Date: Thu, 7 Mar 2002 22:03:03 -0800
From: "Jeff Jirsa" <jjirsa@hmc.edu>
To: "krzysztof Strzelczyk" <cs052279@yahoo.com>, <freebsd-security@FreeBSD.ORG>
Subject: Re: Code Red??
Message-ID: <000401c1c666$e87b19b0$5e3bad86@boredom>
References: <20020308055639.62629.qmail@web14805.mail.yahoo.com>

> Hello,
>
> I've been going through docs and all signs
> indicate that this is a system infected with code red.

Heh, no.

> [Fri Mar 8 00:00:50 2002] [error] [client
> 195.218.232.26] File does not exist:
> /usr/local/www/data/default.ida
> [Fri Mar 8 00:06:47 2002] [error] [client
> 217.128.238.66] File does not exist:
> /usr/local/www/data/default.ida
> [Fri Mar 8 00:09:46 2002] [error] [client
> 24.61.208.188] File does not exist:
> /usr/local/www/data/default.ida
> [Fri Mar 8 00:17:40 2002] [error] [client
> 61.132.208.81] File does not exist:
> /usr/local/www/data/default.ida
> [Fri Mar 8 00:26:55 2002] [notice] caught SIGTERM,
> shutting down
>
> If so, does anybody know how to break this down?

You're slightly misled. The default.ida scans are probably looking for a
vulnerable IIS server, but apache certainly isn't vulnerable. It happens
almost daily, to everyone (It's happened 73 times to me, since my logs were
rotated last):

# ~ : grep default.ida /usr/local/etc/apache/logs/httpd-access-log | wc -l
73

The message you're seeing is apache not finding the file default.ida (it
would return 404 to the client). It's nothing to be worried about (annoyed,
irritated, maybe, but not worried). I'm assuming the term signal was
something unrelated, like a planned shutdown.

- Jeff Jirsa
jjirsa@hmc.edu
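
The reading of the log given in the reply above can be checked mechanically. The following is an added example, not part of the original message: it separates client-attributed "File does not exist" entries for default.ida (inbound probes that failed) from local server events such as the SIGTERM notice. The function name, the regular expressions and the 192.0.2.x lines are assumptions made for illustration; the other log lines are the ones quoted in the thread.

```python
import re
from collections import Counter

# Apache error_log layout as seen in the quoted lines:
#   [timestamp] [level] [client IP] message   (the client part is optional)
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] '
    r'(?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$'
)
MISSING_RE = re.compile(r'^File does not exist: (?P<path>\S+)$')

# First four lines and the SIGTERM notice are from the thread (unwrapped);
# the 192.0.2.x lines are constructed sample data.
SAMPLE_LOG = """\
[Fri Mar 8 00:00:50 2002] [error] [client 195.218.232.26] File does not exist: /usr/local/www/data/default.ida
[Fri Mar 8 00:06:47 2002] [error] [client 217.128.238.66] File does not exist: /usr/local/www/data/default.ida
[Fri Mar 8 00:09:46 2002] [error] [client 24.61.208.188] File does not exist: /usr/local/www/data/default.ida
[Fri Mar 8 00:17:40 2002] [error] [client 61.132.208.81] File does not exist: /usr/local/www/data/default.ida
[Fri Mar 8 00:18:02 2002] [error] [client 192.0.2.10] File does not exist: /usr/local/www/data/default.ida
[Fri Mar 8 00:19:30 2002] [error] [client 192.0.2.10] File does not exist: /usr/local/www/data/default.ida
[Fri Mar 8 00:20:11 2002] [error] [client 192.0.2.11] File does not exist: /usr/local/www/data/favicon.ico
[Fri Mar 8 00:26:55 2002] [notice] caught SIGTERM, shutting down
"""

def summarize(log_text, probe_name="default.ida"):
    """Return (Counter of probe hits per client, list of other entries)."""
    probes = Counter()
    other = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an error_log entry in the expected layout
        # Only entries tied to a remote client can be inbound probes.
        miss = MISSING_RE.match(m["msg"]) if m["client"] else None
        if miss and miss["path"].rsplit("/", 1)[-1].lower() == probe_name:
            # The file was not found, so the request failed on this server.
            probes[m["client"]] += 1
        else:
            other.append((m["level"], m["msg"]))
    return probes, other

if __name__ == "__main__":
    probes, other = summarize(SAMPLE_LOG)
    for client, hits in probes.most_common():
        print(f"{client}: {hits} failed default.ida request(s)")
    for level, msg in other:
        print(f"unrelated [{level}]: {msg}")
```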