Date: Sun, 5 Aug 2001 13:31:38 -0500
From: Mike Meyer <mwm@mired.org>
To: Kent Stewart <kstewart@urx.com>
Cc: Louis LeBlanc <leblanc+freebsd@acadia.ne.mediaone.net>, questions@freebsd.org
Subject: Re: Attempted Buffer Overrun in via httpd?
Message-ID: <15213.37130.443656.153817@guru.mired.org>
In-Reply-To: <3B6D8955.7B346069@urx.com>
References: <15213.29533.375904.18788@guru.mired.org> <3B6D8955.7B346069@urx.com>
Kent Stewart <kstewart@urx.com> types:
> Mike Meyer wrote:
> > What scares me is the possibility of near-exponential growth of the
> > thing. I've put up a plot of hits/hour since it started - at about 9am
> > CDT - to now at <URL: http://www.mired.org/codered.ps >. Discount the
> > last data point - it only includes about 15 minutes of hits. The large
> > jump around 9am 8/4 got me, but it seems to have peaked at 45/hour,
> > and fallen back to ~15/hour. I can understand the levelling out as the
> > population of suspect servers approaches saturation, but why did it
> > drop off? Or is the spike just random noise?
> Your hit rate is much greater than mine. My complete list of error log
> messages is on http://dsl1-160.dynacom.net/code_red.html. The complete
> list is only 4 screens of text.

That's strange. More commentary on this later.

> I am also seeing a mutation. The first error log message was the typical
> one but yesterday, the second one also started showing up.

There are at least two versions of this worm running around. One defaces
the web pages, one doesn't. There are also differences in the random
number generators used, the earlier ones using the same PRNG and seed,
meaning they'll probe the same list of IP addresses.

> [Sun Aug 5 08:31:26 2001] [error] [client 212.205.80.11] \
> Client sent malformed Host header
> [Sun Aug 5 08:41:47 2001] [error] [client 24.2.244.206] \
> File does not exist: /usr/local/www/data/default.ida

I hadn't been counting the first one - it's not mentioned in any of the
writeups I saw. I've also got some during the period when code red is
supposedly quiescent. While those are likely to be infected hosts with
misset clocks, I'm going to leave it as is because 1) I'm more interested
in trends than in total numbers, and 2) the totals seem to be at most
4/hour, meaning they are for the most part lost in the noise.

One possible explanation for the discrepancy we're seeing in counts is
that you somehow overlooked the initial ones that didn't have a malformed
host header. Another is that those without a malformed host header are
the older worm, and I'm much lower on that fixed list of IP addresses
than you are. That doesn't seem likely, as I didn't see any of those
until August.

	<mike
--
Mike Meyer <mwm@mired.org>			http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
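The hits/hour counting the thread discusses, as an added example that is not part of the original message: it parses Apache 1.3-style error_log lines, recognises the two signatures quoted above (the `/default.ida` probe and the malformed Host header), buckets them per hour, and lists the distinct source addresses per signature so two sites can compare which part of the worm's fixed IP list they sit on. The log lines and IP addresses are constructed sample data, not taken from either site's logs.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache 1.3 error_log format: "[Sun Aug  5 08:41:47 2001] [error] [client 1.2.3.4] message"
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4})\] "
    r"\[error\] \[client (?P<ip>[\d.]+)\] (?P<msg>.*)$"
)

# The two signatures discussed in the thread. Mike counts only the first;
# Kent's list includes both.
SIGNATURES = {
    "default.ida": lambda msg: msg.endswith("/default.ida"),
    "malformed-host": lambda msg: msg == "Client sent malformed Host header",
}

# Constructed sample log lines (documentation-range addresses, not real probes).
SAMPLE_LOG = """\
[Sun Aug  5 08:31:26 2001] [error] [client 192.0.2.11] Client sent malformed Host header
[Sun Aug  5 08:41:47 2001] [error] [client 198.51.100.206] File does not exist: /usr/local/www/data/default.ida
[Sun Aug  5 08:55:02 2001] [error] [client 203.0.113.9] File does not exist: /usr/local/www/data/default.ida
[Sun Aug  5 09:03:10 2001] [error] [client 203.0.113.40] File does not exist: /usr/local/www/data/default.ida
[Sun Aug  5 09:07:44 2001] [error] [client 192.0.2.11] File does not exist: /usr/local/www/data/favicon.ico
""".splitlines()

def classify(line):
    """Return (hour_bucket, ip, signature) for a probe line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    for name, matches in SIGNATURES.items():
        if matches(m.group("msg")):
            # Collapse Apache's day padding ("Aug  5") before parsing the timestamp.
            ts = datetime.strptime(" ".join(m.group("ts").split()), "%a %b %d %H:%M:%S %Y")
            return ts.strftime("%Y-%m-%d %H:00"), m.group("ip"), name
    return None

def hits_per_hour(lines, signatures=("default.ida",)):
    """Count probes per hour, restricted to the given signatures (trend data, as in the plot)."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit and hit[2] in signatures:
            counts[hit[0]] += 1
    return dict(counts)

def sources_by_signature(lines):
    """Distinct probing addresses per signature, for comparing two sites' lists."""
    seen = defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit:
            seen[hit[2]].add(hit[1])
    return {name: sorted(ips) for name, ips in seen.items()}
```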