You are viewing a plain text version of this content. The canonical link for it is here.
Posted to apache-bugdb@apache.org by Kristoffer Eriksson <sk...@pkmab.se> on 2001/08/22 10:26:00 UTC
general/8222: Unexpected status code in reply to Code Red URL
>Number: 8222
>Category: general
>Synopsis: Unexpected status code in reply to Code Red URL
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: apache
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: support
>Submitter-Id: apache
>Arrival-Date: Wed Aug 22 01:30:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: ske@pkmab.se
>Release: 1.3.6
>Organization:
apache
>Environment:
Red Hat
Linux draco 2.0.36 #4 Tue Mar 16 12:30:09 MET 1999 i586
>Description:
The Code Red worm is obviously quite busy on the net currently, and I'm seeing plenty of it in the log files for our Apache web server.
Usually I would expect those URLs to be logged with a status code of 404. That's also what I've seen in excerpts of logs from other people. But in our logs, I see a status code of mostly status 400 and in perhaps 40% of the cases status 200. Also, I would expect the error log to contain another entry about the requested file not being found, but it doesn't.
This seems strange to me. I wonder why this is so, and whether this indicates a problem with our server. And whether or not it does, I'm still curious as to the cause of it.
Also, I can't find any difference between the URLs that produce status 200 and those that produce status 400. They're completely identical, as far as I can see in the log.
Okey, I know we're running an old version of Apache. But I tried searching the change log for the 1.3 tree, and didn't find anything about changes to the use of these status codes or the logging of them. Have there been changes that would explain this anyway? I wouldn't want to just upgrade and see the problem just go away without any explanation anyway, especially if it could be security related.
>How-To-Repeat:
I don't know. When I try to reproduce this manually by calling the server with the same URL that I find in the log, I always get the expected status code 404 and an entry about the requested file in the error log too.
All you have to do though, is connect to the internet and with a while for a real Code Red worm to call you.
Here are two log entries with status code 400 and 200:
61.156.162.2 - - [21/Aug/2001:10:02:31 +0200]
"GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090
%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 283
61.170.140.38 - - [21/Aug/2001:10:05:27 +0200]
"GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090
%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 200 -
And I certainly don't have any "default.ida" files.
>Fix:
No.
>Release-Note:
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, you need]
[to include <ap...@Apache.Org> in the Cc line and make sure the]
[subject line starts with the report component and number, with ]
[or without any 'Re:' prefixes (such as "general/1098:" or ]
["Re: general/1098:"). If the subject doesn't match this ]
[pattern, your message will be misfiled and ignored. The ]
["apbugs" address is not added to the Cc line of messages from ]
[the database automatically because of the potential for mail ]
[loops. If you do not include this Cc, your reply may be ig- ]
[nored unless you are responding to an explicit request from a ]
[developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]
Re: general/8222: Unexpected status code in reply to Code Red URL
Posted by Cliff Pratt <en...@cliffp.com>.
I can confirm this. I have seen it too.
Cheers,
Cliff
Kristoffer Eriksson wrote:
>
> >Number: 8222
> >Category: general
> >Synopsis: Unexpected status code in reply to Code Red URL
> >Confidential: no
> >Severity: non-critical
> >Priority: medium
> >Responsible: apache
> >State: open
> >Quarter:
> >Keywords:
> >Date-Required:
> >Class: support
> >Submitter-Id: apache
> >Arrival-Date: Wed Aug 22 01:30:01 PDT 2001
> >Closed-Date:
> >Last-Modified:
> >Originator: ske@pkmab.se
> >Release: 1.3.6
> >Organization:
> apache
> >Environment:
> Red Hat
> Linux draco 2.0.36 #4 Tue Mar 16 12:30:09 MET 1999 i586
> >Description:
> The Code Red worm is obviously quite busy on the net currently, and I'm seeing plenty of it in the log files for our Apache web server.
>
> Usually I would expect those URLs to be logged with a status code of 404. That's also what I've seen in excerpts of logs from other people. But in our logs, I see a status code of mostly status 400 and in perhaps 40% of the cases status 200. Also, I would expect the error log to contain another entry about the requested file not being found, but it doesn't.
>
> This seems strange to me. I wonder why this is so, and whether this indicates a problem with our server. And whether or not it does, I'm still curious as to the cause of it.
>
> Also, I can't find any difference between the URLs that produce status 200 and those that produce status 400. They're completely identical, as far as I can see in the log.
>
> Okey, I know we're running an old version of Apache. But I tried searching the change log for the 1.3 tree, and didn't find anything about changes to the use of these status codes or the logging of them. Have there been changes that would explain this anyway? I wouldn't want to just upgrade and see the problem just go away without any explanation anyway, especially if it could be security related.
> >How-To-Repeat:
> I don't know. When I try to reproduce this manually by calling the server with the same URL that I find in the log, I always get the expected status code 404 and an entry about the requested file in the error log too.
>
> All you have to do though, is connect to the internet and with a while for a real Code Red worm to call you.
>
> Here are two log entries with status code 400 and 200:
>
> 61.156.162.2 - - [21/Aug/2001:10:02:31 +0200]
> "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090
> %u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 283
>
> 61.170.140.38 - - [21/Aug/2001:10:05:27 +0200]
> "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090
> %u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 200 -
>
> And I certainly don't have any "default.ida" files.
>
> >Fix:
> No.
> >Release-Note:
> >Audit-Trail:
> >Unformatted:
> [In order for any reply to be added to the PR database, you need]
> [to include <ap...@Apache.Org> in the Cc line and make sure the]
> [subject line starts with the report component and number, with ]
> [or without any 'Re:' prefixes (such as "general/1098:" or ]
> ["Re: general/1098:"). If the subject doesn't match this ]
> [pattern, your message will be misfiled and ignored. The ]
> ["apbugs" address is not added to the Cc line of messages from ]
> [the database automatically because of the potential for mail ]
> [loops. If you do not include this Cc, your reply may be ig- ]
> [nored unless you are responding to an explicit request from a ]
> [developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]
>
>