httpd-users mailing list archives

From "Robert Andersson" <rob...@profundis.nu>
Subject Re: Worm attack?
Date Tue, 21 May 2002 06:12:38 GMT
I think it looks like Code Red (or a clone thereof). I'm no expert, so you
shouldn't trust my word on it, but I don't think you need to worry, as these
worms exploit a buffer overflow bug in some extension which is specific to
IIS on Windows platforms. Do check some on-line virus dictionary to
identify the attack and see if you need to do anything.

Regards,
Robert Andersson

----- Original Message -----
From: "DownUnder Dan" <danes@image.dk>
To: <users@httpd.apache.org>
Sent: Saturday, May 18, 2002 8:38 AM
Subject: Worm attack?


> Check out these entries in my Apache Log at 23:54.  www.worm.com is NOT a local domain.
>
> It seems that the attack kept my server occupied for about 5 minutes.
>
> What can I do about this to prevent it happening again? And what was attacking? Nimda? Code Red?
>
>
>
> www.odense.lokale.net 217.157.173.124 - - [17/May/2002:23:51:19 +0200] "GET /images/clear.gif HTTP/1.1" 200 880
>
> 217.157.173.124 - - [17/May/2002:23:51:19 +0200] "GET /shared/desktop/thumbnail.jpg HTTP/1.1" 200 9136
>
> www.execit.dk 217.157.173.124 - - [17/May/2002:23:51:19 +0200] "GET /shared/desktop/thumbnail.jpg HTTP/1.1" 200 9136
>
> 217.157.173.124 - - [17/May/2002:23:51:19 +0200] "GET /images/velkommen.jpg HTTP/1.1" 200 2140
>
> www.odense.lokale.net 217.157.173.124 - - [17/May/2002:23:51:19 +0200] "GET /images/velkommen.jpg HTTP/1.1" 200 2140
>
> 217.157.173.124 - - [17/May/2002:23:51:19 +0200] "GET /images/nye.jpg HTTP/1.1" 200 1206
>
> www.odense.lokale.net 217.157.173.124 - - [17/May/2002:23:51:19 +0200] "GET /images/nye.jpg HTTP/1.1" 200 1206
>
> 217.157.173.124 - - [17/May/2002:23:51:19 +0200] "GET /images/harduset.gif HTTP/1.1" 200 10901
>
> www.odense.lokale.net 217.157.173.124 - - [17/May/2002:23:51:19 +0200] "GET /images/harduset.gif HTTP/1.1" 200 10901
>
> 217.157.173.124 - - [17/May/2002:23:51:19 +0200] "GET /images/deerher.jpg HTTP/1.1" 200 7735
>
> www.odense.lokale.net 217.157.173.124 - - [17/May/2002:23:51:19 +0200] "GET /images/deerher.jpg HTTP/1.1" 200 7735
>
> 217.157.173.124 - - [17/May/2002:23:51:20 +0200] "GET /images/search.gif HTTP/1.1" 200 1065
>
> www.odense.lokale.net 217.157.173.124 - - [17/May/2002:23:51:20 +0200] "GET /images/search.gif HTTP/1.1" 200 1065
>
> 217.157.173.124 - - [17/May/2002:23:51:20 +0200] "GET /images/menu-bar.jpg HTTP/1.1" 200 21402
>
> www.odense.lokale.net 217.157.173.124 - - [17/May/2002:23:51:20 +0200] "GET /images/menu-bar.jpg HTTP/1.1" 200 21402
>
> 63.194.209.109 - - [17/May/2002:23:54:13 +0200] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 400 333
>
> www.worm.com Accept: */* 63.194.209.109 - - [17/May/2002:23:54:13 +0200]
"GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 400 333
>
> 212.112.128.200 - - [17/May/2002:23:59:35 +0200] "GET /kornblomsten HTTP/1.1" 301 324
>
> www.aarslev.net 212.112.128.200 - - [17/May/2002:23:59:35 +0200] "GET /kornblomsten HTTP/1.1" 301 324
>
> 212.112.128.200 - - [17/May/2002:23:59:36 +0200] "GET / HTTP/1.1" 200 379
>
> www.langeskov.net 212.112.128.200 - - [17/May/2002:23:59:36 +0200] "GET / HTTP/1.1" 200 379
>
> 212.112.128.200 - - [17/May/2002:23:59:46 +0200] "GET / HTTP/1.1" 200 377
>
> www.aarslev.net 212.112.128.200 - - [17/May/2002:23:59:46 +0200] "GET / HTTP/1.1" 200 377
>
> 195.215.214.166 - - [18/May/2002:00:00:48 +0200] "GET /enetdata/105-english.htm HTTP/1.1" 200 5258
>
> www.execit.dk 195.215.214.166 - - [18/May/2002:00:00:48 +0200] "GET /enetdata/105-english.htm HTTP/1.1" 200 5258
>
> 212.112.128.200 - - [18/May/2002:00:01:56 +0200] "GET /murermester HTTP/1.1" 301 329
>
> www.egebjergnet.dk 212.112.128.200 - - [18/May/2002:00:01:56 +0200] "GET /murermester HTTP/1.1" 301 329
>
> 212.112.128.200 - - [18/May/2002:00:03:20 +0200] "GET /ollerupgrillen HTTP/1.1" 301 332
>
> u0078%u0000%u00=a HTTP/1.0" 400 333
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
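
A log check for the request shape quoted in this thread, added here as an example and not part of either poster's message: it finds `/default.ida?` requests carrying a long single-character filler run followed by `%uXXXX` escapes, and reports whether the server rejected them. The names `scan` and `MIN_FILLER`, the threshold value, and the sample lines (documentation-range addresses, unwrapped entries) are assumptions constructed for the example.

```python
import re

# Optional vhost prefix (some of the thread's lines have one), then CLF fields.
LINE = re.compile(
    r'^(?:(?P<vhost>.*?)\s)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ '
    r'\[(?P<ts>[^\]]+)\] "(?P<req>.*)" (?P<status>\d{3}) \S+$')
# MIN_FILLER is an assumed threshold, not a value from the thread.
MIN_FILLER = 64
# /default.ida?, a run of one repeated filler character, then %uXXXX escapes.
PROBE = re.compile(
    r'^GET /default\.ida\?(?P<fill>(.)\2{%d,})(?P<esc>(?:%%u[0-9a-f]{4})+)'
    % (MIN_FILLER - 1), re.IGNORECASE)

def scan(lines):
    """Return one record per access-log line that matches the probe shape."""
    hits = []
    for line in lines:
        m = LINE.match(line.strip())
        p = PROBE.match(m.group("req")) if m else None
        if not p:
            continue
        status = int(m.group("status"))
        hits.append({
            "ip": m.group("ip"), "time": m.group("ts"),
            "vhost": m.group("vhost"), "status": status,
            "filler_len": len(p.group("fill")),
            "escapes": len(p.group("esc")) // 6,  # each %uXXXX is 6 chars
            # 4xx: the server refused the request. Any other status means
            # something was served and the response deserves a closer look.
            "rejected": 400 <= status < 500,
        })
    return hits

# Constructed sample: filler length chosen for the example, escapes taken
# from the start of the request quoted in the thread.
PROBE_REQ = ("GET /default.ida?" + "N" * 224
             + "%u9090%u6858%ucbd3%u7801" + "%u00=a HTTP/1.0")
STAMP = "[17/May/2002:23:54:13 +0200]"
SAMPLE = [
    '192.0.2.10 - - [17/May/2002:23:51:19 +0200] "GET /images/clear.gif HTTP/1.1" 200 880',
    '198.51.100.7 - - ' + STAMP + ' "' + PROBE_REQ + '" 400 333',
    'www.worm.com Accept: */* 198.51.100.7 - - ' + STAMP + ' "' + PROBE_REQ + '" 400 333',
    'www.example.net 192.0.2.10 - - ' + STAMP + ' "GET /default.ida?id=7 HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```
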



