httpd-users mailing list archives

From "Forbes, Stephen" <Stephen.For...@calanais.com>
Subject RE: access & error logs -- attempted crack?
Date Thu, 11 Jul 2002 08:41:15 GMT
I'm not 100% sure, but I think this is the string left by the Code Red worm
that only affects IIS. It's checking for a file in IIS, "default.ida", that has
a weakness and can be cracked. Of course you're running Apache, so it should
not matter. If this is an Internet-facing box, I would not be too worried;
if it is internal to your company, you have a loose worm.

HTH

Stephen Forbes


> -----Original Message-----
> From: Gary Turner [mailto:kk5st@swbell.net]
> Sent: 11 July 2002 09:39
> To: Apache Users
> Subject: access & error logs -- attempted crack?
> 
> 
> Notice the access and error log excerpts.  Being brand new to this, I
> can only wonder what this is all about.  Are they innocent (unlikely, I
> think) or attempts to get into my box?  Note the one reference to port
> 6667.  Was this a try at using me for chat relay/misdirection?
> 
> Any explanation of these log entries will be deeply appreciated.
> 
> ==========================================================
> 
> From the access.log
> 
> 
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNN61.59.67.62
> - - [10/Jul/2002:19:50:28 -0500] "GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801
> %u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u
> 8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> HTTP/1.0" 400 328 "-" "-"
> 
> 200.165.231.85 - - [10/Jul/2002:20:29:46 -0500] "GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u685
> 8%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%
> u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> HTTP/1.0" 400 328 "-" "-"
> 
> 207.114.6.10 - - [10/Jul/2002:21:32:02 -0500] "CONNECT 
> 207.114.6.11:6667
> HTTP/1.0" 405 307 "-" "-"
> 
> 62.248.37.51 - - [11/Jul/2002:02:38:23 -0500] "GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u685
> 8%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%
> u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> HTTP/1.0" 400 328 "-" "-"
> 
> (notice 207.114.6.10 --> connect 207.114.6.11:6667)
> ===============================================================
> From the error.log
> 
> 
> [Wed Jul 10 08:14:56 2002] [error] [client 65.29.2.20] Client sent
> malformed Host header
> 
> [Wed Jul 10 19:50:28 2002] [error] [client 61.59.67.62] Client sent
> malformed Host header
> [Wed Jul 10 20:29:46 2002] [error] [client 200.165.231.85] Client sent
> malformed Host header
> [Thu Jul 11 02:38:23 2002] [error] [client 62.248.37.51] Client sent
> malformed Host header
> 
> 
> 
> --
> gt
> It ain't so much what you don't know that gets you in trouble---
> it's what you do know that ain't so.--unk
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
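
An added example, not part of either message and not Apache project code: a small classifier for the two request shapes quoted above (the `default.ida` request and the `CONNECT` to port 6667) that also flags any such request the server answered with a 2xx status instead of the 400/405 seen in the excerpts. The function names and the sample lines are constructed for illustration, and the sample uses documentation address ranges.

```python
import re
from collections import Counter

# Apache access log prefix: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+')
# Shape of the default.ida requests quoted above: a long run of one filler
# character followed by %u-encoded data.
IDA_RE = re.compile(r'^GET /default\.ida\?(.)\1{20,}.*%u[0-9a-fA-F]{4}', re.I)
# CONNECT host:port sent to a server that is not meant to be a proxy.
CONNECT_RE = re.compile(r'^CONNECT \S+:(?P<port>\d+) ', re.I)

def classify(line):
    """Return host, probe kind, status and whether the server answered 2xx."""
    m = LOG_RE.match(line)
    if not m:
        return None
    request, status = m['request'], int(m['status'])
    connect = CONNECT_RE.match(request)
    if IDA_RE.match(request):
        kind = 'default.ida-probe'
    elif connect:
        kind = 'connect-probe:' + connect['port']
    else:
        kind = 'other'
    return {'host': m['host'], 'kind': kind, 'status': status,
            'served': 200 <= status < 300}

def summarize(lines):
    """Count probe kinds and list probes that got a 2xx answer."""
    events = [e for e in map(classify, lines) if e]
    counts = Counter(e['kind'] for e in events)
    needs_review = [e for e in events if e['kind'] != 'other' and e['served']]
    return counts, needs_review

# Constructed sample lines (documentation addresses, shortened filler run).
SAMPLE = [
    '192.0.2.10 - - [10/Jul/2002:19:50:28 -0500] "GET /default.ida?' + 'N' * 40
    + '%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 400 328 "-" "-"',
    '198.51.100.7 - - [10/Jul/2002:21:32:02 -0500] '
    '"CONNECT 198.51.100.8:6667 HTTP/1.0" 405 307 "-" "-"',
    '203.0.113.5 - - [11/Jul/2002:09:00:00 -0500] "GET /index.html HTTP/1.0" 200 1024 "-" "-"',
    '198.51.100.7 - - [11/Jul/2002:09:05:00 -0500] '
    '"CONNECT 198.51.100.8:6667 HTTP/1.0" 200 0 "-" "-"',
]

if __name__ == '__main__':
    counts, needs_review = summarize(SAMPLE)
    print(dict(counts))
    for e in needs_review:
        print('REVIEW:', e['host'], e['kind'], e['status'])
```

Email wrapping split the quoted requests across several lines; in the actual access log each request is a single line, which is what this parser expects.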
