httpd-users mailing list archives

From "Sander Holthaus - Orange XL" <i...@orangexl.com>
Subject Re: [users@httpd] Apache 2.0.43 doesn't respond with 404 for GET default.ida
Date Fri, 11 Oct 2002 11:48:51 GMT
Apache responded with a 400 BAD REQUEST ("Client sent malformed Host
header") which is the correct reply. Nothing will happen to you because
Apache returns a 400 instead of a 404, since they are both error-messages.
Apache doesn't even try to look for the requested file...

----- Original Message -----
From: "Andrew Darrow" <vrspectre@attbi.com>
To: <users@httpd.apache.org>
Sent: Friday, October 11, 2002 10:05 AM
Subject: [users@httpd] Apache 2.0.43 doesn't respond with 404 for GET
default.ida


> My firewall (BlackIce 3.5cdf) has picked up 2 apparently successful
> attempts on my system. The event reads as "Code Red I" each time. I am
> running Win 2000 Pro with Apache 2.0.43. Below are the portions of apache
> log that are appropriate.
>
> The error log reads : "[Thu Oct 10 23:18:40 2002] [error] [client
> 63.148.133.***] Client sent malformed Host header"
>
> The access log reads: 63.148.133.*** - - [10/Oct/2002:23:18:40 -0700] "GET
>
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
>
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
>
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
>
NNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
> u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> HTTP/1.0" 400 309
>
> I searched the net and found that this particular vulnerability is caused by
> Indexing Services and the IIS web server. I am not running an IIS server,
> however the indexing service was installed. It has since been removed. What
> has me concerned is that my antivirus program detects the code red virus in
> the BlackIce folder in a file named "evd000.enc". I am able to delete this
> file and my system appears to be clean of the virus. So I appear to not be
> able to contract the virus in this manner, but the part that has me
> concerned is that apache did not return a 404 to this request. I have read
> material on this particular attack that said it should. So obviously I've
> got something setup wrong, but I don't know what. And also, am I correct in
> assuming that removing the indexing service would prevent this
> vulnerability?
>
> BTW: I particularly enjoyed the "How to ask questions the smart way." Very
> entertaining! My thanks to Eric and Rick for putting a smile on my face in
> this otherwise dismal night.
>
> Many thanks in advance
> Andrew
>
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>


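Added example, not part of either message and not Apache project code: a small access-log triage that finds requests shaped like the one quoted above and sorts them by response status, following the reply's point that a 400 and a 404 are both error replies. The sample log lines, the addresses, the filler-length threshold and the verdict labels are assumptions constructed for illustration.

```python
import re

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>.*)" '
                 r'(?P<status>\d{3}) \S+$')
# Shape of the request quoted in the post: GET /default.ida? followed by a long
# run of one repeated filler letter (the threshold of 16 is an assumption).
PROBE = re.compile(r'^GET /default\.ida\?(?P<c>[A-Za-z])(?P=c){15,}', re.I)


def classify(line):
    """Return a triage record for a default.ida probe, or None for other lines."""
    m = CLF.match(line.strip())
    if not m or not PROBE.match(m["request"]):
        return None
    status = int(m["status"])
    if 400 <= status < 500:
        verdict = "rejected"      # 400 and 404 alike: nothing was served
    elif 200 <= status < 300:
        verdict = "served"        # something answered this URL: investigate
    else:
        verdict = "review"        # redirects and server errors need a look
    return {"host": m["host"], "status": status, "verdict": verdict,
            "u_encoded": "%u" in m["request"]}


def triage(lines):
    """Classify every line and keep only the probe records."""
    return [r for r in map(classify, lines) if r is not None]


# Constructed sample lines (documentation addresses, shortened filler).
_REQ = "GET /default.ida?" + "N" * 64 + "%u9090%u9090=a HTTP/1.0"
SAMPLE = [
    f'192.0.2.10 - - [10/Oct/2002:23:18:40 -0700] "{_REQ}" 400 309',
    f'192.0.2.11 - - [10/Oct/2002:23:19:02 -0700] "{_REQ}" 404 285',
    f'192.0.2.12 - - [10/Oct/2002:23:20:15 -0700] "{_REQ}" 200 1024',
    '192.0.2.13 - - [10/Oct/2002:23:21:00 -0700] "GET /index.html HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for rec in triage(SAMPLE):
        print(rec)
```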

