From: "Andrew Darrow"
Date: Fri, 11 Oct 2002 13:29:47 -0700
Subject: Re: [users@httpd] Apache 2.0.43 doesn't respond with 404 for GET default.ida

Thanks, you guys. That's what I had read on a couple of sites, but I wasn't quite sure if they were getting in through the indexing service. The thing that I'm currently worried about is that there was that Code Red virus in my firewall's folder. So somehow the person got through my firewall, and the only port that I have open and unprotected is 80, so Apache now takes over the security for that port. So either someone tried to crash my web server, then just hacked through my firewall and planted it, or they hacked through Apache itself. Is there a way to tell which one it was that happened? My firewall detected no more attempts after the computer was restarted and Code Red implanted. Also the Apache log has nothing else there, until like 2 hours later when the normal script kiddie probes happen.

----- Original Message -----
From: "craig franke"
Sent: Friday, October 11, 2002 5:17 AM
Subject: Re: [users@httpd] Apache 2.0.43 doesn't respond with 404 for GET default.ida

Plus this hack doesn't affect Apache at all [except for the junk traffic associated with it]... only unpatched IIS servers... Apache users just get to see long junk entries in their log files :)

>>> info@orangexl.com 10/11/02 06:48AM >>>
Apache responded with a 400 BAD REQUEST ("Client sent malformed Host header"), which is the correct reply. Nothing will happen to you because Apache returns a 400 instead of a 404, since they are both error messages. Apache doesn't even try to look for the requested file...

----- Original Message -----
From: "Andrew Darrow"
Sent: Friday, October 11, 2002 10:05 AM
Subject: [users@httpd] Apache 2.0.43 doesn't respond with 404 for GET default.ida

> My firewall (BlackIce 3.5cdf) has picked up 2 apparently successful
> attempts on my system. The event reads as "Code Red I" each time. I am
> running Win 2000 Pro with Apache 2.0.43. Below are the portions of the Apache
> log that are appropriate.
>
> The error log reads: "[Thu Oct 10 23:18:40 2002] [error] [client
> 63.148.133.***] Client sent malformed Host header"
>
> The access log reads: 63.148.133.*** - - [10/Oct/2002:23:18:40 -0700] "GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
> u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> HTTP/1.0" 400 309
>
> I searched the net and found that this particular vulnerability is caused by
> Indexing Services and the IIS web server. I am not running an IIS server,
> however the indexing service was installed. It has since been removed. What
> has me concerned is that my antivirus program detects the Code Red virus in
> the BlackIce folder in a file named "evd000.enc". I am able to delete this
> file and my system appears to be clean of the virus. So I appear to not be
> able to contract the virus in this manner, but the part that has me
> concerned is that Apache did not return a 404 to this request. I have read
> material on this particular attack that said it should. So obviously I've
> got something set up wrong, but I don't know what. And also, am I correct in
> assuming that removing the indexing service would prevent this
> vulnerability?
>
> BTW: I particularly enjoyed the "How to ask questions the smart way." Very
> entertaining! My thanks to Eric and Rick for putting a smile on my face in
> this otherwise dismal night.
>
> Many thanks in advance
> Andrew
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
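As an added example, not part of this thread or of Apache's own tooling: a small Python check that scans Apache access and error log lines for Code Red-style GET /default.ida probes, records whether the server rejected them (a 4xx such as the 400 above, as opposed to a 2xx that would need a closer look), and pairs each probe with the "malformed Host header" error-log entry from the same client, which is the access-log/error-log correlation the question above is really asking for. The sample log lines are constructed from the entries quoted in the thread, with the masked client address replaced by a documentation IP.

```python
import re

# Apache common log format (the shape of the access log entry quoted above).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)')
# Apache 2.0 error log line: "[Thu Oct 10 ...] [error] [client 1.2.3.4] message".
ERROR_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$')
# Code Red probe as seen in the thread: GET /default.ida, long 'N' padding, %uXXXX bytes.
CODE_RED_RE = re.compile(r'GET /default\.ida\?N{20,}.*%u[0-9a-fA-F]{4}')

def classify_access(line):
    """Return a verdict dict for a Code Red-style probe, or None for other traffic."""
    m = ACCESS_RE.match(line)
    if not m or not CODE_RED_RE.search(m.group("req")):
        return None
    status = int(m.group("status"))
    # Apache has no default.ida handler, so any 4xx (the thread's 400, or a 404) means
    # the request was rejected; a 2xx would mean something handled the path: investigate.
    verdict = "rejected" if 400 <= status < 500 else "served-investigate"
    return {"ip": m.group("ip"), "ts": m.group("ts"), "status": status, "verdict": verdict}

def correlate(access_lines, error_lines):
    """Pair each detected probe with error-log messages from the same client IP."""
    errors = {}
    for line in error_lines:
        m = ERROR_RE.match(line)
        if m:
            errors.setdefault(m.group("ip"), []).append(m.group("msg"))
    hits = []
    for line in access_lines:
        hit = classify_access(line)
        if hit:
            hit["errors"] = errors.get(hit["ip"], [])
            hits.append(hit)
    return hits

# Constructed sample lines modelled on the entries quoted in the thread; the
# masked client IP is replaced with a documentation address (203.0.113.7).
SAMPLE_ACCESS = [
    '203.0.113.7 - - [10/Oct/2002:23:18:40 -0700] "GET /default.ida?' + 'N' * 224
    + '%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff'
    + '%u0078%u0000%u00=a HTTP/1.0" 400 309',
    '198.51.100.9 - - [11/Oct/2002:01:20:03 -0700] "GET /index.html HTTP/1.1" 200 1234',
]
SAMPLE_ERROR = [
    '[Thu Oct 10 23:18:40 2002] [error] [client 203.0.113.7] Client sent malformed Host header',
]

if __name__ == "__main__":
    print(correlate(SAMPLE_ACCESS, SAMPLE_ERROR))  # one dict per probe, with verdict and errors
```

A probe whose verdict is "rejected" and whose error list carries the malformed-Host message is the case in this thread: Apache refused the request before looking for any file.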