httpd-users mailing list archives

From "Mike" <mas...@rmci.net>
Subject RE: [users@httpd] Code Red
Date Sun, 10 Aug 2003 17:26:44 GMT
A long time ago someone gave me this. It's a way to log Code Red and
other cmd's exe attempts.

This is what I have in my conf file to avoid this kind of kiddies...

....
  # Set the "imbecil" variable when the request URI matches one of these patterns
  SetEnvIf Request_URI MSADC imbecil
  SetEnvIf Request_URI scripts imbecil
  SetEnvIf Request_URI default.ida imbecil
  SetEnvIf Request_URI \.exe$ imbecil
  SetEnvIf Request_URI \.dll$ imbecil
  SetEnvIf Request_URI msadc imbecil
  SetEnvIf Request_URI cgi-bin imbecil
  # Tagged requests go to their own log file
  CustomLog /var/log/httpd/imbecil.log common env=imbecil
....

  ErrorLog /var/log/httpd/error.log
  CustomLog /var/log/httpd/access.log common env=!imbecil

I then use PHP to update a page with this info ;-) 

Mike

-----Original Message-----
From: Robert Andersson [mailto:robert@profundis.nu] 
Sent: Sunday, August 10, 2003 11:07 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Code Red 

First:
1. Do not start a new topic by replying to another; it messes up
archives etc.
2. Do not use HTML; make use of Format->Plain Text in OE.

Alfredo Gómez Grande wrote:
> Could anybody tell me what does this virus try to do when accessing
> the port 80?

What CodeRed does (when successful), is to cause a buffer overflow and
execute malicious code on an IIS server.

> I realized that sometimes, in the logfile it returns a code 200 and I
> am worried of if something had been returned to the visitor.

It is hard to comment on those log lines, as you didn't provide them,
but I would imagine they were completely legitimate requests.

> It is said that these attacks don't affect Apache, but could
> somebody explain why?

Because they exploit bugs (buffer overflows, in this case) specific to
IIS. As Apache isn't IIS, it isn't affected by the exploits.

Regards,
Robert Andersson


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
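
Added example, not part of the original messages: a Python sketch that applies the same URI patterns as the SetEnvIf lines above to Common Log Format lines, splits them the way the two CustomLog directives do, and lists tagged requests that were answered with a 2xx status. The log lines are constructed sample data and the function names are hypothetical.

```python
import re
from collections import Counter

# URI patterns as written in the SetEnvIf lines; SetEnvIf does an unanchored regex search.
PATTERNS = [re.compile(p) for p in
            ("MSADC", "scripts", "default.ida", r"\.exe$", r"\.dll$", "msadc", "cgi-bin")]

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+$')

# Constructed sample data (documentation addresses, shortened requests).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Aug/2003:11:02:13 +0000] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 283
192.0.2.44 - - [10/Aug/2003:11:05:40 +0000] "GET /scripts/cmd.exe?constructed HTTP/1.0" 404 279
198.51.100.7 - - [10/Aug/2003:11:06:02 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [10/Aug/2003:11:06:03 +0000] "GET /javascripts/menu.js HTTP/1.1" 200 812
192.0.2.44 - - [10/Aug/2003:11:07:19 +0000] "GET /MSADC/root.exe?constructed HTTP/1.0" 404 277
"""

def request_uri(request_line):
    """Path part of the request target; Request_URI excludes the query string."""
    parts = request_line.split()
    return parts[1].split("?", 1)[0] if len(parts) >= 2 else ""

def split_log(text):
    """Return (tagged, clean) lists of (host, uri, status), like the two CustomLog files."""
    tagged, clean = [], []
    for line in text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # not a Common Log Format line
        host, request, status = m.group(1), m.group(2), int(m.group(3))
        uri = request_uri(request)
        hit = any(p.search(uri) for p in PATTERNS)
        (tagged if hit else clean).append((host, uri, status))
    return tagged, clean

def tagged_successes(tagged):
    """Tagged requests answered 2xx: the entries worth checking by hand."""
    return [entry for entry in tagged if 200 <= entry[2] < 300]

def hits_per_host(tagged):
    """Number of tagged requests per client address."""
    return Counter(host for host, _, _ in tagged)

if __name__ == "__main__":
    tagged, clean = split_log(SAMPLE_LOG)
    print("tagged:", len(tagged), "clean:", len(clean))
    print("tagged with 2xx:", tagged_successes(tagged))
    print("per host:", dict(hits_per_host(tagged)))
```

In the sample, the only tagged request with a 200 is `/javascripts/menu.js`, an ordinary page asset that the unanchored `scripts` pattern also matches.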



