tomcat-users mailing list archives

From Charlie Cox <ccox...@yahoo.com>
Subject FW: Code Red Worm virus
Date Fri, 03 Aug 2001 12:37:12 GMT
I thought I had the latest patch on it (latest critical
update as of Tuesday), but it still sent my inetinfo
spinning. We also had to remove the script
mappings (.ida, etc). Note the service pack put these
back for us when we installed the latest (w2k sp2). I
thought service packs were to close holes, not reopen
them?  That's right, I may have accidentally clicked
on each one, delete and then 'yes' 3 times to remove
all of them :)

I didn't expect that it would cause a problem for me
as I have a uriworkermap.properties setting of:
/* = ajp12

Note that *somehow* IIS still took it upon itself to
process this request. This is still a mystery to me.
It should have gone to tomcat and IIS should have
ignored it. Maybe script mappings take precedence over
ISAPI filters in IIS? 

I only found out what it was by turning off IIS (not
using it for anything else at the moment) and making
tomcat the port 80 owner. (I must admit it's nice to be
able to do this) I also installed Randy's
requestLogger (thank you, Randy) to log requests before
tomcat tried to process it. That is when I saw the
http request posted below.

> -----Original Message-----
> From: Randy Layman [mailto:randy.layman@aswethink.com]
> Sent: Thursday, August 02, 2001 12:04 PM
> To: tomcat-user@jakarta.apache.org
> Subject: RE: Code Red Worm virus
> 
> 
> 	The message is the virus checking if you are a vulnerable host.
> Only IIS will respond to the default.ida request.  This indicates that you
> have been scanned, not infected.  If you don't run IIS then you don't have a
> problem.  If you run IIS and have installed the patches from Microsoft then
> you shouldn't have a problem.
> 
> 	Randy
> 
> > -----Original Message-----
> > From: Brandon Cruz [mailto:bcruz@norvax.com]
> > Sent: Thursday, August 02, 2001 12:09 PM
> > To: tomcat-user@jakarta.apache.org
> > Subject: RE: Code Red Worm virus
> > 
> > 
> > We are using tomcat-apache and have also seen this message.  I don't know
> > what causes that either.  I saw it about a month ago.
> > 
> > Brandon Cruz
> > 
> > 
> > -----Original Message-----
> > From: G.Nagarajan [mailto:gnagarajan@dkf.de]
> > Sent: Thursday, August 02, 2001 10:57 AM
> > To: tomcat-user@jakarta.apache.org
> > Subject: RE: Code Red Worm virus
> > 
> > 
> > I think it attacks only IIS web servers.
> > 
> > -----Original Message-----
> > From: David Domenico [mailto:ddomenico@amano.com]
> > Sent: Thursday, August 02, 2001 5:30 PM
> > To: tomcat-user@jakarta.apache.org
> > Subject: Code Red Worm virus
> > 
> > 
> > I am running Tomcat 3.2.1 standalone for development purposes, as a web
> > server using port 80. Yesterday I noticed the message, see below, on my
> > Tomcat console window. This is identified as the "Code Red" virus as noted
> > in the http://www.cert.org/advisories/CA-2001-19.html. The advisory states
> > that the system may not have been compromised, but I am still concerned.
> > 
> > I notified our network administrator and he applied the necessary patches
> > from MS. However I am not running IIS. Does anyone know of a problem with
> > Tomcat and the code red virus? I will download the latest release build,
> > Tomcat 3.2.3, and install it.
> > 
> > Full  GET
> > 
> > /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> > NNNNNNNNNNNNNN
> > NNNN
> > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> > NNNNNNNNNNNNNN
> > NNNN
> > NNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0
> > Content-type: text/xmlHOST:www.worm.com Accept: */*
> > 
> > 
> > regards,
> > 
> > David Domenico
> > Software Engineer
> > 
> > 
> > "We should take care not to make the intellect our god; it has, of course,
> > powerful muscles, but no personality." - Albert Einstein
> 
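
The thread's conclusion, that a /default.ida request in a non-IIS server's log means the host was scanned rather than infected, can be checked against an access log. The script below is an added example and not part of the original messages; it assumes Common Log Format, the log lines are constructed, and the function names and the 100-character padding threshold are assumptions.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)(?: (\S+))?" (\d{3}) \S+$')
# Index Server script mappings in IIS (the ".ida, etc" mappings from the thread)
IDX_EXT = re.compile(r'\.(ida|idq)$', re.IGNORECASE)
PAD_RUN = re.compile(r'(.)\1{99,}')        # assumption: 100+ repeats of one char is padding
U_ENC = re.compile(r'%u[0-9a-fA-F]{4}')    # non-standard %uXXXX encoding accepted by IIS


def classify(target):
    """Return 'ida-overflow-probe', 'ida-request' or None for a request target."""
    path, _, query = target.partition('?')
    if not IDX_EXT.search(path):
        return None
    # The probe combines a long padding run with several %u-encoded words.
    if PAD_RUN.search(query) and len(U_ENC.findall(query)) >= 4:
        return 'ida-overflow-probe'
    return 'ida-request'


def find_ida_probes(lines):
    """Count overflow probes per source host; unparseable lines are skipped."""
    hits = Counter()
    for line in lines:
        m = CLF.match(line.strip())
        if m and classify(m.group(3)) == 'ida-overflow-probe':
            hits[m.group(1)] += 1
    return hits


# Constructed sample log (documentation addresses); the padding is generated here,
# shaped like the request quoted in the thread rather than copied from it.
_probe = '/default.ida?' + 'N' * 200 + '%u9090%u6858%ucbd3%u7801' * 3 + '%u00=a'
SAMPLE = [
    f'192.0.2.10 - - [02/Aug/2001:17:30:00 +0000] "GET {_probe} HTTP/1.0" 404 -',
    f'192.0.2.10 - - [02/Aug/2001:17:31:00 +0000] "GET {_probe} HTTP/1.0" 404 -',
    '198.51.100.7 - - [02/Aug/2001:17:32:00 +0000] "GET /index.jsp HTTP/1.0" 200 512',
    '203.0.113.5 - - [02/Aug/2001:17:33:00 +0000] "GET /search.ida?q=report HTTP/1.0" 404 -',
]

if __name__ == '__main__':
    for host, count in find_ida_probes(SAMPLE).items():
        print(f'{host}: {count} .ida overflow probe(s)')
```

On a server that is not IIS, each counted host is a remote scanner to report or block, not a sign that the local machine was compromised.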

