tomcat-users mailing list archives

From Randy Layman <randy.lay...@aswethink.com>
Subject RE: Code Red Worm virus
Date Fri, 03 Aug 2001 12:17:30 GMT

	I need to warn you (and anyone else using RequestLogger) that a bug
has been detected that will cause it to write basically gibberish to the log
under heavy load (two different threading issues).  I know how to fix it,
but haven't had the time yet (probably this weekend).

	Randy

> -----Original Message-----
> From: Charlie Cox [mailto:ccox995@yahoo.com]
> Sent: Friday, August 03, 2001 8:37 AM
> To: tomcat-user@jakarta.apache.org
> Subject: FW: Code Red Worm virus
> 
> 
> I thought I had the latest patch on it (latest critical
> update as of Tuesday), but it still sent my inetinfo
> spinning. We also had to remove the script
> mappings (.ida, etc). Note the service pack put these
> back for us when we installed the latest (w2k sp2). I
> thought service packs were to close holes, not reopen
> them?  That's right, I may have accidentally clicked
> on each one, delete and then 'yes' 3 times to remove
> all of them :)
> 
> I didn't expect that it would cause a problem for me
> as I have a uriworkermap.properties setting of:
> /* = ajp12
> 
> Note that *somehow* IIS still took it upon itself to
> process this request. This is still a mystery to me.
> It should have gone to tomcat and IIS should have
> ignored it. Maybe script mappings take precedence over
> ISAPI filters in IIS? 
> 
> I only found out what it was by turning off IIS (not
> using it for anything else at the moment) and making
> tomcat the port 80 owner. (I must admit it's nice to be
> able to do this) I also installed Randy's
> requestLogger (thank you Randy) to log requests before
> tomcat tried to process it. That is when I saw the
> http request posted below.
> 
> 
> 
> 
> > -----Original Message-----
> > From: Randy Layman [mailto:randy.layman@aswethink.com]
> > Sent: Thursday, August 02, 2001 12:04 PM
> > To: tomcat-user@jakarta.apache.org
> > Subject: RE: Code Red Worm virus
> > 
> > 
> > 
> > 	The message is the virus checking if you are a vulnerable host.
> > Only IIS will respond to the default.ida request.  This indicates that you
> > have been scanned, not infected.  If you don't run IIS then you don't have a
> > problem.  If you run IIS and have installed the patches from Microsoft then
> > you shouldn't have a problem.
> > 
> > 	Randy
> > 
> > > -----Original Message-----
> > > From: Brandon Cruz [mailto:bcruz@norvax.com]
> > > Sent: Thursday, August 02, 2001 12:09 PM
> > > To: tomcat-user@jakarta.apache.org
> > > Subject: RE: Code Red Worm virus
> > > 
> > > 
> > > We are using tomcat-apache and have also seen this message.  I don't know
> > > what causes that either.  I saw it about a month ago.
> > > 
> > > Brandon Cruz
> > > 
> > > 
> > > -----Original Message-----
> > > From: G.Nagarajan [mailto:gnagarajan@dkf.de]
> > > Sent: Thursday, August 02, 2001 10:57 AM
> > > To: tomcat-user@jakarta.apache.org
> > > Subject: RE: Code Red Worm virus
> > > 
> > > 
> > > I think it attacks only IIS web servers.
> > > 
> > > -----Original Message-----
> > > From: David Domenico [mailto:ddomenico@amano.com]
> > > Sent: Thursday, August 02, 2001 5:30 PM
> > > To: tomcat-user@jakarta.apache.org
> > > Subject: Code Red Worm virus
> > > 
> > > 
> > > I am running Tomcat 3.2.1 standalone for development purposes, as a web
> > > server using port 80. Yesterday I noticed the message, see below, on my
> > > Tomcat console window. This is identified as the "Code Red" virus as noted
> > > in the http://www.cert.org/advisories/CA-2001-19.html. The advisory states
> > > that the system may not have been compromised, but I am still concerned.
> > > 
> > > I notified our network administrator and he applied the necessary patches
> > > from MS. However I am not running IIS. Does anyone know of a problem with
> > > Tomcat and the code red virus? I will download the latest release build,
> > > Tomcat 3.2.3, and install it.
> > > 
> > > Full  GET
> > > 
> >
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> > >
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> > > NNNNNNNNNNNNNN
> > > NNNN
> > >
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> > > NNNNNNNNNNNNNN
> > > NNNN
> > >
> NNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%
> > > u6858%ucbd3%u7
> > > 801%
> > >
> u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u0
> > > 0=a  HTTP/1.0
> > > Content-type: text/xmlHOST:www.worm.com Accept:
> */*
> > > 
> > > 
> > > regards,
> > > 
> > > David Domenico
> > > Software Engineer
> > > 
> > > 
> > > "We should take care not to make the intellect our god; it has, of course,
> > > powerful muscles, but no personality." - Albert Einstein
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > 
> 
> 
> 
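
The thread's point that a logged `/default.ida?NNN...%u9090...` request means "scanned, not infected" can be checked across a whole request log. The sketch below is an added example, not part of the original messages and not RequestLogger's code. The log line format, the 64-character filler threshold and the sample lines are assumptions made for illustration. Lines that do not parse are kept separately, since the logger is reported above to write gibberish under heavy load.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in an assumed '<client-ip> "<request line>"' format
# (not RequestLogger's real output). The probe is shortened from the one quoted
# in the thread: a long filler run followed by %u-encoded words.
SAMPLE_LOG = [
    '192.0.2.10 "GET /index.jsp HTTP/1.0"',
    '198.51.100.7 "GET /default.ida?' + "N" * 224 + '%u9090%u6858%ucbd3%u7801=a HTTP/1.0"',
    '198.51.100.7 "GET /default.ida?' + "N" * 224 + '%u9090%u6858%ucbd3%u7801=a HTTP/1.0"',
    '192.0.2.44 "GET /search.ida?q=report HTTP/1.0"',
    '192.0.2.45 "GET /docs/NNNNNNNN.html HTTP/1.0"',
    'garbled-line-without-a-request',
]

LINE_RE = re.compile(r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/\d\.\d)?"$')
FILLER_RE = re.compile(r"(.)\1{63,}")        # 64+ repeats of one character (assumed threshold)
UENC_RE = re.compile(r"%u[0-9a-fA-F]{4}")    # %uXXXX words as seen in the quoted request

def classify(target):
    """Return 'probe', 'ida-request' or None for a request target."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(".ida"):
        return None                          # not aimed at the .ida script mapping
    if FILLER_RE.search(parts.query) and len(UENC_RE.findall(parts.query)) >= 2:
        return "probe"
    return "ida-request"                     # .ida hit without the overflow pattern

def scan(lines):
    """Count probes per client IP; also return other .ida requests and unparsed lines."""
    probes, other_ida, unparsed = Counter(), [], []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)            # keep for review instead of dropping
            continue
        verdict = classify(m.group("target"))
        if verdict == "probe":
            probes[m.group("ip")] += 1
        elif verdict == "ida-request":
            other_ida.append(line)
    return probes, other_ida, unparsed

if __name__ == "__main__":
    probes, other_ida, unparsed = scan(SAMPLE_LOG)
    for ip, n in probes.most_common():
        print(f"{ip}: {n} Code Red style probe(s)")
    print(f"{len(other_ida)} other .ida request(s), {len(unparsed)} unparsed line(s)")
```

On a server that is not IIS, a non-empty probe count only identifies the scanning sources. On an IIS host it is a prompt to confirm the patch level and that the `.ida` script mapping is still removed.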
