www-apache-bugdb mailing list archives

From Kristoffer Eriksson <...@pkmab.se>
Subject general/8222: Unexpected status code in reply to Code Red URL
Date Wed, 22 Aug 2001 08:26:00 GMT

>Number:         8222
>Category:       general
>Synopsis:       Unexpected status code in reply to Code Red URL
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          support
>Submitter-Id:   apache
>Arrival-Date:   Wed Aug 22 01:30:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     ske@pkmab.se
>Release:        1.3.6
>Organization:
apache
>Environment:
Red Hat
Linux draco 2.0.36 #4 Tue Mar 16 12:30:09 MET 1999 i586
>Description:
The Code Red worm is obviously quite busy on the net currently, and I'm seeing plenty of it
in the log files for our Apache web server.

Usually I would expect those URLs to be logged with a status code of 404. That's also what
I've seen in excerpts of logs from other people. But in our logs, I see mostly status 400 and,
in perhaps 40% of the cases, status 200. Also, I would expect the error log to contain another
entry about the requested file not being found, but it doesn't.

This seems strange to me. I wonder why this is so, and whether this indicates a problem with
our server. And whether or not it does, I'm still curious as to the cause of it.

Also, I can't find any difference between the URLs that produce status 200 and those that
produce status 400. They're completely identical, as far as I can see in the log.

Okay, I know we're running an old version of Apache. But I tried searching the change log
for the 1.3 tree, and didn't find anything about changes to the use of these status codes
or the logging of them. Have there been changes that would explain this anyway? I wouldn't
want to just upgrade and see the problem go away without any explanation, especially
if it could be security related.
>How-To-Repeat:
I don't know. When I try to reproduce this manually by calling the server with the same URL
that I find in the log, I always get the expected status code 404 and an entry about the requested
file in the error log too.

All you have to do, though, is connect to the internet and wait a while for a real Code Red
worm to call you.

Here are two log entries with status code 400 and 200:

61.156.162.2 - - [21/Aug/2001:10:02:31 +0200]
"GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090
%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 400 283

61.170.140.38 - - [21/Aug/2001:10:05:27 +0200] 
"GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090
%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 200 -

And I certainly don't have any "default.ida" files.

>Fix:
No.
>Release-Note:
>Audit-Trail:
>Unformatted:
 [In order for any reply to be added to the PR database, you need]
 [to include <apbugs@Apache.Org> in the Cc line and make sure the]
 [subject line starts with the report component and number, with ]
 [or without any 'Re:' prefixes (such as "general/1098:" or      ]
 ["Re: general/1098:").  If the subject doesn't match this       ]
 [pattern, your message will be misfiled and ignored.  The       ]
 ["apbugs" address is not added to the Cc line of messages from  ]
 [the database automatically because of the potential for mail   ]
 [loops.  If you do not include this Cc, your reply may be ig-   ]
 [nored unless you are responding to an explicit request from a  ]
 [developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]