www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Cliff Pratt <enk...@cliffp.com>
Subject Re: general/8222: Unexpected status code in reply to Code Red URL
Date Wed, 22 Aug 2001 11:00:57 GMT
I can confirm this. I have seen it too.

Cheers,

Cliff

Kristoffer Eriksson wrote:
> 
> >Number:         8222
> >Category:       general
> >Synopsis:       Unexpected status code in reply to Code Red URL
> >Confidential:   no
> >Severity:       non-critical
> >Priority:       medium
> >Responsible:    apache
> >State:          open
> >Quarter:
> >Keywords:
> >Date-Required:
> >Class:          support
> >Submitter-Id:   apache
> >Arrival-Date:   Wed Aug 22 01:30:01 PDT 2001
> >Closed-Date:
> >Last-Modified:
> >Originator:     ske@pkmab.se
> >Release:        1.3.6
> >Organization:
> apache
> >Environment:
> Red Hat
> Linux draco 2.0.36 #4 Tue Mar 16 12:30:09 MET 1999 i586
> >Description:
> The Code Red worm is obviously quite busy on the net currently, and I'm seeing plenty
of it in the log files for our Apache web server.
> 
> Usually I would expect those URLs to be logged with a status code of 404. That's also
what I've seen in excerpts of logs from other people. But in our logs, I see a status code
of mostly status 400 and in perhaps 40% of the cases status 200. Also, I would expect the
error log to contain another entry about the requested file not being found, but it doesn't.
> 
> This seems strange to me. I wonder why this is so, and whether this indicates a problem
with our server. And whether or not it does, I'm still curious as to the cause of it.
> 
> Also, I can't find any difference between the URLs that produce status 200 and those
that produce status 400. They're completely identical, as far as I can see in the log.
> 
> Okey, I know we're running an old version of Apache. But I tried searching the change
log for the 1.3 tree, and didn't find anything about changes to the use of these status codes
or the logging of them. Have there been changes that would explain this anyway? I wouldn't
want to just upgrade and see the problem just go away without any explanation anyway, especially
if it could be security related.
> >How-To-Repeat:
> I don't know. When I try to reproduce this manually by calling the server with the same
URL that I find in the log, I always get the expected status code 404 and an entry about the
requested file in the error log too.
> 
> All you have to do though, is connect to the internet and with a while for a real Code
Red worm to call you.
> 
> Here are two log entries with status code 400 and 200:
> 
> 61.156.162.2 - - [21/Aug/2001:10:02:31 +0200]
> "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090
> %u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 400 283
> 
> 61.170.140.38 - - [21/Aug/2001:10:05:27 +0200]
> "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090
> %u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 200 -
> 
> And I certainly don't have any "default.ida" files.
> 
> >Fix:
> No.
> >Release-Note:
> >Audit-Trail:
> >Unformatted:
>  [In order for any reply to be added to the PR database, you need]
>  [to include <apbugs@Apache.Org> in the Cc line and make sure the]
>  [subject line starts with the report component and number, with ]
>  [or without any 'Re:' prefixes (such as "general/1098:" or      ]
>  ["Re: general/1098:").  If the subject doesn't match this       ]
>  [pattern, your message will be misfiled and ignored.  The       ]
>  ["apbugs" address is not added to the Cc line of messages from  ]
>  [the database automatically because of the potential for mail   ]
>  [loops.  If you do not include this Cc, your reply may be ig-   ]
>  [nored unless you are responding to an explicit request from a  ]
>  [developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]
> 
>

Mime
View raw message