This probably isn't appropriate for this list, or at least is more appropriate for other lists, but I'm tired (and about to go to sleep now that I've finally confirmed that none of my friends have been blown up or crushed by falling buildings) and figured the folks here might be likely to have seen this if anyone has.

So, has anyone seen an Apache server return a 200 rather than 404 (according to Apache's logs) in response to an attempted Code Red II exploit? I've seen a single occurrence of it to date, on a Solaris machine that quite regularly gets such attempts; all of the log entries for those other attempts (both before and since) had the proper 404 response code, but this particular one doesn't:

ct740592-a.westprt1.ky.home.com - - [11/Sep/2001:12:21:28 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 200 - "-" "-"

I've only tracked down one other example of this mentioned on the web, at <http://www.geocrawler.com/lists/3/Debian-Linux/199/25/6335051/>; Ian, who reported that incident, never figured out what caused it, either.

Could anyone who has seen this (or has a good idea of what it is) email me off-list?

Thanks,
Sweth.

--
Sweth Chandramouli ; <svcat_private>
President, Idiopathic Systems Consulting
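An added example, not part of the original post: one way to pick the kind of entry described above out of an Apache access log, by flagging /default.ida probe requests whose logged status is anything other than the expected 404. The function name, the example.net hosts and the sample lines are constructed for illustration, and the filler length and shortened %u tail are assumptions rather than values counted from the post.

```python
import re

# Apache common/combined log format:
#   host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>.*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Probe shape seen in the post: GET /default.ida? + a long run of filler
# letters + %uXXXX escapes. Code Red II pads with X; the earlier Code Red
# padded with N, so both are accepted here.
PROBE_RE = re.compile(
    r'^GET /default\.ida\?[NX]{100,}(?:%u[0-9a-fA-F]{4})+', re.IGNORECASE
)


def unexpected_probe_responses(lines, expected=frozenset({"404"})):
    """Return (host, time, status) for probe requests not answered as expected."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not PROBE_RE.match(m.group("request")):
            continue  # unparseable line, or not a /default.ida probe
        if m.group("status") not in expected:
            hits.append((m.group("host"), m.group("time"), m.group("status")))
    return hits


# Constructed sample input (hosts and sizes are made up).
_FILL = "X" * 224  # assumed filler length
_TAIL = "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u00=a"  # shortened
SAMPLE_LOG = [
    f'a.example.net - - [10/Sep/2001:09:14:02 -0400] '
    f'"GET /default.ida?{_FILL}{_TAIL} HTTP/1.0" 404 283 "-" "-"',
    f'b.example.net - - [11/Sep/2001:12:21:28 -0400] '
    f'"GET /default.ida?{_FILL}{_TAIL} HTTP/1.0" 200 - "-" "-"',
    'c.example.net - - [11/Sep/2001:12:30:00 -0400] '
    '"GET /index.html HTTP/1.0" 200 1024 "-" "-"',
]

if __name__ == "__main__":
    for host, when, status in unexpected_probe_responses(SAMPLE_LOG):
        print(f"{when} {host}: probe answered with {status}")
```

A hit only says what Apache logged for that request; the matching error_log entries and any handler or ErrorDocument configuration for the path are the next things to compare against.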
This archive was generated by hypermail 2b30 : Wed Sep 12 2001 - 11:45:19 PDT