Re: [logs] 200 return code on Code Red II against Apache?

From: Dennis Jenkins (djenkinsat_private)
Date: Thu Sep 13 2001 - 05:14:29 PDT


    Oh heck no!!!  I have no such crap^H^H^H^H tool installed.  I have logs
    of over 500 code red II hits.  The vast majority are returned by apache
    with error 404.  Occasionally, it returns code 200.  I have no idea
    why.  The box is a stock Slackware 7.1 Linux serving only static
    content.  The apache version is 1.3.12.
    
    JW wrote:
    > 
    > What is the question: are you wondering why any UNIX box would actually have a default.ida? Well, there are a number of packages that implement Windows functions for UNIX, for example, Sun Microsystems now own Chili!Soft ASP, which is M$ ASP for UNIX. I believe there are similar packages for things besides ASP too.
    > 
    > Is it possible that the servers in question have something like that installed? Apache FrontPage extensions maybe?
    > 
    > Also, I recall some people discussing writing a dummy script that actually did something useful, like email the administrator of the client's netblock, or something, reporting the hit.
    > 
    > At 03:57 PM 9/12/2001 -0500, you wrote:
    > >Yes, I have four of them (very odd...)
    > >
    > >root@www:/var/log/apache# grep "default.ida" usb-access.log  | grep
    > >"HTTP/1.0\" 200"
    > >192.192.135.153 - - [05/Aug/2001:22:13:19 -0500] "GET
    > >/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
    > >HTTP/1.0" 200 -
    > >211.41.178.2 - - [20/Aug/2001:05:06:41 -0500] "GET
    > >/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
    > >HTTP/1.0" 200 -
    > >200.48.188.155 - - [22/Aug/2001:16:36:36 -0500] "GET
    > >/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
    > >HTTP/1.0" 200 -
    > >195.117.169.40 - - [04/Sep/2001:03:51:49 -0500] "GET
    > >/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
    > >HTTP/1.0" 200 -
    > >root@www:/var/log/apache#
    > >
    > >
    > >Sweth Chandramouli wrote:
    > >>
    > >>         This probably isn't appropriate for this list, or at
    > >> least is more appropriate for other lists, but I'm tired (and about to
    > >> go to sleep now that I've finally confirmed that none of my friends have
    > >> been blown up or crushed by falling buildings) and figured the folks here
    > >> might be likely to have seen this if anyone has.  So, has anyone seen an
    > >> Apache server return a 200 rather than 404 (according to Apache's logs)
    > >> in response to an attempted Code Red II exploit?  I've seen a single
    > >> occurrence of it to date, on a Solaris machine that quite regularly gets
    > >> such attempts; all of the log entries for those other attempts (both
    > >> before and since) had the proper 404 response code, but this particular
    > >> one doesn't:
    > >>
    > >> ct740592-a.westprt1.ky.home.com - - [11/Sep/2001:12:21:28 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 200 - "-" "-"
    > >>
    > >>         .  I've only tracked down one other example of this
    > >> mentioned on the web, at
    > >> <http://www.geocrawler.com/lists/3/Debian-Linux/199/25/6335051/>; Ian,
    > >> who reported that incident, never figured out what caused it, either.
    > >>
    > >>         Could anyone who has seen this (or has a good idea of what
    > >> it is) email me off-list?
    > >>
    > >>         Thanks,
    > >>
    > >>         Sweth.
    > >>
    > >> --
    > >> Sweth Chandramouli ; <svcat_private>
    > >> President, Idiopathic Systems Consulting
    > >>
    > >
    > >--
    > >djenkinsat_private                           Universal Savings Bank.
    > >Security Administrator, Unix Administrator, Alpha Geek
    > >
    > >The three most dangerous things are a programmer with a soldering
    > >iron, a manager who codes, and a user who gets ideas.
    > >
    > >---------------------------------------------------------------------
    > >To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    > >For additional commands, e-mail: loganalysis-helpat_private
    > 
    > ----------------------------------------------------
    > Jonathan Wilson
    > System Administrator
    > 
    > Cedar Creek Software     http://www.cedarcreeksoftware.com
    > Central Texas IT     http://www.centraltexasit.com
    > 
    
    -- 
    djenkinsat_private                           Universal Savings Bank.
    Security Administrator, Unix Administrator, Alpha Geek
    
    The three most dangerous things are a programmer with a soldering
    iron, a manager who codes, and a user who gets ideas.
    
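The check the posters ran by hand (grep for default.ida, then grep for a 200) as a small log audit, added here as an example that is not part of the thread: it parses Apache common/combined log lines, picks out Code Red II probes, counts them by status code, and returns the ones that did not get the expected 404. The sample log lines and the 192.0.2.x hosts are constructed, and the probe payload is shortened.

```python
import re
from collections import Counter

# One Apache common-log entry; the combined-format referer/agent fields may follow
# and are ignored. Written for this example, not taken from the posters' setups.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)
# Code Red II probes request /default.ida?XXX...%u9090... as shown in the thread
CODE_RED_RE = re.compile(r'^/default\.ida\?X+%u9090', re.IGNORECASE)

# Constructed sample lines (payload shortened); hosts are RFC 5737 documentation addresses
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Aug/2001:22:13:19 -0500] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 -',
    '192.0.2.20 - - [20/Aug/2001:05:06:41 -0500] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a  HTTP/1.0" 200 - "-" "-"',
    '192.0.2.30 - - [22/Aug/2001:16:36:36 -0500] "GET /index.html HTTP/1.0" 200 1234',
    '192.0.2.40 - - [04/Sep/2001:03:51:49 -0500] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 -',
    'garbage line that does not parse',
]

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it is not well formed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def is_code_red(entry):
    return entry is not None and CODE_RED_RE.match(entry["path"]) is not None

def audit(lines, expected_status=404):
    """Count Code Red II hits by status; collect those that did not get expected_status."""
    counts = Counter()
    anomalies = []
    for line in lines:
        entry = parse_line(line)
        if not is_code_red(entry):
            continue
        counts[entry["status"]] += 1
        if entry["status"] != expected_status:
            anomalies.append(entry)
    return counts, anomalies
```

Run `audit()` over the real access log (one line per entry, unwrapped) and the anomalies list is exactly the set of 200-response hits the thread is asking about, with host and timestamp ready for follow-up.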
    



    This archive was generated by hypermail 2b30 : Thu Sep 13 2001 - 10:18:09 PDT