Re[2]: Apache hack attempts

From: Manuel Guesdon (mguesdon+ml@oxymium.net)
Date: 08/11/01


Date: Sat, 11 Aug 2001 13:11:32 +0200 (CEST)
From: Manuel Guesdon <mguesdon+ml@oxymium.net>
Subject: Re[2]: Apache hack attempts
To: focus-linux@lists.securityfocus.com
Message-Id: <20010811111132.E16B4759F4@zen.sbuilders.com>

On Thu, 09 Aug 2001 22:59:29 -0300 (BRT) Daniel Santana <danilex@fastinternet.com.br> wrote:

>|
>| On 09-Aug-2001 Brian Clifton wrote:
>| > Dear All
>| >
>| > I have the following in my RH7.0/Apache 1.3.14 error_log file:
>| >
>| > [Wed Aug 8 06:10:51 2001] [error] [client 212.49.3.120] Invalid URI in
>| > request
>| > XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>| > XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>| > XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858
>| > %ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00
>| > %u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
>| >
>| > Is this a brute force attempt to make apache fall over? Am I vulnerable
>| > to it - running as user=apache?? Server is working OK at the moment.
>|
>| This is a Code Red attempt on your server. You're safe since you're using a
>| server that is not IIS, so dismiss this error. I've been probed by infected CR
>| and CR2 machines 50 times a day. My logs are exhausted.

Even if you don't use IIS, this can cause 2 problems:
        - filling your disks with logs
        - overloading (and maybe crashing) your server if you've redirected Web Server 404 errors to an external process (like a perl script).

Manuel
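
To gauge the log-volume problem raised in this message, the following added example (not part of the original post) tallies entries shaped like the quoted one per client and measures the log bytes they consume. The sample entries and 192.0.2.x addresses are constructed, and matching N filler in addition to the X filler shown above is an assumption.

```python
import re
from collections import Counter

# Apache 1.3 error_log entry: [timestamp] [level] [client IP] message
ENTRY = re.compile(r"^\[[^\]]+\] \[(\w+)\] \[client ([\d.]+)\] (.*)$")
# Shape of the quoted entry: a long run of one filler letter, then %uXXXX units.
# The post shows X filler; also accepting N is an assumption of this example.
PROBE = re.compile(r"(?:N{20,}|X{20,})(?:%u[0-9a-fA-F]{4}){3,}")

def summarize(lines):
    """Count probe entries per client and the log bytes they occupy."""
    per_client = Counter()
    probe_bytes = total_bytes = 0
    for raw in lines:
        line = raw.rstrip("\n")
        size = len(line.encode("utf-8")) + 1  # +1 for the newline on disk
        total_bytes += size
        m = ENTRY.match(line)
        if m and PROBE.search(m.group(3)):
            per_client[m.group(2)] += 1
            probe_bytes += size
    return {
        "per_client": dict(per_client),
        "probe_entries": sum(per_client.values()),
        "probe_bytes": probe_bytes,
        "total_bytes": total_bytes,
    }

# Constructed sample entries (documentation addresses, not taken from the post).
UNITS = "%u9090%u6858%ucbd3%u7801"
PREFIX = "[Wed Aug  8 06:1%d:00 2001] [error] [client 192.0.2.%d] "
SAMPLE_LOG = [
    PREFIX % (0, 10) + "Invalid URI in request " + "X" * 224 + UNITS + " HTTP/1.0",
    PREFIX % (1, 10) + "Invalid URI in request " + "X" * 224 + UNITS + " HTTP/1.0",
    PREFIX % (2, 20) + "Invalid URI in request " + "N" * 224 + UNITS + " HTTP/1.0",
    PREFIX % (3, 30) + "File does not exist: /var/www/html/favicon.ico",
    "[Wed Aug  8 06:14:00 2001] [notice] caught SIGTERM, shutting down",
    PREFIX % (5, 30) + "Invalid URI in request GET XXXX HTTP/1.0",  # short run: not a probe
]

if __name__ == "__main__":
    r = summarize(SAMPLE_LOG)
    share = 100.0 * r["probe_bytes"] / r["total_bytes"]
    for ip, n in sorted(r["per_client"].items(), key=lambda kv: -kv[1]):
        print("%-15s %d probe entries" % (ip, n))
    print("%d of %d bytes (%.0f%%) are probe entries"
          % (r["probe_bytes"], r["total_bytes"], share))
```

For a real log, pass the open file object to `summarize()`; the per-client counts show which sources dominate and the byte share shows how quickly these entries fill the disk.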