Re[2]: Apache hack attempts

From: Manuel Guesdon (mguesdon+ml@oxymium.net)
Date: 08/11/01


Date: Sat, 11 Aug 2001 13:11:32 +0200 (CEST)
From: Manuel Guesdon <mguesdon+ml@oxymium.net>
Subject: Re[2]: Apache hack attempts
To: focus-linux@lists.securityfocus.com
Message-Id: <20010811111132.E16B4759F4@zen.sbuilders.com>

On Thu, 09 Aug 2001 22:59:29 -0300 (BRT) Daniel Santana <danilex@fastinternet.com.br> wrote:

>|
>| On 09-Aug-2001 Brian Clifton wrote:
>| > Dear All
>| >
>| > I have the following in my RH7.0/Apache 1.3.14 error_log file:
>| >
>| > [Wed Aug 8 06:10:51 2001] [error] [client 212.49.3.120] Invalid URI in
>| > request
>| > XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>| > XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>| > XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858
>| > %ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00
>| > %u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
>| >
>| > Is this a brute force attempt to make apache fall over? Am I vunerable
>| > to it - runing as user=apache?? Server is working OK at the moment.
>|
>| This is a CodRed attempt on your server. You're safe since you're using a
>| server that is not IIS, so dismiss this error. I've been probed by infected CR
>| and CR2 machines 50 times a day. My logs are exausted.

Even if you don't use IIS, this can cause 2 problems:
        - filling your disks with logs
        - overcharge (and may be crash) your server if you've redirect Web Server 404 errors to an external process (like a
perl script).

Manuel



Relevant Pages

  • RE: Apache hack attempts
    ... Subject: Apache hack attempts ... > Is this a brute force attempt to make apache fall over? ... This is a CodRed attempt on your server. ...
    (Focus-Linux)
  • RE: Apache hack attempts
    ... Subject: Apache hack attempts ... > Its A IIS worm, Does not affect anything that has to do with apache. ... > hope all your admins are not like you. ... Cuckfield House, High Street, Cuckfield, West Sussex RH17 5EL ...
    (Focus-Linux)
  • Apache hack attempts
    ... Subject: Apache hack attempts ... Is this a brute force attempt to make apache fall over? ... Is this someone looking for the Code Red vunerability of IIS?? ... Cuckfield House, High Street, Cuckfield, West Sussex RH17 5EL ...
    (Focus-Linux)