RE:overflow(?) HTTP intrusion in progress
From: C (f0cks@herself.co.uk)
Date: 07/23/01
- Previous message: Ken Pfeil: "RE: Port scanning"
- Maybe in reply to: Scott Lawton: "overflow(?) HTTP intrusion in progress"
- Next in thread: Rodelio_Finones@support.trendmicro.com: "RE: overflow(?) HTTP intrusion in progress"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <008301c11316$c148da70$0100000a@home.local>
From: "C" <f0cks@herself.co.uk>
To: <security-basics@securityfocus.com>
Subject: RE:overflow(?) HTTP intrusion in progress
Date: Mon, 23 Jul 2001 02:28:18 +0100
The activity you are seeing in your log files is from the Code Red worm. I would
suggest you look at the threads in the group concerning this. I would not worry
though, because your server is not vulnerable.
Andy Edwards
----- Original Message -----
From: "Scott Lawton" <scott_bulkmail@prefab.com>
To: <security-basics@securityfocus.com>
Sent: Thursday, July 19, 2001 11:00 PM
Subject: overflow(?) HTTP intrusion in progress
> Hi. I'm new to the list, and relatively new to security issues -- though
> I'm familiar with simple whois stuff (e.g. for tracing spam) and have read
> through some of the recent messages here.
>
> My Webserver has been receiving what appear to be intrusion attempts all
> afternoon. It started out about 2 per hour, but I've just received 5 in the
> last 45 minutes. The HTTP error is a simple
> File not found: /default.ida
>
> I log the fields from every HTTP request that gives an error.
>
> first line: "default.ida?" followed by over 200 "N" chars followed by 2
> dozen unicode chars (at least I think that's what they are, e.g. "%u9090")
>
> The full request starts like this:
>
> HTTP/1.0
> Content-type: text/xml
> HOST:www.worm.com
> Accept: */*
> Content-length: 3569
>
> followed by what appear to be garbage chars (a binary "file" of some
> sort?).
>
> I would guess that "worm.com" is a bit of black humor on their part?
>
> Incidentally, the "host" field that usually would appear in a web log
> doesn't seem to be there at all. (In fact, that initially masked the
> problem until I fixed my logging routine.)
>
> ...
>
> Every request came from a different IP address. I've looked many of them
> up so far; no pattern: USA, Sweden, China, Korea; the US ones are well-known
> ISPs; for those that trace to an individual company, the company at least
> looks legit.
>
> The good news for me is that I'm running an obscure Webserver -- and on a
> Mac. I guess the bad news is that I won't be able to run some of the
> diagnostic tools that you might otherwise suggest.
>
> Other data: I'm running on a DSL line, behind an inexpensive firewall (a
> little box that has NAT and DHCP).
>
> ...
>
> Any guess as to whether the IP addresses are spoofed vs. being
> "hijacked"? If the latter, I'd at least like to notify the various admins
> that they may have been compromised.
>
> I tried searching Google and such for more info, but there aren't many
> keywords in the request so I don't have much to go on.
>
> Any and all suggestions welcome.
>
> thanks in advance,
>
> Scott
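As an added example, not part of the thread or of any tool mentioned in it: a small Python detector for the request pattern Scott describes (a /default.ida request whose query is a long run of "N" followed by %u escapes), run over constructed log lines. The tab-separated "client IP, request line" log format, the RFC 5737 addresses and the escape values are all assumptions.

```python
import re
from collections import Counter

# Request-line pattern for the probe described in the thread: a request for
# /default.ida whose query string is a long run of "N" (over 200 on the page)
# followed by a series of %uXXXX escapes.
CODE_RED_RE = re.compile(
    r"^(?P<method>[A-Z]+) /default\.ida\?(?P<filler>N{200,})"
    r"(?P<escapes>(?:%u[0-9a-fA-F]{4})+)"
)

def classify_request(request_line):
    """Return filler/escape counts if the line matches the probe, else None."""
    m = CODE_RED_RE.match(request_line)
    if m is None:
        return None
    return {
        "filler_len": len(m.group("filler")),
        "escape_count": m.group("escapes").count("%u"),
    }

def scan_log(lines):
    """Each line is 'CLIENT_IP<TAB>REQUEST_LINE' (assumed log format).
    Returns the list of (ip, details) hits and a per-IP hit counter; many
    distinct source IPs each sending one probe is the worm pattern the
    thread describes, not a single scanner."""
    hits, per_ip = [], Counter()
    for line in lines:
        ip, _, request = line.partition("\t")
        details = classify_request(request)
        if details is not None:
            hits.append((ip, details))
            per_ip[ip] += 1
    return hits, per_ip

# Constructed sample log lines (RFC 5737 documentation addresses; the escape
# values are made up and are not the worm's real payload).
PROBE = "GET /default.ida?" + "N" * 224 + "%u9090%u6858" * 12 + " HTTP/1.0"
SAMPLE_LOG = [
    "192.0.2.10\t" + PROBE,
    "198.51.100.7\tGET /index.html HTTP/1.0",
    "203.0.113.42\t" + PROBE,
]

if __name__ == "__main__":
    hits, per_ip = scan_log(SAMPLE_LOG)
    for ip, details in hits:
        print(f"{ip}: default.ida probe, {details['filler_len']} N's, "
              f"{details['escape_count']} %u escapes")
    print(f"{len(hits)} probes from {len(per_ip)} distinct source addresses")
```

Because the worm's request carries no usable Host header, matching on the request line rather than the virtual host is what makes the probe visible in the log, which is the gap Scott hit in his own logging routine.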