I saw these entries in my weblog. Anything I can do against this?

61.182.248.223 - - [12/Mar/2002:07:47:44 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090% u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u 0000%u00=a HTTP/1.0" 400 331
64.133.27.115 - - [12/Mar/2002:10:23:19 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:20 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:20 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:20 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:20 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:21 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:21 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:21 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt /system32/cmd.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:21 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:22 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
64.133.27.115 - - [12/Mar/2002:10:23:22 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:22 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:22 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294
64.133.27.115 - - [12/Mar/2002:10:23:23 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294
64.133.27.115 - - [12/Mar/2002:10:23:23 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:23 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476
202.5.152.215 - - [12/Mar/2002:12:01:15 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090% u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u 0000%u00=a HTTP/1.0" 400 331
146.155.10.241 - - [12/Mar/2002:12:50:04 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090% u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u 0000%u00=a HTTP/1.0" 400 331
212.205.99.248 - - [12/Mar/2002:13:07:02 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090% u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u 0000%u00=a HTTP/1.0" 400 331
On Tue, Mar 12, 2002 at 06:19:04PM -0500, Landy Roman wrote:
i saw these entries in my weblog anything i can do against this
[snip]
You are being attacked by a Code Red infected Windows server. Since you are running Apache, you are immune, except to the bandwidth and CPU waste. If it is a persistent problem from the same server, you can track down the owner and let them know to patch or take their server offline. If you want to be a vigilante, I vaguely remember a perl script that someone wrote to shutdown their server, but that may be kind of drastic :)

Regards,
Keith
--
LPIC-2, MSCE, N+
you may say I'm a dreamer, but I'm not the only one
Got spam? Get SPASTIC http://spastic.sourceforge.net
On Tue, 12 Mar 2002 18:39:26 -0500, Keith Winston wrote:
On Tue, Mar 12, 2002 at 06:19:04PM -0500, Landy Roman wrote:
i saw these entries in my weblog anything i can do against this
[snip]
You are being attacked by a Code Red infected Windows server. Since you are running Apache, you are immune, except to the bandwidth and CPU waste. If it is a persistant problem from the same server, you can track down the owner and let them know to patch or take their server offline.
I just read that, in order to deal with the CPU waste, one can create an empty file default.ida in the server's root.... FYI
These are the Code Red / Nimda attack signatures. You can just ignore them since you are not at risk. I know, they really clutter up the logs though. I do not think there is a way to keep them out of the log; on the security list they went around on this and I do not remember any specific resolution which would keep them out of the log files. (anyone know of a way to avoid logging these entries?)

Jim

03/12/02 05:19:04 PM, Landy Roman wrote:
> i saw these entries in my weblog anything i can do against this
On Wednesday 13 March 2002 00:46, James Bliss wrote:
This is the Code Red / Nimda attack signatures. You can just ignore them
I do not think there is a way to keep them out of the log, on the security list they went around on this and I do not remember any specific resolution which would keep them out of the log files. (anyone know of a way to avoid logging these entries?)
I did this, but that was to *move* them to a different log. Easily adaptable to just ignore:

In /etc/http/httpd.conf around line 700:

    SetEnvIf Request_URI "root.exe" bad_req
    SetEnvIf Request_URI "cmd.exe" bad_req
    SetEnvIf Request_URI "default.ida" bad_req

Which tells apache to look out for those kinds of requests, and set the variable bad_req.

Around line 740:

    CustomLog /var/log/httpd/access_log common env=!bad_req
    CustomLog /var/log/httpd/bad_requests "%h %t \"%r\"" env=bad_req

Which tells apache to log everything BUT (env=!bad_req) as usual in access_log, and everything (env=bad_req) to the file bad_requests in the format of:

    HOST-IP [time] "bad-string"

I put the stuff where I put it, because I'm no apache-wizard, but it seemed about right. It can't be all wrong, 'cause it works very nicely :)

If you don't care to log these attacks, then just adding the "env=!bad_req" to the regular log-line should suffice, but you still have to set up that variable (obviously).

In my case I let the two logs run side-by-side for a while, before adding that statement to the access_log-line, just to be sure that I didn't lose anything.

If anyone sees something terribly wrong with this setup, please let me know ;)

Jon
On Wednesday 13 March 2002 00.46, James Bliss wrote:
This is the Code Red / Nimda attack signatures. You can just ignore them since you are not at risk. I know, they really clutter up the logs though.
I do not think there is a way to keep them out of the log, on the security list they went around on this and I do not remember any specific resolution which would keep them out of the log files. (anyone know of a way to avoid logging these entries?)
This is included in SuSE's official 2.4.16 kernel. Don't know about 2.4.10

    iptables -I INPUT -j DROP -m string -p tcp -s 0.0.0.0/0 --dport 80 --string "default.ida"

(Adjust the string to suit other virus patterns). This will drop the attempt at the firewall level, before it ever gets to your apache.

//Anders
On Wed, 13 Mar 2002 08:20:18 +0100, Anders Johansson wrote:
On Wednesday 13 March 2002 00.46, James Bliss wrote:
This is the Code Red / Nimda attack signatures. You can just ignore them since you are not at risk. I know, they really clutter up the logs though.
I do not think there is a way to keep them out of the log, on the security list they went around on this and I do not remember any specific resolution which would keep them out of the log files. (anyone know of a way to avoid logging these entries?)
This is included in SuSE's official 2.4.16 kernel. Don't know about 2.4.10
iptables -I INPUT -j DROP -m string -p tcp -s 0.0.0.0/0 --dport 80 --string "default.ida"
(Adjust the string to suit other virus patterns). This will drop the attempt at the firewall level, before it ever gets to your apache.
//Anders
-- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/support/faq and the archives at http://lists.suse.com
any idea why the return code was 400 and not 404?
BTW nobody commented on these?

u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u 0000%u00=a HTTP/1.0" 400 331
64.133.27.115 - - [12/Mar/2002:10:23:19 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:20 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:20 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:20 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:20 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:21 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:21 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:21 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt /system32/cmd.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - -
On Wednesday 13 March 2002 13:44, Landy Roman wrote:
BTW nobody commented on these?
Yeah. We did ;) This is nimda:
u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u 0000%u00=a HTTP/1.0" 400 331
64.133.27.115 - - [12/Mar/2002:10:23:19 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:20 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 401 476
<snipped some>

Nimda comes in 'bursts' of 16 requests. 2 of these are for 'bladabla/root.exe', 14 are for 'bladabla/cmd.exe'.

I'm currently working on a perl script, that will read the separate 'bad_requests' log, categorize the different attacks (+times and IP numbers) and stuff that info into a MySQL database. Later I want to expand that whole thing to make/keep an updated 'blacklist' of 'Bad Hosts'. In the fullness of time this data is going to serve two purposes:

1: Any host on the blacklist will be denied any access to this server. Except for _legitimate_ browser-requests, which will be met with just one page explaining *why* access is denied, plus a, dynamically generated, summary of attacks originating from that host.

2: It will be made public, in the form of a summary of the number of attacks, and the times of occurrence.

Probably tons of similar apps are already out there, but it's a learning experience for me to write this stuff up. ;)

Also I've seen a lot of rpc and printer (among others) connection attempts in the firewall log, lately, and as soon as I figure out how to get that stuff logged on the main server, that stuff is going into the Bad Hosts database as well. With the same response as mentioned above.

FYI *this* is code red:

61.182.248.223 - - [12/Mar/2002:07:47:44 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090% u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u 0000%u00=a HTTP/1.0" 400 331
any idea why the return code was 400 and not 404?
Apache decided that these were bad requests, instead of simply 'not there' (?) What makes Apache respond with 401 (Authentication required) on *some* of this, though, is beyond me...

Oh yeah. This is a very small site with not much traffic, so we can afford the overhead of all this processing... ;)
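As an added example (not code from the thread, and not Jon's perl script), here is a Python sketch of the triage step he describes: parse common-log lines, classify each request as Code Red or Nimda by the same file-name markers the SetEnvIf rules use, count hits per host, and decode the double-encoded and overlong-encoded paths so the traversal reads in plain form. The log lines are a constructed, shortened sample, and the rule for folding the overlong byte pairs is an assumption about how those requests were meant to be read.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Apache common log format, as in the entries quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample: shortened request shapes from the thread plus one normal hit.
SAMPLE_LOG = """\
61.182.248.223 - - [12/Mar/2002:07:47:44 -0500] "GET /default.ida?NNNN%u9090%u6858=a HTTP/1.0" 400 331
64.133.27.115 - - [12/Mar/2002:10:23:19 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:20 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:20 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:22 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:23 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476
192.0.2.10 - - [12/Mar/2002:10:30:00 -0500] "GET /index.html HTTP/1.0" 200 1234
"""

def lenient_decode(uri, rounds=3):
    """Percent-decode up to `rounds` times (so %255c -> %5c -> backslash) and fold
    the overlong two-byte forms in the log (%c0%af, %c1%9c, %c1%1c, %c0%2f) to the
    slash they stand for. Assumption: any byte after a 0xC0/0xC1 lead is its continuation."""
    text = uri
    for _ in range(rounds):
        raw = unquote_to_bytes(text)
        out = bytearray()
        i = 0
        while i < len(raw):
            b = raw[i]
            if b in (0xC0, 0xC1) and i + 1 < len(raw):
                out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
                i += 2
            else:
                out.append(b)
                i += 1
        new = out.decode("latin-1")
        if new == text:
            break
        text = new
    return text.replace("\\", "/").lower()

def classify(uri):
    """Worm family for a request URI, or None. The file-name markers are the ones the
    thread's SetEnvIf rules use; the decoded-path check also flags the same traversal
    probes when they aim at some other file name."""
    low = uri.lower()
    if "default.ida" in low:
        return "code-red"
    if "root.exe" in low or "cmd.exe" in low:
        return "nimda"
    if "../" in lenient_decode(uri):
        return "traversal"
    return None

def summarize(log_text):
    """Hits per (host, family) plus each decoded path: the triage a separate
    bad_requests log would feed before any host goes on a blacklist."""
    counts = Counter()
    paths = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        family = classify(m["uri"])
        if family is None:
            continue
        key = (m["host"], family)
        counts[key] += 1
        paths.setdefault(key, []).append(lenient_decode(m["uri"]))
    return counts, paths

if __name__ == "__main__":
    hits, decoded = summarize(SAMPLE_LOG)
    for (host, family), n in sorted(hits.items()):
        print(host, family, n, "request(s)")
        for p in decoded[(host, family)]:
            print("   ", p)
```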
On Wednesday 13 March 2002 16.54, Jon Clausen wrote:
On Wednesday 13 March 2002 13:44, Landy Roman wrote:
Did anyone else have problems with the last two mails in this thread from Landy Roman, and the one from Jon Clausen?

They completely blocked my popper. It simply refused to read the mail. Both the list mail and the one that was cc:ed to me. I even tried starting imapd. It read the mail before these, and the mail after, but these mails it simply refused to read.

However, when I copied the mbox file to my *local* /var/spool/mail/ and let kmail get it from there, it read them perfectly.

I'm baffled! Did anyone else see this?

//Anders
On Wed, Mar 13, 2002 at 07:54:52PM +0100, Anders Johansson wrote:
On Wednesday 13 March 2002 16.54, Jon Clausen wrote:
On Wednesday 13 March 2002 13:44, Landy Roman wrote:
Did anyone else have problems with the last two mails in this thread from Landy Roman, and the one from Jon Clausen?
They appeared to come through fine on my machine.

Regards,
Keith
--
LPIC-2, MSCE, N+
you may say I'm a dreamer, but I'm not the only one
Got spam? Get SPASTIC http://spastic.sourceforge.net
On Wednesday 13 March 2002 19:54, Anders Johansson wrote:
On Wednesday 13 March 2002 16.54, Jon Clausen wrote:
On Wednesday 13 March 2002 13:44, Landy Roman wrote:
Did anyone else have problems with the last two mails in this thread from Landy Roman, and the one from Jon Clausen?
They completely blocked my popper. It simply refused to read the mail. Both the list mail and the one that was cc:ed to me. I even tried starting imapd. It read the mail before these, and the mail after, but these mails it simply refused to read.
However, when I copied the mbox file to my *local* /var/spool/mail/ and let kmail get it from there, it read them perfectly.
I'm baffled! Did anyone else see this?
Trying to reproduce the situation. I had no problems with any of the mesgs in question... I don't know what to make of this at all. As far as I can tell the headers were all fine.

Call me clueless :(

Jon
On Wednesday 13 March 2002 13:44, Landy Roman wrote:
BTW nobody commented on these?
u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u 0000%u00=a HTTP/1.0" 400 331
64.133.27.115 - - [12/Mar/2002:10:23:19 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:20 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:20 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:20 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:20 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:21 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:21 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:21 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt /system32/cmd.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - -
How's this? (Yet another Attempt at Reproducing Anders' mail problem)
On Wednesday 13 March 2002 21.13, Jon Clausen wrote:
How's this? (Yet another Attempt at Reproducing Anders' mail problem)
Yes, this reproduced the problem. popper and imapd *refuse* to read the mail.

Are they susceptible to code red? :) I don't get it. I cannot see anything wrong with these mails, and kmail - when reading straight from a file - reads them without problems.

Is there anyone else out there using popper and/or imapd (not cyrus, the one in imapd.rpm) that sees this problem too?

//Anders
On Wednesday 13 March 2002 21:19, Anders Johansson wrote:
On Wednesday 13 March 2002 21.13, Jon Clausen wrote:
How's this? (Yet another Attempt at Reproducing Anders' mail problem)
Yes, this reproduced the problem. popper and imapd *refuse* to read the mail.
Are they susceptible to code red? :) I don't get it. I cannot see anything wrong with these mails, and kmail - when reading straight from a file - reads them without problems.
Is there anyone else out there using popper and/or imapd (not cyrus, the one in imapd.rpm) that sees this problem too?
This is getting to be really strange... The part where kmail will read it from a file with no problem, but refuses to have anything to do with it, if it's in the spool... What's (or rather: is *that*) the difference? Look out Anders! I'm gonna send you a mail off-list containing the codered-string, as seen in Landy's mail... Just to try and narrow it down a bit. (to see if it has anything to do with the stuff passing thru the list...)
On Wednesday 13 March 2002 21.36, Jon Clausen wrote:
This is getting to be really strange... The part where kmail will read it from a file with no problem, but refuses to have anything to do with it, if it's in the spool... What's (or rather: is *that*) the difference?
I think I may have found something, but I would really love to know if other qpopper users see the problem as well.

I redirected Landy's mail to a remailer I have, that forwards all mail back to me, just to get the message back into my mailbox. I then tried to pop it. When popper was hanging I did an strace on it and saw it was hanging on a read(). lsof showed the file position at 2628, which was the end of the mail. However, looking at kmail's debug output I saw that qpopper reported message length as 2633, 5 bytes longer than the actual mail.

That appears to be why popper's hanging. It's trying to read beyond end-of-file (or end of message, if there are other messages behind it in the file). Something in that mail appears to be screwing with qpopper's calculation of the length of the message.

//Anders
On Wed, Mar 13, 2002 at 09:13:02PM +0100, Jon Clausen beat on the keyboard:
On Wednesday 13 March 2002 13:44, Landy Roman wrote:
BTW nobody commented on these?
How's this? (Yet another Attempt at Reproducing Anders' mail problem)
That is someone infected with a virus. If you use smbclient you can log onto the machine 50% of the time :)
--
rsweet@garagenetworks.net "unix soit qui mal y pense."
This is code red or one of its variants. Since you aren't running Microsoft IIS you are immune to it.

Ewan

On Fri, 2002-03-15 at 15:13, Robert Sweet wrote:
On Wed, Mar 13, 2002 at 09:13:02PM +0100, Jon Clausen beat on the keyboard:
On Wednesday 13 March 2002 13:44, Landy Roman wrote:
BTW nobody commented on these?
How's this? (Yet another Attempt at Reproducing Anders' mail problem)
** On Tue, 12 Mar 2002 18:19:04 -0500 (EST) Landy Roman
Participants (8): Anders Johansson, Ewan Leith, James Bliss, jfweber@bellsouth.net, Jon Clausen, Keith Winston, Landy Roman, Robert Sweet