Re: [suse-security] Strange HTTP requests
... on the same thread ... are there any known exploits/vulnerabilities for
Apache 1.3.12 running on SuSE?
(The only issue I found on
http://www.suse.com/us/support/security/index.html was dated 07-09-2000 and
just required a minor edit to httpd.conf)
should I upgrade to 1.3.19 anyway?
TIA
Michael
On Thu, Jul 19, 2001 at 10:02:17PM +0100, michael.ryan@storm.ie wrote:
... on the same thread ... are there any known exploits/vulnerabilities for Apache 1.3.12 running on SuSE? (The only issue I found on http://www.suse.com/us/support/security/index.html was dated 07-09-2000 and just required a minor edit to httpd.conf) should I upgrade to 1.3.19 anyway?
TIA Michael
It depends on how you have apache configured. Excerpt of the security related entries in the changelog of apache (the changes in 1.3.20 are not relevant on Linux):
Changes with Apache 1.3.19
*) Under certain circumstances, Apache did not supply the right response headers when requiring authentication. [Gertjan van Wingerde] PR#7114
Changes with Apache 1.3.18 [not released]
*) SECURITY: The default installation could lead to mod_negotiation and mod_dir/mod_autoindex displaying a directory listing instead of the index.html.* files, if a very long path was created artificially by using many slashes. Now a 403 FORBIDDEN is returned. [Martin Kraemer]
Changes with Apache 1.3.17
*) Normalize the Netware path names to close a potential security hole in comparing paths when the administrator specifies both sys:foo and sys:/foo formats in the same httpd.conf file. [Brad Nicholes]
Changes with Apache 1.3.15 [not released]
*) Restore functionality broken by the mod_rewrite security fix: rewrite map lookup keys and default values are now expanded so that the lookup can depend on the requested URI etc. [Tony Finch] PR #6671
Changes with Apache 1.3.13 [not released]
*) Tighten up the syntax checking of Host: headers to fix a security bug in some mass virtual hosting configurations that can allow a remote attacker to retrieve some files on the system that should be inaccessible. [Tony Finch]
*) Fix a security problem that affects some configurations of mod_rewrite. If the result of a RewriteRule is a filename that contains expansion specifiers, especially regexp backreferences $0..$9 and %0..%9, then it may have been possible for an attacker to access any file on the web server. [Tony Finch]
Hope that helps,
Peter
--
Peter Poeml poeml@suse.de
-------------------------------------------------------------------------------
VFS: Busy inodes after unmount. Self-destruct in 5 seconds. Have a nice day...
this only affects microsoft internet information server (iis) you have nothing to worry about if you are only running apache.
On Thu, 19 Jul 2001 michael.ryan@storm.ie wrote:
... on the same thread ... are there any known exploits/vulnerabilities for Apache 1.3.12 running on SuSE? (The only issue I found on http://www.suse.com/us/support/security/index.html was dated 07-09-2000 and just required a minor edit to httpd.conf) should I upgrade to 1.3.19 anyway?
TIA Michael
Lars Trebing
Subject: [suse-security] Strange HTTP requests
07/19/2001 07:46 PM
Hello everyone,
My Apache has just got three strange requests from three different addresses:
63.149.209.133 - - [19/Jul/2001:18:55:47 +0200] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 400 315 209.215.117.8 - - [19/Jul/2001:19:14:28 +0200] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 400 315 161.184.88.254 - - [19/Jul/2001:19:21:18 +0200] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 400 315
Might this perhaps be an attack for a known bug of some HTTP server? Should I maybe even worry about this? (I am running Apache 1.3.12).
By the way, I performed the same request locally and got a 404 error instead of the 400s reported in the log.
TIA, Lars
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
Chad Whitten Network/Systems Administrator Nexband Communications chadwick@nexband.com
i have this default.ida requests too! but we are running apache and roxen server only. what for stupid guys try this IIS exploit on apache or roxen? *rofl*
tia, lars s.
-----Original Message-----
From: dog@intop.net [mailto:dog@intop.net]
Sent: Friday, July 20, 2001 6:08 AM
To: michael.ryan@storm.ie
Cc: suse-security@suse.com
Subject: Re: [suse-security] Strange HTTP requests
this only affects microsoft internet information server (iis) you have nothing to worry about if you are only running apache.
Lars Schlimpert wrote:
i have this default.ida requests too! but we are running apache and roxen server only. what for stupid guys try this IIS exploit on apache or roxen? *rofl*
tia, lars s.
It's the Code Red Worm, only affects IIS. Details here: http://news.cnet.com/news/0-1003-200-6604515.html
Matt
i have this default.ida requests too! what for stupid guys try this IIS exploit on apache or roxen? *rofl*
It's a worm ('Code Red'), read BugTraq, it's full of attack-stories. Everyone here should monitor bugtraq, it's a good source of information (http://www.securityfocus.com)
Markus
*deleted 100's of full-quoted lines*
*AAARGH* maybe some people will learn how to quote some day :(
--
_____________________________  /"\
Markus Gaugusch  ICQ 11374583  \ /  ASCII Ribbon Campaign
markus@gaugusch.dhs.org         X   Against HTML Mail
                               / \
ok, thanks for this information! sorry for this BIG quote... :) that's toughly: "That means any computer on the "randomized" list will be attacked by every newly infected computer. By monitoring who attacks a target machine, a list of attacking--thus infected--computers can be made."
lars s.
-----Original Message-----
From: Markus Gaugusch [mailto:markus@gaugusch.dhs.org]
Sent: Friday, July 20, 2001 8:55 AM
To: Lars Schlimpert
Cc: suse-security@suse.com
Subject: RE: [suse-security] Strange HTTP requests
i have this default.ida requests too! what for stupid guys try this IIS exploit on apache or roxen? *rofl*
It's a worm ('Code Red'), read BugTraq, it's full of attack-stories. Everyone here should monitor bugtraq, it's a good source of information (http://www.securityfocus.com)
Markus
*deleted 100's of full-quoted lines* *AAARGH* maybe some people will learn how to quote some day :(
it's a worm that generates random ips and does a scan of port 80 on the ip then tries to infect it if it finds a web server. worm doesn't check to see what version of web server is.
On Fri, 20 Jul 2001, Lars Schlimpert wrote:
i have this default.ida requests too! but we are running apache and roxen server only. what for stupid guys try this IIS exploit on apache or roxen? *rofl*
tia, lars s.
Chad Whitten Network/Systems Administrator Nexband Communications chadwick@nexband.com
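The thread notes that the worm probes any web server it finds and that a list of attacking (thus infected) hosts can be built by watching who sends the request. The following is an added example, not part of any message in the thread, that pulls those hosts out of an Apache access log; the match thresholds, the `needs_review` helper and the sample addresses are assumptions made for the example.

```python
import re
from collections import defaultdict

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) \S+$'
)

# Probe shape quoted in the thread: default.ida, a long run of one filler
# character, then %uXXXX escapes. Both thresholds are assumptions.
PROBE = re.compile(
    r'^/default\.ida\?(?P<fill>(.)\2{99,})(?P<esc>(?:%u[0-9a-f]{4}){2,})',
    re.IGNORECASE,
)

def find_probes(lines):
    """Map each source host to the (time, status) of its matching requests."""
    hits = defaultdict(list)
    for line in lines:
        entry = CLF.match(line.strip())
        if entry and PROBE.match(entry['target']):
            hits[entry['host']].append((entry['time'], int(entry['status'])))
    return dict(hits)

def needs_review(hits):
    """Hosts whose probe got anything other than a 4xx rejection."""
    return sorted(host for host, seen in hits.items()
                  if any(not 400 <= status < 500 for _, status in seen))

# Constructed sample: documentation addresses and a shortened escape run,
# not the requests quoted in the thread.
PROBE_URL = '/default.ida?' + 'N' * 224 + '%u9090%u9090=a'
SAMPLE_LOG = [
    f'192.0.2.10 - - [19/Jul/2001:18:55:47 +0200] "GET {PROBE_URL} HTTP/1.0" 400 315',
    f'198.51.100.7 - - [19/Jul/2001:19:14:28 +0200] "GET {PROBE_URL} HTTP/1.0" 404 287',
    f'192.0.2.10 - - [19/Jul/2001:19:30:02 +0200] "GET {PROBE_URL} HTTP/1.0" 400 315',
    '203.0.113.5 - - [19/Jul/2001:19:20:00 +0200] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.5 - - [19/Jul/2001:19:21:00 +0200] "GET /default.ida?q=1 HTTP/1.0" 404 287',
]

if __name__ == '__main__':
    hits = find_probes(SAMPLE_LOG)
    for host, seen in sorted(hits.items()):
        print(host, len(seen), 'probe(s), statuses', [s for _, s in seen])
    print('needs review:', needs_review(hits))
```

A log whose request lines were wrapped by a mail client, as in the messages above, has to be rejoined into one entry per line before it is passed to `find_probes`.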
participants (6)
- dog@intop.net
- Lars Schlimpert
- Markus Gaugusch
- michael.ryan@storm.ie
- Peter Poeml
- StarTux