Results 1 to 3 of 3

Thread: apache logfile weirdness

  1. #1

    Question apache logfile weirdness

    I installed apache about a month ago and im getting these weird requests for the file /default.ida. It goes kinda like this:

    x.x.x.x [date] "GET /default.ida?XXX[LOTS_of_'x's]XXX%u9090%u6858%ucbd3%u7801%u and then that %u... repeats sometimes with different numbers, sometimes the same. It ends with a %u=a HTTP/1.0"

    I see this from many different IPs. I telneted myself and did the same thing but nothing came back. I checked out one of the guys that did this (he had like a dozen ports open), loaded his webpage and it was some 31337 dud3 who hates the government. Is this some kind of exploit that doesnt work? One more question, i port scan myself, but i cant find the logs anywhere! Is the stealth mode really good, or am i looking in the wrong place? thanks guys
    Ryan

  2. #2
    Junior Member
    Join Date
    Sep 2001
    Posts
    10

    Red face Code Red

    Hi

    The log is from code red (1 or 2), it uses the IIS ida vulnerability to access remote machines and copy its self over. perfectly harmless to apache. The only pain is it fills the log, and that compromised computers usualy only scan the same IP ranges as
    its currently using.

    e.g 212.67.31.7 would scan 212.67.*.*

    all the X's are the padding for the buffer overflow, and the numbers the acual code.


  3. #3
    Contact your ISP and e-mail them the log. If you're like me, and on Road Runner, it gets annoying when your log files are splattered with that garbage. Also, I have taken the step to net send the IPs that I get in hopes that the user will know what's going on and fix the problem.
    E-Mailing the ISP with the log will help them to better track down who is still infected.
    Jason Parker - http://www.o-negative.net
    o-Negative: Information Network

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •