It's a worm called Code Red, spreading thru IIS-servers. Nothing
you have to worry about if you're only running Apache.
We dont, so we should have worried yesterday. =)
There are info on cert.org, eeya.com and probably /. and
so on..
I've seen 100 of this on one server, around 70
on another. Plus the IIS we got infected (not
my area =)).
> -----Original Message-----
> From: Brian Rectanus [mailto:brectanu@vt.edu]
> Sent: den 19 juli 2001 23:17
> To: debian-security@lists.debian.org
> Subject: CGI Buffer Overflow?
>
>
> Anyone seen this before? I have looked around for similar
> attacks, but
> cannot find any info. I assume that is a unicode string
> padded out with
> Ns. How would I go about finding out what is in the string?
>
>
> xxx.xxx.xxx.xxx - - [19/Jul/2001:14:28:23 -0400] "GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd
> 3%u7801%u9
> 090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531
> b%u53ff%u0
> 078%u0000%u00=a HTTP/1.0" 400 328
>
>
> --Brian
>
>
> --
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
>
###########################################
This message has been scanned by F-Secure Anti-Virus for Microsoft Exchange.
For more information, connect to http://www.F-Secure.com/