From: Steven L. Brendtro (sbrendtro@home.com)
Date: 08/08/01


From: "Steven L. Brendtro" <sbrendtro@home.com>
Subject: Odd Apache Log Entry... Code red?
Date: Wed, 8 Aug 2001 22:48:31 -0500
Message-ID: <ECELJBEDJNBKJAFCILGJMENECAAA.sbrendtro@home.com>

Hello all,

After browsing my Apache logs for a development box, I found SEVERAL Code
Red requests "GET default.ida?...". I moved my port from 80 to 8081 so I
won't get flooded all the time.

Now how about this one... there are several log entries that start with:
        "GET /scripts/..%c1%9c../winnt/system32/cmd.exe... - 404"
followed by several hundred lines of binary-looking garbage:
        ";øv‰FÈ‹NÈ+Á‰E"

I read somewhere that the cmd.exe is part of Code Red's attack. Does anyone
know what exactly is all the binary garbage I am getting in my log files?

Thanks,
Steve B.

PS I will be glad when Code Red is gone and we can talk about Linux on
Mainframes again :)
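
Added example (not part of the original message): a Python triage script that tallies the three kinds of log lines the post describes, decoding the %c1%9c sequence so the hidden path separator becomes visible. The sample lines, addresses, category names and the 0.7 printable-byte threshold are constructed assumptions; the binary sample is the post's quoted fragment taken as Windows-1252 bytes.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed sample lines in Apache common log format (not the poster's real log).
SAMPLE_LOG = [
    b'192.0.2.10 - - [08/Aug/2001:21:03:11 -0500] "GET /default.ida?XXXX HTTP/1.0" 404 205',
    b'192.0.2.44 - - [08/Aug/2001:21:07:52 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe HTTP/1.0" 404 230',
    b'\x3b\xf8\x76\x89\x46\xc8\x8b\x4e\xc8\x2b\xc1\x89\x45',  # ";øv‰FÈ‹NÈ+Á‰E" as cp1252
    b'192.0.2.7 - - [08/Aug/2001:21:09:00 -0500] "GET /index.html HTTP/1.0" 200 1024',
]

REQUEST = re.compile(rb'"(?:GET|HEAD|POST) (\S+)')

def lenient_decode(raw: bytes) -> str:
    """Percent-decode, then fold overlong 2-byte UTF-8 (lead byte 0xC0/0xC1)
    to ASCII as a non-validating decoder would: %c1%9c becomes a backslash."""
    data = unquote_to_bytes(raw)
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)

def classify(line: bytes) -> str:
    # Lines that are mostly non-printable bytes are the "binary garbage" case.
    printable = sum(32 <= c < 127 for c in line)
    if line and printable / len(line) < 0.7:
        return "binary"
    m = REQUEST.search(line)
    if not m:
        return "other"
    path = lenient_decode(m.group(1)).lower().replace("\\", "/")
    if "default.ida" in path:
        return "ida-probe"
    if "/../" in path and "cmd.exe" in path:
        return "traversal-cmd"
    return "other"

def summarize(lines):
    return Counter(classify(line) for line in lines)

if __name__ == "__main__":
    for kind, count in summarize(SAMPLE_LOG).items():
        print(f"{kind:15} {count}")
```

To run it against a real log, read the file in binary mode and pass the lines to summarize(), since the embedded binary data will not decode as text.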
