[plug] Barbarians at the gate...
James Bromberger
james at rcpt.to
Sun Aug 5 12:05:13 WST 2001
On Sun, Aug 05, 2001 at 11:46:00AM +0800, skribe wrote:
> I'm getting hits on my web server looking for http:///default.ida. From what
> I've read this seems to be a buffer overflow exploit for winnt/2000 IIS. It
> seems to be coming from a variety of hosts: iinet to Taiwan. Is there
> anything I can do about it? It's becoming annoying.
I think it was said earlier; Code Red is a buffer overflow exploit that
makes an HTTP request starting "/default.ida", and then has lots of "NNN"'s
in it. Even if you put an Apache directive in to deny this, then you will
still get a log entry. Indeed, how about:

    RedirectPermanent /default.ida http://localhost/i_am_worm_please_sanitise_me

This will change those 404's (not found) into 305 (redirect) or so.
There's not much more you can do, other than pre-parse your log file to remove
the annoying attempts. ;)
FYI:
http://www.time.com/time/columnist/taylor/article/0,9565,169678,00.html
http://slashdot.org/article.pl?sid=01/07/25/1222229
http://www.cert.org/advisories/CA-2001-23.html
http://www.theregister.co.uk/content/4/20719.html
--
James Bromberger <james_AT_rcpt.to> www.rcpt.to/~james
Remainder moved to http://www.rcpt.to/~james/james/sig.html
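
Added example, not part of the original message: one way to pre-parse an access log as suggested above, dropping requests for /default.ida and counting the hosts that sent them. It assumes Apache Common Log Format; the sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} \S+'
)

# Constructed sample lines (documentation addresses, shortened query strings).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Aug/2001:11:40:01 +0800] "GET /default.ida?NNNNNNNNNNNN HTTP/1.0" 404 276',
    '198.51.100.7 - - [05/Aug/2001:11:41:13 +0800] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.10 - - [05/Aug/2001:11:42:30 +0800] "GET /default.ida?NNNNNNNNNNNN HTTP/1.0" 404 276',
    '203.0.113.5 - - [05/Aug/2001:11:43:02 +0800] "GET /Default.IDA?NNNN HTTP/1.0" 404 276',
    '198.51.100.7 - - [05/Aug/2001:11:44:00 +0800] "GET /docs/default.ida.html HTTP/1.1" 200 512',
]


def is_default_ida_request(request):
    """True if the request line asks for /default.ida, with or without a query."""
    parts = request.split()
    if len(parts) < 2:
        return False
    path = parts[1].split("?", 1)[0]
    # IIS paths are case-insensitive, so compare in lower case.
    return path.lower() == "/default.ida"


def split_log(lines):
    """Return (lines to keep, Counter of hosts that requested /default.ida)."""
    kept, hosts = [], Counter()
    for line in lines:
        m = CLF.match(line)
        if m and is_default_ida_request(m.group("request")):
            hosts[m.group("host")] += 1
        else:
            kept.append(line)  # unparsable lines are kept, never dropped
    return kept, hosts


if __name__ == "__main__":
    kept, hosts = split_log(SAMPLE_LOG)
    print("\n".join(kept))
    for host, count in hosts.most_common():
        print(f"# {host}: {count} /default.ida request(s) removed")
```

The match is on the exact path rather than a substring, so a legitimate page such as /docs/default.ida.html stays in the cleaned log.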