
Re: Code Red II at the IETF meeting

2001-08-07 11:10:03
Patrik Fältström wrote:
--On 08/07/2001 9:21 AM -0400 Bobby Krupczak 
<rdk(_at_)cc(_dot_)gatech(_dot_)edu> wrote:


Well, folks, my packet suckers have shown a Code Red II attack from a machine on the IETF meeting net. It's 217.33.140.38 -- if you have that address, you need to disinfect and patch your machine. For the rest of you, be careful...

Do you always snoop on traffic at IETFs?

Just curious.  Don't read anything else into my question.


You don't have to snoop. Just run a webserver on port 80 on your local host
and look at the virus trying to attack your local laptop.

I run a local apache, and the logs are full of things like these:

217.33.136.83 - - [07/Aug/2001:14:32:44 +0100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 271
217.33.24.50 - - [07/Aug/2001:14:36:21 +0100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 271

     paf


Well, it's my bad luck that I'm missing the meeting; perhaps I need to invite all the guys (girls are welcome too) for some beer :)

OK back to subject

Yes I must say I just hate these buggers

# Tag any request whose path ends in .ida (the Code Red II probe target)
SetEnvIf Request_URI \.ida$ bugger
# Tagged requests go to their own log, everything else to the usual access log
CustomLog logs/bugger_log common env=bugger
CustomLog logs/access_log common env=!bugger
# CustomLog only writes access-log entries, so the line below would just copy
# the non-.ida access entries into error_log; the error log itself is set by
# the ErrorLog directive and is not filtered by env=, so it is left disabled.
#CustomLog logs/error_log common env=!bugger

This would make the .ida requests go to their own specific log instead of the usual one. I haven't had the chance to try this, but I don't consider my apache box on the private 192.168.* network subject to the attacks.

And for those people who hate "scanners" I recommend:
http://www.thinkgeek.com/stuff/things/38df.html

Good luck with the meetings everyone

/John

--
Webgiro AB
---------------------
+46-850640765 Phone
+46-850640701 Fax
+46-733864346 Cellular
RIPE handle: JA4953-RIPE
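As an added example (not part of the thread, and not Apache's or anyone on the list's code), here is the same separation paf observed and John's SetEnvIf rule expresses, done offline in Python over access-log lines: parse Apache common log format, pull the Code Red II probes (a GET for /default.ida with X padding and %u-encoded words, as in the quoted lines) out of the normal traffic, and count probing source addresses. The sample log is constructed here: the two probe lines are rebuilt from the ones paf quoted (the length of the X padding is illustrative), the 192.168.1.20 request and the malformed line are made up.

```python
import re
from collections import Counter

# Apache Common Log Format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# A Code Red II probe is a GET for /default.ida whose query string is a run of
# X padding followed by %u-encoded words. Matching the .ida path is what the
# SetEnvIf rule in the mail does; the %u check just tightens it a little.
IDA_RE = re.compile(r'^GET /default\.ida\?X+%u[0-9a-fA-F]{4}')

# The %u-encoded tail of the request exactly as quoted in paf's log excerpt.
CODE_RED_TAIL = ('%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858'
                 '%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff'
                 '%u0078%u0000%u00=a')


def code_red_line(host, when):
    """Rebuild one of the quoted log lines (X padding length is illustrative)."""
    return ('%s - - [%s] "GET /default.ida?%s%s HTTP/1.0" 404 271'
            % (host, when, 'X' * 224, CODE_RED_TAIL))


# Constructed sample: the two probes quoted in the thread, one ordinary
# request (made up), and one line that is not an access-log record at all.
SAMPLE_LOG = [
    code_red_line('217.33.136.83', '07/Aug/2001:14:32:44 +0100'),
    code_red_line('217.33.24.50', '07/Aug/2001:14:36:21 +0100'),
    '192.168.1.20 - - [07/Aug/2001:14:40:02 +0100] "GET /index.html HTTP/1.0" 200 1043',
    'this line is not an access-log record',
]


def parse_clf(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['status'] = int(entry['status'])
    entry['bytes'] = 0 if entry['bytes'] == '-' else int(entry['bytes'])
    return entry


def is_ida_probe(entry):
    """True if the parsed entry's request line looks like a Code Red II probe."""
    return bool(IDA_RE.match(entry['request']))


def split_log(lines):
    """Return (probe_entries, normal_entries, unparsed_lines), like the
    bugger_log / access_log split but with the junk kept for inspection."""
    probes, normal, unparsed = [], [], []
    for line in lines:
        entry = parse_clf(line)
        if entry is None:
            unparsed.append(line)
        elif is_ida_probe(entry):
            probes.append(entry)
        else:
            normal.append(entry)
    return probes, normal, unparsed


def probe_sources(probes):
    """Count probes per source address: the hosts that need disinfecting."""
    return Counter(e['host'] for e in probes)


if __name__ == '__main__':
    probes, normal, unparsed = split_log(SAMPLE_LOG)
    print('%d probes, %d normal requests, %d unparsed lines'
          % (len(probes), len(normal), len(unparsed)))
    for host, n in probe_sources(probes).most_common():
        print('  %s: %d probe(s)' % (host, n))
```

Feed it a real access_log with `split_log(open('access_log'))` and the probe partition is what would have landed in bugger_log; the unparsed bucket is worth keeping because a request line containing a literal double quote (or a truncated line) breaks the simple CLF regex rather than silently going to the normal side.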


