[NCLUG] Apache Seg Faults
Rich Blinne
richblinne at hotmail.com
Tue Sep 18 18:01:12 MDT 2001
This looks like the Unicode exploit attack on (surprise, surprise) IIS.
(The characters between the ..'s are Unicode characters.) It's the Nimda
worm. Apache is doing fine.
> -----Original Message-----
> From: nclug-admin at nclug.org [mailto:nclug-admin at nclug.org] On Behalf Of Jeff Moe
> Sent: Tuesday, September 18, 2001 3:35 PM
> To: nclug at nclug.org
> Subject: Re: [NCLUG] Apache Seg Faults
>
> I see that it is only happening to /one/ of my virtual hosts, which is why I
> wasn't seeing it every time I got hit. It looks like I'm getting less hits
> now--it appears FRII's port blocking is working.
>
> Apparently it's happening when one of these two files is requested (more
> likely the 2nd one):
> /scripts/..Á../winnt/system32/cmd.exe
> /scripts/..À¯../winnt/system32/cmd.exe
>
> What is less-than-common about this particular virtual host? A few things:
> 1) It doesn't log IP addresses. It uses this for logging:
> LogFormat "noip - - %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %T %V" noip
> CustomLog /log/access_log noip
>
> 2) It redirects 404s:
> ErrorDocument 404 /en/404.htm
>
> 3) It has 32 "Redirect permanent" lines. This is due to the site originally
> being in English, then getting translated into multiple languages. So the
> English site got moved to an /en/ directory instead of root.
>
> I have other sites that are doing all of the above that aren't affected
> though.
>
> Other relevant info:
> 1) Options ExecCGI Includes FollowSymLinks
>
> 2) It's running KRUD 7.1 (RedHat based distro). libunicode is installed,
> fwiw.
>
> Thanks!
>
> -Jeff
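
An added example, not part of the original thread: one way to pick these requests out of an access log written with the `noip` LogFormat quoted above, by flagging the bytes 0xC0 and 0xC1, which can never begin valid UTF-8. The sample entries, timestamps and `www.example.org` are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote_to_bytes

# Request line inside an Apache access-log entry: "METHOD URI PROTOCOL"
REQUEST_RE = re.compile(rb'"(?:GET|HEAD|POST) ([^ "]+) HTTP/\d\.\d"')

def overlong_sequences(uri: bytes):
    """Return (offset, two_bytes, lenient_char) for each 0xC0/0xC1 lead byte.

    0xC0 and 0xC1 would only encode code points below 0x80, which UTF-8
    requires to be written as a single byte, so they are always invalid.
    """
    raw = unquote_to_bytes(uri)  # undo %XX escapes, keep the raw bytes
    hits = []
    for i, b in enumerate(raw[:-1]):
        if b in (0xC0, 0xC1):
            # Character a decoder that skips validation would compute.
            lenient = chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            hits.append((i, raw[i:i + 2], lenient))
    return hits

def scan(log_lines):
    """Yield (line_number, uri, hits) for entries carrying overlong bytes."""
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if m:
            hits = overlong_sequences(m.group(1))
            if hits:
                yield n, m.group(1), hits

# Constructed sample entries in the "noip" format: one ordinary request,
# one with the bytes sent raw, one with the same kind of bytes %-escaped.
SAMPLE = [
    b'noip - - [18/Sep/2001:15:20:01 -0600] "GET /en/index.htm HTTP/1.0" '
    b'200 5120 "-" "Mozilla/4.0" 0 www.example.org',
    b'noip - - [18/Sep/2001:15:20:07 -0600] "GET /scripts/..\xc0\xaf../winnt/'
    b'system32/cmd.exe HTTP/1.0" 404 283 "-" "-" 0 www.example.org',
    b'noip - - [18/Sep/2001:15:20:09 -0600] "GET /scripts/..%c1%1c../winnt/'
    b'system32/cmd.exe HTTP/1.0" 404 283 "-" "-" 0 www.example.org',
]

if __name__ == "__main__":
    for n, uri, hits in scan(SAMPLE):
        for offset, seq, ch in hits:
            print(f"line {n}: {seq.hex()} at byte {offset} -> {ch!r} in {uri!r}")
```

The check works on bytes rather than decoded text, so it catches the sequence whether the client sent it raw or percent-encoded.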