On Friday 20 July 2001 03:15 pm, Mike Blancas wrote:
> Josh Chamas sure have fooled them =).
>
> On Fri, 20 Jul 2001, Orlando Andico wrote:
> > This is funny. This morning I saw a bunch of attempts to get a very long
> > fake URL on tara, getting "default.ida?NNNNN...." (lots of N's, see the
> > access_log on tara). An obvious buffer overrun attack.
> >
> > http://www.eeye.com/html/Research/Advisories/AL20010717.html
> >
> > I just read the above URL now. I guess the worm thought tara was an NT.2k
> > IIS5 machine. Instead all it got was 404s. =)
The worm actually attacks without detecting what web server is present. So
even if it's Apache, AOLserver, Mathopd, or what have you, it connects and
then dumps the string.
So theoritically, running netcat to listen on port 80 then redirecting to a
file should give you the source.
But maybe not now since the code is suppose to stop already and just attack
an IP from the www.whitehouse.gov pool. Coder messed up though, coz he
hardcoded the ip address of www1.whitehouse.gov. So the admin just refused
that ip and saved a little more embarassment for Microsoft. =)
--
Deds Castillo
Infiniteinfo Philippines
http://www.infiniteinfo.com
Hiroshima '45, Chernobyl '86, Windows '95
_
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
To subscribe to the Linux Newbies' List: send "subscribe" in the body to
[EMAIL PROTECTED]
