Ramesh,
My advice is if you are running Apache on a Windows machine, you should
install the patch from Microsoft anyway. The security loophole is not in IIS
but instead in a service that IIS exposes to the internet. In the early days
of August, Microsoft's web site talked about the security loophole in
detail. Now, Microsoft appears to be taking a higher level approach and has
updated their web site page. I think the new one is easier to read:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/topics/codealrt.asp
You can also read about the Code Red virus at http://www.mcafee.com.
Briefly, the Code Red virus attacks only Microsoft Windows machines. It
takes advantage of a security loophole by overrunning a buffer when IIS
automatically runs the program that is associated with *.IDA files. Perl is
not at all involved with this unless you have changed the file association
for *.IDA files to run Perl.
If you have a Microsoft Windows machine running IIS, you may be vulnerable
to the attack. There are a number of ways to determine if your machine is
vulnerable including downloading and running a program that will check your
IP address. You will find these descriptions and more at the web sites
mentioned above.
I hope this helps.
Richard
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Chandra Ramesh
Sent: Friday, August 24, 2001 6:13 AM
To: Shawn; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Active Perl vulnerable to hacker attempt?
Hello,
Thought that only IIS 5.0 and above was vulnerable to Code Red II.
Is Apache also affected by this?
Regards,
Ramesh Chandra
-----Original Message-----
From: Shawn [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 24, 2001 3:39 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Active Perl vulnerable to hacker attempt?
This is the great and mighty Code Red II virus in action... And the answer
to your question in this case is no. I am sure there is some backdoor that
has yet to be discovered, but this isn't it...
At one point around the beginning of August, our servers were getting hit by
2-3 of those a second...
Shawn
----- Original Message -----
From: "Gisle Askestad" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, August 24, 2001 5:03 AM
Subject: Active Perl vulnerable to hacker attempt?
>
> Hello group
>
> I'm running Apache 1.3.20 and ActivePerl-5.6.0.616 and ActivePerl-5.6.0.628 (command line).
> I frequently get requests like this:
>
> Server Access Log:
> 195.173.20.3 - - [22/Aug/2001:19:08:12 +0200] "GET /default.ida?
>
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%
>
u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u909
0%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%
> u0000%u00=a HTTP/1.0" 200 706
>
> I'm not sure whether this is a hacker attempt or not; to be honest, I'm not sure what this is at all.
> My question is whether something like this can activate Perl command line and
> in any way access scripts on the server?
>
> Regards
>
> G. Askestad
> [EMAIL PROTECTED]
>
> _______________________________________________
> ActivePerl mailing list
> [EMAIL PROTECTED]
> http://listserv.ActiveState.com/mailman/listinfo/activeperl
>
>
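Added example, not part of the original thread: a small Python filter that picks requests shaped like the one quoted above (a .ida path, a long run of filler characters, %uXXXX escapes) out of an Apache common-format access log and counts them per source address. The sample log lines, the documentation-range IP addresses and the 100-character length threshold are constructed assumptions; the four %u escapes are taken from the quoted request.

```python
import re
from collections import Counter

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
PCT_U = re.compile(r'%u[0-9a-fA-F]{4}')   # %uXXXX escapes as in the quoted request
FILLER = re.compile(r'([A-Za-z])\1+')     # run of one repeated letter (the X padding)
MIN_QUERY_LEN = 100                       # assumed threshold; tune for your site

def classify(line):
    """Return details for a Code Red-style .ida request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group('target').partition('?')
    if not path.lower().endswith('.ida'):
        return None
    escapes = len(PCT_U.findall(query))
    if len(query) < MIN_QUERY_LEN or escapes == 0:
        return None
    run = max((len(f.group(0)) for f in FILLER.finditer(query)), default=0)
    return {'host': m.group('host'), 'time': m.group('time'),
            'status': int(m.group('status')), 'query_len': len(query),
            'filler_run': run, 'pct_u': escapes}

def summarize(lines):
    """Return (list of hits, Counter of hits per source host)."""
    hits = [h for h in map(classify, lines) if h]
    return hits, Counter(h['host'] for h in hits)

# Constructed sample input (not real traffic)
PROBE = '/default.ida?' + 'X' * 224 + '%u9090%u6858%ucbd3%u7801%u00=a'
SAMPLE = [
    f'192.0.2.10 - - [22/Aug/2001:19:08:12 +0200] "GET {PROBE} HTTP/1.0" 404 210',
    '198.51.100.7 - - [22/Aug/2001:19:08:13 +0200] "GET /index.html HTTP/1.0" 200 1043',
    f'192.0.2.10 - - [22/Aug/2001:19:08:14 +0200] "GET {PROBE} HTTP/1.0" 404 210',
    '203.0.113.5 - - [22/Aug/2001:19:09:00 +0200] "GET /search.ida?q=perl HTTP/1.0" 404 208',
]

if __name__ == '__main__':
    hits, per_host = summarize(SAMPLE)
    for host, count in per_host.most_common():
        print(f'{host}: {count} Code Red-style request(s)')
```

On an Apache server these entries only record the attempt; the per-host counts are useful for reporting the infected sources or filtering the noise out of the logs.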