[TCLUG] Lots of denied packets. Port 80

Fri Jul 20 13:41:47 CDT 2001

When are people going to stop using built-in and/or static arrays in network
daemons?  Haven't we seen enough array overrun attacks?  Every one of them
could have been prevented by simple coding practices.  For example, using a
string class!  I stopped using built-in and static arrays years ago and I
don't even write network daemons.  I stopped using them simply because they
are a proven source of bugs, bugs, bugs, nasty bugs.  Am I insane?

Mike
----- Original Message -----
From: <ming at mongo.evil-overlords.com>
To: <tclug-list at mn-linux.org>
Sent: Thursday, July 19, 2001 10:58 PM
Subject: Re: Re: [TCLUG] Lots of denied packets. Port 80

> Well I have only about 20 requests so far but they come from all over the
place
> some from europe some from asia some from very well known us
sites(bellsouth,
> ohio university, juno). By the way....very nice article.
>
> Jason
> >andy at theasis.com wrote:
> >>
> >> > > Just a worm looking for copies of IIS and hoping to exploit a
buffer
> >> > > overflow.  The requests start off with "GET /default.ida?NNNN..."
and
> >> > > are too large to be anything but a buffer overflow attempt.
> >> > >
> >> > > The only article I've been able to find about the worm is at
> >> > > http://www.newsbytes.com/news/01/168003.html?&_ref=923747745
> >> >
> >> > http://www.securityfocus.com/templates/headline.html?id=12004
> >>
> >> http://www.msnbc.com/news/602036.asp?cp1=1
> >
> >And of course last but not least a real in depth technical explination
> >of what codered is, what it does, and how it spreads instead of
> >newsflash fluff. ;P
> >
> >http://www.eeye.com/html/Research/Advisories/AL20010717.html
> >
> >Cute. Whoever wrote it knew their win32. The stuff in the GET line is
> >just a boostrap, the real worm code is in the rest of the HTTP request,
> >and thus not logged. I've written me a CGI to grab the complete virus
> >next time I get hit. Heh.
> >
> >I've gotten 21 attempts so far.
> >_______________________________________________
> >tclug-list mailing list
> >tclug-list at mn-linux.org
> >https://mailman.mn-linux.org/mailman/listinfo/tclug-list
> >
>
>