From owner-FreeBSD-users-jp@jp.freebsd.org  Thu Aug  2 18:15:40 2001
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id SAA22376;
	Thu, 2 Aug 2001 18:15:40 +0900 (JST)
	(envelope-from owner-FreeBSD-users-jp@jp.FreeBSD.org)
Received: from dell.nasuinfo.or.jp (dell.nasuinfo.or.jp [210.230.170.8])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with ESMTP id SAA22371
	for <FreeBSD-users-jp@jp.freebsd.org>; Thu, 2 Aug 2001 18:15:40 +0900 (JST)
	(envelope-from kawachi@nasuinfo.or.jp)
Received: from kawachi.nasuinfo.or.jp ([210.230.170.3])
          by dell.nasuinfo.or.jp (Post.Office MTA v3.1.2J release 205-101-J
          ID# 110-55991U3000L300S0J) with SMTP id AAA308
          for <FreeBSD-users-jp@jp.freebsd.org>;
          Thu, 2 Aug 2001 18:15:39 +0900
Message-Id: <200108020912.AA05110@kawachi.nasuinfo.or.jp>
From: kawachi@nasuinfo.or.jp (kenji kawachi)
Date: Thu, 02 Aug 2001 18:12:03 +0900
To: FreeBSD-users-jp@jp.freebsd.org
In-Reply-To: <20010802020856.20323@mail.ca2.so-net.ne.jp>
MIME-Version: 1.0
X-Mailer: AL-Mail32 Version 1.01
Content-Type: text/plain; charset=iso-2022-jp
Reply-To: FreeBSD-users-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+010328
X-Sequence: FreeBSD-users-jp 63396
Subject: [FreeBSD-users-jp 63396] Re: [Q] how can we deny "code red" attack?
Errors-To: owner-FreeBSD-users-jp@jp.freebsd.org
Sender: owner-FreeBSD-users-jp@jp.freebsd.org
X-Originator: kawachi@nasuinfo.or.jp

$B2OFb$G$9!#(B

I just checked ours as well, and every web server has the same thing.
The worst of them show 30 or more.

There were quite a few on the 20th as well, and after a dormant period they
started up again on the 1st and the 2nd.

It is just as the Computer Emergency Response Center notified us.
What on earth is going on? I feel indignant.
Shall we all pool the IPs that issue GET /default.ida?

Also, rather than just sitting there being attacked, isn't there something
like an interceptor-missile concept?


Below is the notification text from the Computer Emergency Response Center.


$B3F0L(B

                                                  JPCERT-AT-2001-0017
                                                            JPCERT/CC
                                                           2001-07-30

                  <<< JPCERT/CC Alert 2001-07-30 >>>

               Continued Threat of the "Code Red" Worm


  Microsoft IIS $B$N@H<e@-$r;H$C$FEAGE$9$k%o!<%`(B "Code Red" Worm $B$NEAGE(B
$B3hF0$,(B 8/1($B?e(B) $B8aA0(B 9:00 ($BF|K\;~4V(B) $B$K:F3+$9$k2DG=@-$,$"$j$^$9!#$b$7$^(B
$B$@=$@5MQ$N%Q%C%A$rE,MQ$7$F$$$J$$>l9g$O!";j5^%Q%C%A$rE,MQ$9$k$J$I$NBP=h(B
$B$r9T$J$&$3$H$r$48!F$$/$@$5$$!#(B

  For details, please see the "Related Documents" below.

[$B4XO"J8=q(B]
  Microsoft IIS $B$N@H<e@-$r;H$C$FEAGE$9$k%o!<%`(B
  http://www.jpcert.or.jp/at/2001/at010014.txt

  Microsoft IIS $B%5!<%P$N@H<e@-$r;H$C$FEAGE$9$k(B Worm $B$K4X$9$kCm0U4-5/(B
  http://www.jpcert.or.jp/at/2001/at010013.txt

  Microsoft IIS Index Server $B$K4^$^$l$k@H<e@-$K4X$9$kCm0U4-5/(B
  http://www.jpcert.or.jp/at/2001/at010010.txt

  CERT Advisory CA-2001-23
  Continued Threat of the "Code Red" Worm
  http://www.cert.org/advisories/CA-2001-23.html

  CERT Advisory CA-2001-19
  "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL
  http://www.cert.org/advisories/CA-2001-19.html

  CERT Advisory CA-2001-13
  Buffer Overflow In IIS Indexing Service DLL
  http://www.cert.org/advisories/CA-2001-13.html

  CIAC Bulletin L-117
  The Code Red Worm
  http://www.ciac.org/ciac/bulletins/l-117.shtml

  Microsoft Security Bulletin(MS01-033)
  Index Server ISAPI $B%(%/%9%F%s%7%g%s$NL$%A%'%C%/$N%P%C%U%!$K$h$j(B
                                              Web $B%5!<%P!<$,967b$5$l$k(B
  http://www.microsoft.com/japan/technet/security/prekb.asp?sec_cd=MS01-033


  If you have any information on this matter that you can provide to us,
please contact us.

======================================================================
$B%3%s%T%e!<%?6[5^BP1~%;%s%?!<(B (JPCERT/CC)
TEL: 03-5575-7762  FAX: 03-5575-7764
http://www.jpcert.or.jp/





 >$B!!9BH*$G$9!#(B
 >
 >$B!!2?5$$J$/!"(Bhttpd $B$N%m%0$r8+$F$$$?$i!"$*$+$7$J%(%i!<$,$?$/$5$s$"$j$^$7(B
 >$B$?!#(B
 >
 >a.b.c.d - - [02/Aug/2001:10:29:59 +0900] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN
 >NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
 >NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
 >NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858
 >%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u
 >53ff%u0078%u0000%u00=a  HTTP/1.0" 400 327 "-" "-"
 >
 >$B!!Ip;N$N>p$1!)$GH/9T85(B IP $B$O1#$7$^$7$?$,!"$3$l0J30$K$b$6$C$H8+$?$@$1$G(B
 > 30 $B0J>e!"$_$s$J$3$N(B GET $B$rH/9T$7$F$$$^$9!#:G8e$NE[$O(B IP $B$b$*$+$7$+$C(B
 >$B$?$N$GD4$Y$F$_$k$H!"F2!9$H%5%$%H$,B8:_$7$F$$$k!"0l$D8+$F$d$m$&!"$H;W$C(B
 >$B$?$i!&!&!&!&$I$3$+$G8+$?$3$H$"$k$J$!!&!&!&$J$s$F!#(B
 >
 >$B!!$*$=$i$/(B code red worm $B$K$d$i$l$?%5%$%HC#$H$K$i$s$@$N$G$9$,$I$&$G$7(B
 >$B$g$&!)#87n#1F|0J9_$KMh$F$k$7!#(B
 >
 >There is no actual damage, but the log bloats and it is a nuisance, so I
 >would like to block the bunch that come trying to GET default.ida?, but is
 >there a good way to do it?
 >
 >$B!!$h$m$7$/$*4j$$$7$^$9!#(B
 >
 >$B!!$G$o(B
 >
 >
 >     "..loaded on the road.."
 >  $B9BH*(B  $B9M;K(B : mizohata takashi

