JuNix Apprentice
Joined: 05 Mar 2003 Posts: 226 Location: Sheffield
|
Posted: Tue Jan 29, 2008 9:28 am Post subject: Curious apache access.log entry |
|
|
I don't know what to make of this. A hacking attempt, no doubt, but they didn't get very far.
Code: | 82.165.182.205 - - [23/Jan/2008:21:30:57 +0000] "POST /unauthenticated//..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/shells HTTP/1.1" 404 612 |
Does some sort of buffer overflow vulnerability exist with Apache? I can't find it mentioned anywhere. |
downer Tux's lil' helper
Joined: 20 Sep 2007 Posts: 120 Location: sweden
|
Posted: Tue Jan 29, 2008 9:56 am Post subject: |
|
|
I got something similar about a week ago:
Code: | access.log.1:86.124.229.21 - - [21/Jan/2008:19:07:21 +0100] "SEARCH /\x90\x04H\x04H\x04H\x04
H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\
x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x0
4H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H
\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x
04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04
H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\*snip* |
and so on for pages, ending with:
Code: | *snip*\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 414 367 "-" "-"
|
didn't seem to bother my apache.
//D _________________ HP dv6500 (dv6501eo) Laptop and Dell Latitude E6420 work puter;
both running Gentoo x86_64 quite successfully. |
di1bert l33t
Joined: 16 May 2002 Posts: 963 Location: Oslo, Norway
|
Posted: Tue Jan 29, 2008 10:13 am Post subject: |
|
|
It's shell code of some sort. I get it every now and again on my servers. I think it's mostly aimed
at IIS servers.
Just make sure you're up to date with your GLSA stuff and you should be alright.
Code: |
# -s sets the subject; without it "Security Updates" is taken as a recipient
glsa-check -l affected -n | mail -s "Security Updates" you@yourdomain.com
|
-m |
JuNix Apprentice
Joined: 05 Mar 2003 Posts: 226 Location: Sheffield
|
Posted: Tue Jan 29, 2008 12:17 pm Post subject: |
|
|
It didn't bother my apache, but it was a definite attempt to look in /etc/shells - not an IIS attack in this case. I wonder if it's a new vulnerability? |
downer Tux's lil' helper
Joined: 20 Sep 2007 Posts: 120 Location: sweden
|
Posted: Tue Jan 29, 2008 12:20 pm Post subject: |
|
|
If it's in the hands of the dreaded script kiddies I'd say it's quite old
//D |
|
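A triage sketch for the kind of entries quoted in this thread, as an added example that is not part of the original posts: it flags long `..%XX/` chains, runs of escaped `\x90` bytes, uncommon methods and 414 responses, and marks a hit for review only when the server did not answer with an error. The sample lines are constructed, shortened imitations of the two quoted entries using documentation-range addresses; `classify`, `triage`, the thresholds and the method list are assumptions.

```python
import re

# Apache access.log prefix: host ident user [time] "request" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(.*?)" (\d{3}) \S+')
# Three or more "../" steps, optionally with an encoded byte after the dots ("..%01/")
TRAVERSAL_RE = re.compile(r'(?:\.\.(?:%[0-9a-fA-F]{2})?[/\\]){3,}')
# Apache logs non-printable bytes as \xHH; 16+ consecutive 0x90 bytes is padding, not a path
NOP_RUN_RE = re.compile(r'(?:\\x90){16,}')
COMMON_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}  # assumption: adjust per site

# Constructed, shortened imitations of the two quoted entries plus one normal request
SAMPLE = [
    '192.0.2.10 - - [23/Jan/2008:21:30:57 +0000] "POST /unauthenticated//'
    + '..%01/' * 20 + 'etc/shells HTTP/1.1" 404 612',
    '198.51.100.7 - - [21/Jan/2008:19:07:21 +0100] "SEARCH /\\x90'
    + '\\x04H' * 40 + '\\x90' * 40 + '" 414 367 "-" "-"',
    '203.0.113.5 - - [29/Jan/2008:09:28:00 +0000] "GET /index.html HTTP/1.1" 200 1043',
]

def classify(line):
    """Return (client, status, tags) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, request, status = m.groups()
    method, _, target = request.partition(" ")
    tags = []
    if TRAVERSAL_RE.search(target):
        tags.append("dot-dot traversal")
    if NOP_RUN_RE.search(target):
        tags.append("0x90 run")
    if method not in COMMON_METHODS:
        tags.append("unusual method " + method)
    if status == "414":
        tags.append("URI too long")
    return client, int(status), tags

def triage(lines):
    """Return (client, status, tags, needs_review) for every flagged line."""
    hits = []
    for line in lines:
        parsed = classify(line)
        if parsed and parsed[2]:
            client, status, tags = parsed
            # A 4xx/5xx answer means the server refused the probe; anything else
            # means it served something for a flagged request and should be read.
            hits.append((client, status, tags, status < 400))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```

Lines copied out of `grep` output, like the `access.log.1:` prefix in the second quoted entry, keep that prefix in the client field unless it is stripped first.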