Apache log probe?
David A. Bandel
david
Mon May 17 11:55:50 PDT 2004
On Wed, 19 Nov 2003 17:07:54 -0800
Ken Moffat <kmoffat at drizzle.com> wrote:
> Anyone have a clue.... ?
>
> What is this, from my apache/access.log?
>
> 217.210.77.107 - - [19/Nov/2003:02:07:29 -0800] "SEARCH
> /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
> \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\
> x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\
> xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x
> 02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x
> b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
> 2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
> 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
> \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1
>
> [very large SNIP]
>
> x90\x90\x90\x90\x90" 414 337 "-" "-"
>
> This happened twice only this morning.
Somewhere in that very large snip, you should have found something like:
/bin/sh or command.exe or something. This is typical of a buffer
overflow exploit.
Ciao,
David A. Bandel
--
Focus on the dream, not the competition.
Nemesis Racing Team motto
GPG key autoresponder: mailto:david_key at pananix.com
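One way to triage access-log entries like the one quoted in this thread, as an added example that is not part of the original messages: it parses Apache combined-format lines and reports the traits visible in the quoted request (unusual method, many `\xhh` escapes, a run of `\x90`, status 414) plus the shell strings the reply mentions. The sample lines, thresholds, `cmd.exe` marker and function names are assumptions made for this example.

```python
import re

# Apache combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>.*)" (?P<status>\d{3}) (?P<size>\S+) "[^"]*" "[^"]*"$'
)
ESCAPED_BYTE = re.compile(r'\\x([0-9a-fA-F]{2})')  # how Apache logs non-printable bytes
COMMON_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}
SHELL_MARKERS = (b"/bin/sh", b"command.exe", b"cmd.exe")  # first two are from the reply

# Constructed sample lines (documentation addresses, shortened payload).
SAMPLE = [
    '192.0.2.10 - - [19/Nov/2003:02:07:29 -0800] "SEARCH /\\x90'
    + '\\x02\\xb1' * 30 + '\\x90' * 5 + '" 414 337 "-" "-"',
    '192.0.2.11 - - [19/Nov/2003:02:08:01 -0800] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
]


def decode_escapes(text):
    """Turn Apache's \\xhh escapes back into raw bytes."""
    decoded = ESCAPED_BYTE.sub(lambda m: chr(int(m.group(1), 16)), text)
    return decoded.encode("latin-1", errors="replace")


def analyze(line, min_escaped=20, min_run=5):
    """Return the reasons a request looks like an overflow probe (empty list if none)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return ["unparseable line"]
    request = m.group("request")
    method = request.split(" ", 1)[0]
    raw = decode_escapes(request)
    reasons = []
    if method not in COMMON_METHODS:
        reasons.append(f"unusual method {method}")
    if len(ESCAPED_BYTE.findall(request)) >= min_escaped:
        reasons.append("many escaped non-printable bytes")
    if b"\x90" * min_run in raw:  # 0x90 is the x86 NOP opcode, common padding in overflow payloads
        reasons.append("run of 0x90 bytes")
    if m.group("status") == "414":
        reasons.append("414 Request-URI Too Long")
    reasons += [f"contains {s.decode()}" for s in SHELL_MARKERS if s in raw.lower()]
    return reasons


if __name__ == "__main__":
    for entry in SAMPLE:
        print(entry[:60], "->", analyze(entry) or "clean")
```

A 414 status on such a request means the server rejected the URI as too long rather than processing it.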