Hi got this in my access log of an apache: 213.47.46.45 - - [18/May/2005:17:17:06 +0200] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\ x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\ xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0 2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\ x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\ xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0 2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 [...snipping most of it...]\x90\x90\x90" 414 348 Dr Google doesn't know anything bout it. Any ideas what sort of attack this is? Thanks Philipp
Philipp Snizek wrote:
Hi
got this in my access log of an apache:
213.47.46.45 - - [18/May/2005:17:17:06 +0200] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\ x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\ xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0 2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\ x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\ xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0 2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 [...snipping most of it...]\x90\x90\x90" 414 348
Dr Google doesn't know anything bout it.
http://www.google.com/search?q=error_log+SEARCH+/%5Cx90&hl=en&lr=&start=10&sa=N
Any ideas what sort of attack this is?
http://www.cert.org/advisories/CA-2003-09.html cheers, Rainer
Philipp, On Wednesday 01 June 2005 09:23, Philipp Snizek wrote:
Hi
got this in my access log of an apache:
213.47.46.45 - - [18/May/2005:17:17:06 +0200] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1 ... [...snipping most of it...]\x90\x90\x90" 414 348
Some sort. It's an attempt to exploit a buffer overflow vulnerability. If your Apache is up-to-date, you're immune to the attack. It may not even be an Apache attack (it could target IIS, e.g.). The worst you'll experience is log file cruft.
Dr Google doesn't know anything bout it.
Any ideas what sort of attack this is?
Thanks Philipp
Randall Schulz
On Wednesday 01 June 2005 18.23, Philipp Snizek wrote:
/\x90\x02\xb1\
My first hit on google with the search string "/\x90\x02\xb1\" gave: http://www.webmasterworld.com/forum39/2173.htm where it states: It's the IIS WebDAV exploit: http://edgeos.com/threats/details.php?id=11413 http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx If you're running Apache on *nix, those lines are just annoying (but can cause problems with Webalizer). If you have IIS, better start patching ASAP! -- /Rikard " Sharing knowledge is the most fundamental act of friendship. Because it is a way you can give something without loosing something." -R. Stallman --------------------------------------------------------------- Rikard Johnels email : rikjoh@norweb.se Mob : +46 763 19 76 25 PGP : 0x461CEE56 ---------------------------------------------------------------
On Wed, Jun 01, 2005 at 09:32:26AM -0700, Randall R Schulz wrote:
Philipp,
On Wednesday 01 June 2005 09:23, Philipp Snizek wrote:
Hi
got this in my access log of an apache:
213.47.46.45 - - [18/May/2005:17:17:06 +0200] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1
Heh, good ol Hex.
It's an attempt to exploit a buffer overflow vulnerability. If your Apache is up-to-date, you're immune to the attack.
Not true. If it's a 0-day updated Apache won't save you.
Dr Google doesn't know anything bout it.
Any ideas what sort of attack this is?
I'm going to agree with Randal here though that it appears to be an buffer overflow. I just woke up though so I'm not going to sit and do all this in my head to see what it's attempting.
Thanks Philipp
Randall Schulz
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
participants (5)
-
Allen
-
Philipp Snizek
-
Rainer Duffner
-
Randall R Schulz
-
Rikard Johnels