Security Basics mailing list archives
Re: strange logs
From: Dave Dearinger <daved () mdon-line com>
Date: Fri, 09 Jul 2004 11:44:23 -0700
from: http://www.httpsniffer.com/http/100415.htm 10.4.15 414 Request-URI Too LongThe server is refusing to service the request because the Request-URI is longer than the server is willing to interpret. This rare condition is only likely to occur when a client has improperly converted a POST request to a GET request with long query information, when the client has descended into a URI "black hole" of redirection (e.g., a redirected URI prefix that points to a suffix of itself), or when the server is under attack by a client attempting to exploit security holes present in some servers using fixed-length buffers for reading or manipulating the Request-URI.
-Dave Dearinger -Network Administrator -MD-Online Inc. -daved () mdon-line com -1-888-397-3434 =============================Email Confidentiality Notice: The information contained in this transmission is confidential, proprietary or privileged and may be subject to protection under the law, including the Health Insurance Portability and Accountability Act (HIPAA). The message is intended for the sole use of the individual or entity to whom it is addressed. If you are not the intended recipient, you are notified that any use, distribution or copying of the message is strictly prohibited and may subject you to criminal or civil penalties. If you received this transmission in error, please contact the sender immediately by replying to this email and delete the material from any computer.
At 07:18 PM 7/8/2004 -0400, jpc wrote:
Has anyone seen this error (see below)in the apache log. It appears someone is trying to mess with my server.Notice how the ip changes from 69.209.152.51 to 69.192.139.207--this may be twodifferent people I guess. The first ip is using the same provider as I am. My IP was 69.209.152.xxx at the time. This has been happening since the 4th. Any ideas? I googled the error message and couldn't find much. Here is some info on the ip's nmap 69.209.152.51 Starting nmap 3.45 ( http://www.insecure.org/nmap/ ) at 2004-07-08 15:54 EDT Interesting ports on adsl-69-209-152-51.dsl.sfldmi.ameritech.net (69.209.152.51): (The 1650 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 113/tcp open auth 135/tcp filtered msrpc 139/tcp filtered netbios-ssn 445/tcp filtered microsoft-ds 559/tcp open teedtap 1025/tcp filtered NFS-or-IIS 5000/tcp open UPnP nmap 69.192.139.207 Starting nmap 3.45 ( http://www.insecure.org/nmap/ ) at 2004-07-08 16:04 EDT Interesting ports on CPE001095ca02cb-CM0010954a02cb.cpe.net.cable.rogers.com (69.192.139.207): (The 1642 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 80/tcp open http 113/tcp open auth 135/tcp filtered msrpc 137/tcp filtered netbios-ns 138/tcp filtered netbios-dgm 139/tcp filtered netbios-ssn 445/tcp filtered microsoft-ds 641/tcp open unknown 665/tcp open unknown 1025/tcp open NFS-or-IIS 1080/tcp filtered socks 1214/tcp open fasttrack 1434/tcp filtered ms-sql-m 3531/tcp open peerenabler 5000/tcp open UPnP I went to the site 69.192.139.207 with my browser and a blank page appeared. There seems to be a web server running on it. So I tried this... telnet 69.192.139.207 80 Trying 69.192.139.207... Connected to 69.192.139.207. Escape character is '^]'. GET index.htm HTTP/1.0 501 Not Implemented X-Kazaa-Username: Babie_Gurl X-Kazaa-Network: KaZaA X-Kazaa-IP: 69.192.139.207:2692 X-Kazaa-SupernodeIP: 69.70.73.172:2215 Who the hell is Babie_Gurl??? :) root@www:/var/log/apache# tail -f error_log | grep -v 'x90' [Thu Jul 8 15:19:36 2004] [error] [client 69.209.152.51] request failed: URI too long [Thu Jul 8 15:22:44 2004] [error] [client 69.209.152.51] request failed: URI too long [Thu Jul 8 15:30:55 2004] [error] [client 69.209.152.51] request failed: URI too long [Thu Jul 8 15:33:39 2004] [error] [client 69.209.152.51] request failed: URI too long [Thu Jul 8 15:37:05 2004] [error] [client 69.209.152.51] request failed: URI too long [Thu Jul 8 15:41:01 2004] [error] [client 69.209.152.51] request failed: URI too long [Thu Jul 8 15:41:26 2004] [error] [client 69.209.152.51] request failed: URI too long [Thu Jul 8 15:43:17 2004] [error] [client 69.209.152.51] request failed: URI too long [Thu Jul 8 15:47:41 2004] [error] [client 69.192.139.207] request failed: URI too long [Thu Jul 8 15:49:56 2004] [error] [client 69.209.152.51] request failed: URI too long [Thu Jul 8 15:53:34 2004] [error] [client 69.209.152.51] request failed: URI too long [Thu Jul 8 15:54:02 2004] [error] [client 69.209.152.51] request failed: URI too long root@www:/var/log/apache# tail -f error_log | grep -v 'x90' [Thu Jul 8 15:30:55 2004] [error] [client 69.209.152.51] request failed: URI too long [Thu Jul 8 15:33:39 2004] [error] [client 69.209.152.51] request failed: URI too long [Thu Jul 8 15:37:05 2004] [error] [client 69.209.152.51] request failed: URI too long [Thu Jul 8 15:41:01 2004] [error] [client 69.209.152.51] request failed: URI too long [Thu Jul 8 15:41:26 2004] [error] [client 69.209.152.51] request failed: URI too long [Thu Jul 8 15:43:17 2004] [error] [client 69.209.152.51] request failed: URI too long [Thu Jul 8 15:47:41 2004] [error] [client 69.192.139.207] request failed: URI too long [Thu Jul 8 15:49:56 2004] [error] [client 69.209.152.51] request failed: URI too long [Thu Jul 8 15:53:34 2004] [error] [client 69.209.152.51] request failed: URI too long [Thu Jul 8 15:54:02 2004] [error] [client 69.209.152.51] request failed: URI too long [Thu Jul 8 15:58:41 2004] [error] [client 69.209.152.51] request failed: URI too long [Thu Jul 8 15:58:53 2004] [error] [client 69.209.152.51] request failed: URI too long
---------------------------------------------------------------------------Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
Current thread:
- strange logs jpc (Jul 09)
- Re: strange logs Dave Dearinger (Jul 12)
- Re: strange logs flurdoing (Jul 12)
- Re: strange logs David Williams (Jul 13)