Security Basics mailing list archives
Re: strange logs
From: David Williams <david () mirvale com au>
Date: Tue, 13 Jul 2004 09:14:37 +1000
flurdoing wrote:
In the future you can use iptables with "string match" to block in/out some of the ugly char requests.

I believe the log you posted illustrates attempts to exploit a buffer overflow in a core MS Windows DLL (CA-2003-09). It is likely a worm operating without the knowledge of the user behind the IP in question. You can probably alert them over the Kazaa network ;)

The bug does not affect Apache, only IIS, thus you should not be too alarmed. However, be advised that I'm only making educated guesses as you did not include the actual page request that the user made. Based on your 'grep' I'm assuming that it is an ugly 32,000 char long request starting with "SEARCH /\x90\x02" etc.

As for the two IPs belonging to the same person, one must ask whether the segment is generally statically or dynamically assigned by the ISP. Also it'd be a good idea to frame your logs with timestamps such that you can determine whether or not an IP change in the event of a dynamic IP is feasible.

Hope that helped,
flurdoing.

On Thu, 2004-07-08 at 19:18, jpc wrote:

Has anyone seen this error (see below) in the Apache log? It appears someone is trying to mess with my server. Notice how the IP changes from 69.209.152.51 to 69.192.139.207; this may be two different people I guess. The first IP is using the same provider as I am. My IP was 69.209.152.xxx at the time. This has been happening since the 4th. Any ideas? I googled the error message and couldn't find much.
Here is some info on the IPs:

nmap 69.209.152.51

Starting nmap 3.45 ( http://www.insecure.org/nmap/ ) at 2004-07-08 15:54 EDT
Interesting ports on adsl-69-209-152-51.dsl.sfldmi.ameritech.net (69.209.152.51):
(The 1650 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE
113/tcp  open     auth
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
559/tcp  open     teedtap
1025/tcp filtered NFS-or-IIS
5000/tcp open     UPnP

nmap 69.192.139.207

Starting nmap 3.45 ( http://www.insecure.org/nmap/ ) at 2004-07-08 16:04 EDT
Interesting ports on CPE001095ca02cb-CM0010954a02cb.cpe.net.cable.rogers.com (69.192.139.207):
(The 1642 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE
80/tcp   open     http
113/tcp  open     auth
135/tcp  filtered msrpc
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
641/tcp  open     unknown
665/tcp  open     unknown
1025/tcp open     NFS-or-IIS
1080/tcp filtered socks
1214/tcp open     fasttrack
1434/tcp filtered ms-sql-m
3531/tcp open     peerenabler
5000/tcp open     UPnP

I went to the site 69.192.139.207 with my browser and a blank page appeared. There seems to be a web server running on it. So I tried this...

telnet 69.192.139.207 80
Trying 69.192.139.207...
Connected to 69.192.139.207.
Escape character is '^]'.
GET index.htm

HTTP/1.0 501 Not Implemented
X-Kazaa-Username: Babie_Gurl
X-Kazaa-Network: KaZaA
X-Kazaa-IP: 69.192.139.207:2692
X-Kazaa-SupernodeIP: 69.70.73.172:2215

Who the hell is Babie_Gurl???
:)

root@www:/var/log/apache# tail -f error_log | grep -v 'x90'
[Thu Jul 8 15:19:36 2004] [error] [client 69.209.152.51] request failed: URI too long
[Thu Jul 8 15:22:44 2004] [error] [client 69.209.152.51] request failed: URI too long
[Thu Jul 8 15:30:55 2004] [error] [client 69.209.152.51] request failed: URI too long
[Thu Jul 8 15:33:39 2004] [error] [client 69.209.152.51] request failed: URI too long
[Thu Jul 8 15:37:05 2004] [error] [client 69.209.152.51] request failed: URI too long
[Thu Jul 8 15:41:01 2004] [error] [client 69.209.152.51] request failed: URI too long
[Thu Jul 8 15:41:26 2004] [error] [client 69.209.152.51] request failed: URI too long
[Thu Jul 8 15:43:17 2004] [error] [client 69.209.152.51] request failed: URI too long
[Thu Jul 8 15:47:41 2004] [error] [client 69.192.139.207] request failed: URI too long
[Thu Jul 8 15:49:56 2004] [error] [client 69.209.152.51] request failed: URI too long
[Thu Jul 8 15:53:34 2004] [error] [client 69.209.152.51] request failed: URI too long
[Thu Jul 8 15:54:02 2004] [error] [client 69.209.152.51] request failed: URI too long

root@www:/var/log/apache# tail -f error_log | grep -v 'x90'
[Thu Jul 8 15:30:55 2004] [error] [client 69.209.152.51] request failed: URI too long
[Thu Jul 8 15:33:39 2004] [error] [client 69.209.152.51] request failed: URI too long
[Thu Jul 8 15:37:05 2004] [error] [client 69.209.152.51] request failed: URI too long
[Thu Jul 8 15:41:01 2004] [error] [client 69.209.152.51] request failed: URI too long
[Thu Jul 8 15:41:26 2004] [error] [client 69.209.152.51] request failed: URI too long
[Thu Jul 8 15:43:17 2004] [error] [client 69.209.152.51] request failed: URI too long
[Thu Jul 8 15:47:41 2004] [error] [client 69.192.139.207] request failed: URI too long
[Thu Jul 8 15:49:56 2004] [error] [client 69.209.152.51] request failed: URI too long
[Thu Jul 8 15:53:34 2004] [error] [client 69.209.152.51] request failed: URI too long
[Thu Jul 8 15:54:02 2004] [error] [client 69.209.152.51] request failed: URI too long
[Thu Jul 8 15:58:41 2004] [error] [client 69.209.152.51] request failed: URI too long
[Thu Jul 8 15:58:53 2004] [error] [client 69.209.152.51] request failed: URI too long

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization.
Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
---------------------------------------------------------------------------
Regards,
David Williams
SecureGate
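The two practical questions in this thread, whether the repeated "URI too long" failures come from one client or two and whether the raw request has the shape of the CA-2003-09 WebDAV probe flurdoing describes, can both be answered mechanically. The script below is an added example, not code from the original thread or from any of the posters. The error_log lines it parses are constructed to mirror the ones jpc quoted (same two client IPs, plus one unrelated line), the request line it classifies is a constructed stand-in with the "SEARCH /\x90..." shape and no payload, the 8190-byte threshold is Apache's default LimitRequestLine, and the function names are the editor's own. Note that Apache's "URI too long" error entry does not record the request itself, which is why flurdoing had to guess; the request-line check assumes you captured the request some other way (a packet capture, for instance).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the Apache 1.3 error_log shape quoted in the thread.
# Not a real capture: the timestamps and IPs are copied from the post, the
# last line is an unrelated error added to show that it is ignored.
SAMPLE_ERROR_LOG = """\
[Thu Jul  8 15:19:36 2004] [error] [client 69.209.152.51] request failed: URI too long
[Thu Jul  8 15:22:44 2004] [error] [client 69.209.152.51] request failed: URI too long
[Thu Jul  8 15:30:55 2004] [error] [client 69.209.152.51] request failed: URI too long
[Thu Jul  8 15:47:41 2004] [error] [client 69.192.139.207] request failed: URI too long
[Thu Jul  8 15:49:56 2004] [error] [client 69.209.152.51] request failed: URI too long
[Thu Jul  8 15:50:10 2004] [error] [client 10.0.0.5] File does not exist: /var/www/html/favicon.ico
"""

# One error_log entry: [timestamp] [level] [client ip] message.
# The day of month may be padded with a second space, hence " +".
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\] "
    r"\[(?P<level>\w+)\] \[client (?P<ip>[\d.]+)\] (?P<msg>.*)$"
)

URI_TOO_LONG = "request failed: URI too long"
LIMIT_REQUEST_LINE = 8190          # Apache's default LimitRequestLine (bytes)
NOP_SLED_RE = re.compile(rb"\x90{32,}")  # a run of x86 NOPs, as in the quoted request


def parse_error_log(text):
    """Return a list of (timestamp, client_ip, level, message) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the Apache error format
        # collapse the padding space so strptime sees "Jul 8", not "Jul  8"
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%a %b %d %H:%M:%S %Y")
        events.append((ts, m.group("ip"), m.group("level"), m.group("msg")))
    return events


def uri_too_long_by_client(events):
    """Per client IP: how many 'URI too long' failures, first/last time, and the
    shortest gap between two of them (None when there is only one)."""
    per_ip = defaultdict(list)
    for ts, ip, _level, msg in events:
        if msg == URI_TOO_LONG:
            per_ip[ip].append(ts)
    summary = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        summary[ip] = {
            "count": len(stamps),
            "first": stamps[0],
            "last": stamps[-1],
            "min_gap_s": min(gaps) if gaps else None,
        }
    return summary


def classify_request_line(raw):
    """Label a raw HTTP request line (bytes) as 'normal', 'oversized',
    'webdav-overflow-probe' or 'malformed'.

    A line longer than LimitRequestLine is what makes Apache log 'URI too long'.
    If on top of that the method is the WebDAV SEARCH verb and the URI starts
    with, or contains a long run of, 0x90 NOPs, it has the shape of the
    CA-2003-09 probe discussed in the thread."""
    parts = raw.split(b" ", 2)
    if len(parts) < 2:
        return "malformed"
    method, uri = parts[0], parts[1]
    if len(raw) > LIMIT_REQUEST_LINE:
        if method == b"SEARCH" and (uri.startswith(b"/\x90") or NOP_SLED_RE.search(uri)):
            return "webdav-overflow-probe"
        return "oversized"
    return "normal"


# Constructed stand-in for the request flurdoing describes: SEARCH, a leading
# slash, then a NOP sled and nothing else. It carries no exploit payload.
SAMPLE_PROBE = b"SEARCH /" + b"\x90" * 9000 + b" HTTP/1.1"

if __name__ == "__main__":
    for ip, info in sorted(uri_too_long_by_client(parse_error_log(SAMPLE_ERROR_LOG)).items()):
        print(f"{ip:16} {info['count']:3} hits  {info['first']:%H:%M:%S}-{info['last']:%H:%M:%S}"
              f"  min gap {info['min_gap_s']}s")
    print("sample request line:", classify_request_line(SAMPLE_PROBE))
```

The per-client summary is what flurdoing's advice about timestamps amounts to: if two IPs hit you in overlapping time windows (69.192.139.207 at 15:47:41 sits between 69.209.152.51 hits at 15:43:17 and 15:49:56 in the quoted log), they cannot be one dynamically re-addressed host, and the nmap output already placed them on different providers. The request-line check is only as good as the capture feeding it; grepping error_log alone will never show you the "SEARCH /\x90" bytes.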
Current thread:
- strange logs jpc (Jul 09)
- Re: strange logs Dave Dearinger (Jul 12)
- Re: strange logs flurdoing (Jul 12)
- Re: strange logs David Williams (Jul 13)