Re: strange httpd error log response

[krispykringle () gentoo org]

This is clearly an attempt at exploiting a buffer overflow. I see quite a lot, and many are unidentified (though many 
are obvious year-old exploits for IIS). I have two suggestions: if it's a known vulnerability you know you are patched 
for, ignore it. Keep your server up to date, as always. 

If you don't recognize it, Google it and see if you find anything. If not, you can always try that request string 
yourself and see what happens. If your server doesn't crash or do anything else funny, you're good (bear in mind that 
if the string has malicious shell code embedded in it, it's best not to send that code while sending the buffer 
overflow, but by sending an overflow minus the code, you should still be able to tell if your server crashes, etc ;). 

Anyone, correct me if I'm wrong :)


On Wed, Jun 09, 2004 at 05:28:59AM -0700, Ralph Brown wrote:
> > I have recently overhauled my server, and am now using Fedora Core 2.   
> > With it came the newest version of Logwatch, 5.1. I have used Logwatch  
> > with RH 9.X, and was very happy with it.
> > After running Logwatch a few times, I am getting the following message  
> > (report to root). I do not understand it and wonder if it is a bug,   
> > setting error, or ? Please advise and/or explain.
> > --------------------------------------------------
> > --------------------- httpd Begin ------------------------
> > A total of 4 unidentified 'other' records logged
> >  SEARCH  /  
> > \x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0 
> > 2  
> > \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0 
> > 2  
> > \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0 
> > 2  
> > \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0 
> > 2  
> > \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0 
> > 2  
> > \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0 
> > 2  
> > \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0 
> > 2  
> > \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0 
> > 2  
> > \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0 
> > 2  
> > \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0 
> > 2  
> > \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0 
> > 2  
> > \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0 
> > 2  
> > \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0 
> > 2  
> > \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0 
> > 2 \xb1\x0... (this repeats numerous times...)
> > ---------------------------------------------------
> > Suggestions please. Thank you in advance!
> > Ralph
> > "Forget world peace...
> > Try using your turnsignal"
> > ~~~~~~~~~~~~~~~~~~~~
> > Ralph Brown
> > rbrown () policing net
>
>
> ---------------------------------------------------------------------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
> any course! All of our class sizes are guaranteed to be 10 students or less 
> to facilitate one-on-one interaction with one of our expert instructors. 
> Attend a course taught by an expert instructor with years of in-the-field 
> pen testing experience in our state of the art hacking lab. Master the 
> skills of an Ethical Hacker to better assess the security of your 
> organization. Visit us at: 
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ----------------------------------------------------------------------------

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------