Security Basics mailing list archives

Re: strange httpd error log response


From: "Kenny Holden" <kenny () codez co uk>
Date: Thu, 10 Jun 2004 10:41:10 +0100

Yeah it looks like a buffer overflow... quick google search found this...
http://www.webservertalk.com/message231386.html

"It's a buffer overflow attack, apparently an IIS "WebDav exploit", aimed
at NTDLL.DLL.

See http://www.fatelabs.com/library/fat...ll-analysis.pdf for some
of the details."

This first link provides nice analysis.

This second link is just someone else who posted a bit more info elsewhere...

"http://www.linuxquestions.org/questions/history/174552"

This last link (above) has a tell-tale bit posted: it shows the
\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
(which was also shown here), but then it also shows
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
which is an easily recognisable nop sled.



----- Original Message ----- 
From: <krispykringle () gentoo org>
To: "Ralph Brown" <rbrown () policing net>
Cc: <security-basics () securityfocus com>
Sent: Wednesday, June 09, 2004 10:30 PM
Subject: Re: strange httpd error log response


This is clearly an attempt at exploiting a buffer overflow. I see quite a
lot, and many are unidentified (though many are obvious year-old exploits
for IIS). I have two suggestions: if it's a known vulnerability you know you
are patched for, ignore it. Keep your server up to date, as always.

If you don't recognize it, Google it and see if you find anything. If not,
you can always try that request string yourself and see what happens. If
your server doesn't crash or do anything else funny, you're good (bear in
mind that if the string has malicious shell code embedded in it, it's best
not to send that code while sending the buffer overflow, but by sending an
overflow minus the code, you should still be able to tell if your server
crashes, etc ;).

Anyone, correct me if I'm wrong :)


On Wed, Jun 09, 2004 at 05:28:59AM -0700, Ralph Brown wrote:

I have recently overhauled my server, and am now using Fedora Core 2.
With it came the newest version of Logwatch, 5.1. I have used Logwatch
with RH 9.X, and was very happy with it.
After running Logwatch a few times, I am getting the following message
(report to root). I do not understand it and wonder if it is a bug,
setting error, or ? Please advise and/or explain.
--------------------------------------------------
--------------------- httpd Begin ------------------------
A total of 4 unidentified 'other' records logged
 SEARCH  /
\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x0... (this repeats numerous times...)
---------------------------------------------------
Suggestions please. Thank you in advance!
Ralph
"Forget world peace...
Try using your turnsignal"
~~~~~~~~~~~~~~~~~~~~
Ralph Brown
rbrown () policing net



---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the
skills of an Ethical Hacker to better assess the security of your
organization. Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
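One way to triage log entries like the SEARCH request in this thread automatically, as an added example that is not part of any post above: it decodes the \xNN escapes Apache writes for non-printable request bytes and flags a SEARCH whose URI carries a 0x90 nop sled or one byte pair repeated as filler. The thresholds (sled length, URI length, repeat count) and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import Counter

# Apache logs non-printable request bytes as the four characters "\xNN"; decode before matching.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+)(?: HTTP/[\d.]+)?"')
ESCAPE_RE = re.compile(r'\\x([0-9a-fA-F]{2})')
NOP, SLED_MIN = 0x90, 8         # x86 NOP; a run of 8+ is reported as a nop sled (assumed threshold)
LONG_URI, FILLER_MIN = 256, 16  # suspect SEARCH URI length / repeats needed to call a pair "filler"

def decode_escapes(uri):
    """Turn the \\xNN escapes Apache logged back into the bytes that were sent."""
    return bytes(int(h, 16) for h in ESCAPE_RE.findall(uri))

def longest_run(data, value):
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best

def classify_request(line):
    """Label one access-log line as benign, an overflow attempt, or unparsed."""
    m = REQUEST_RE.search(line)
    if not m:
        return {"verdict": "unparsed"}
    method, uri = m.group("method"), m.group("uri")
    raw = decode_escapes(uri)
    sled = longest_run(raw, NOP)
    # "\x02\xb1" repeated is the thread's filler; count all overlapping pairs to catch others too
    pairs = Counter(raw[i:i + 2] for i in range(len(raw) - 1))
    pair, count = pairs.most_common(1)[0] if pairs else (b"", 0)
    indicators = []
    if method == "SEARCH" and len(uri) > LONG_URI:
        indicators.append("webdav-search-long-uri")
    if sled >= SLED_MIN:
        indicators.append(f"nop-sled-{sled}")
    if count >= FILLER_MIN and pair != bytes([NOP, NOP]):
        indicators.append(f"repeated-filler-{pair.hex()}")
    return {"nop_sled": sled, "filler_pair": pair.hex(), "filler_count": count,
            "indicators": indicators, "verdict": "overflow-attempt" if indicators else "benign"}

# Constructed sample lines (Apache combined format) modelled on the Logwatch
# report above, a SEARCH / followed by \x90\x02\xb1...; not real traffic.
FILLER = "\\x02\\xb1" * 40
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Jun/2004:05:28:59 -0700] "GET /index.html HTTP/1.1" 200 1043',
    '10.0.0.9 - - [09/Jun/2004:05:30:12 -0700] "SEARCH /\\x90' + FILLER + ' HTTP/1.1" 414 0',
    '10.0.0.9 - - [09/Jun/2004:05:30:13 -0700] "SEARCH /' + "\\x90" * 16 + FILLER + ' HTTP/1.1" 414 0',
]
```

Run `classify_request` over each line of a real access_log (not the Logwatch summary) to get the same verdicts for the raw entries; a 414 status on such a request means the server rejected the oversized URI.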
