Security Basics mailing list archives
Re: strange httpd error log response
From: "Kenny Holden" <kenny () codez co uk>
Date: Thu, 10 Jun 2004 10:41:10 +0100
Yeah, it looks like a buffer overflow... A quick Google search found this:

http://www.webservertalk.com/message231386.html

"It's a buffer overflow attack, apparently an IIS "WebDav exploit", aimed at NTDLL.DLL. See http://www.fatelabs.com/library/fat...ll-analysis.pdf for some of the details."

This first link provides a nice analysis. This second link is just someone else who posted a bit more info elsewhere:

http://www.linuxquestions.org/questions/history/174552

This last link (above) has a tell-tale bit posted: it shows the \x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 (which was also shown here), but then it also shows \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90, which is an easily recognisable NOP sled.

----- Original Message -----
From: <krispykringle () gentoo org>
To: "Ralph Brown" <rbrown () policing net>
Cc: <security-basics () securityfocus com>
Sent: Wednesday, June 09, 2004 10:30 PM
Subject: Re: strange httpd error log response
This is clearly an attempt at exploiting a buffer overflow. I see quite a lot, and many are unidentified (though many are obvious year-old exploits for IIS). I have two suggestions: if it's a known vulnerability you know you are patched for, ignore it. Keep your server up to date, as always.

If you don't recognize it, Google it and see if you find anything. If not, you can always try that request string yourself and see what happens. If your server doesn't crash or do anything else funny, you're good (bear in mind that if the string has malicious shell code embedded in it, it's best not to send that code while sending the buffer overflow, but by sending an overflow minus the code, you should still be able to tell if your server crashes, etc. ;).

Anyone, correct me if I'm wrong :)

On Wed, Jun 09, 2004 at 05:28:59AM -0700, Ralph Brown wrote:

I have recently overhauled my server, and am now using Fedora Core 2. With it came the newest version of Logwatch, 5.1. I have used Logwatch with RH 9.X, and was very happy with it. After running Logwatch a few times, I am getting the following message (report to root). I do not understand it and wonder if it is a bug, setting error, or ? Please advise and/or explain.

--------------------------------------------------
--------------------- httpd Begin ------------------------

A total of 4 unidentified 'other' records logged
SEARCH / \x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x0... (this repeats numerous times...)
---------------------------------------------------

Suggestions please. Thank you in advance!

Ralph

"Forget world peace... Try using your turnsignal"
~~~~~~~~~~~~~~~~~~~~
Ralph Brown
rbrown () policing net

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the
skills of an Ethical Hacker to better assess the security of your
organization. Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
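The thread identifies the request by eye: a SEARCH method, the \x02\xb1 filler, and a run of \x90 that Kenny calls out as a NOP sled. The script below turns those three observations into detection logic that runs over Apache access_log lines. It is an added example, not code from any of the posters or from Logwatch. It relies on the fact that Apache writes non-printable request bytes as \xNN escapes (the form the Logwatch report shows) and decodes them back to bytes before testing. The sample log lines are constructed for illustration, the thresholds (8 bytes of 0x90, 8 repeats of a 2-byte filler) are assumptions, and the detector is deliberately more general than the one request in the thread: it also flags a NOP sled arriving in any other method or path.

```python
"""Flag httpd requests that look like the WebDAV/ntdll-style probe in the thread.

Added example, not from the original posts. It works on Apache access_log
text, where non-printable request bytes appear as \\xNN escapes (the form
the Logwatch report shows), decodes them back to bytes, and reports three
indicators: a SEARCH request carrying non-printable bytes, a run of 0x90
(NOP sled), and a long back-to-back repeat of a 2-byte filler such as
\\x02\\xb1. Thresholds are assumptions chosen for illustration.
"""
import re
from collections import Counter

# Constructed sample lines in Apache common log format; not real traffic.
# RFC 5737 documentation addresses are used for the sources.
SAMPLE_LOG = r"""
192.0.2.10 - - [09/Jun/2004:05:10:22 -0700] "GET /index.html HTTP/1.1" 200 1043
192.0.2.55 - - [09/Jun/2004:05:12:03 -0700] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1 HTTP/1.1" 414 329
192.0.2.55 - - [09/Jun/2004:05:12:04 -0700] "SEARCH /\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 HTTP/1.1" 414 329
192.0.2.77 - - [09/Jun/2004:05:15:40 -0700] "PROPFIND /docs/ HTTP/1.1" 405 0
198.51.100.3 - - [09/Jun/2004:05:20:01 -0700] "GET /cgi-bin/\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 HTTP/1.0" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S*) ?(?P<proto>[^"]*)" (?P<status>\d{3}) \S+'
)
ESCAPE_RE = re.compile(r'\\x([0-9a-fA-F]{2})')

NOP_SLED_MIN = 8      # assumed: 8+ consecutive 0x90 bytes counts as a sled
FILLER_REPEATS = 8    # assumed: a 2-byte pattern repeated 8+ times counts as filler
FILLER_RE = re.compile(rb'(..)\1{%d,}' % (FILLER_REPEATS - 1), re.DOTALL)


def unescape_target(target):
    """Turn Apache's \\xNN escapes back into raw bytes (other chars are kept as-is)."""
    out = bytearray()
    pos = 0
    for m in ESCAPE_RE.finditer(target):
        out += target[pos:m.start()].encode('latin-1')
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += target[pos:].encode('latin-1')
    return bytes(out)


def longest_run(data, value):
    """Length of the longest run of consecutive bytes equal to `value`."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


def analyze_line(line):
    """Return a finding dict for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    raw = unescape_target(m['target'])
    reasons = []
    nonprintable = any(b < 0x20 or b >= 0x7f for b in raw)
    if m['method'].upper() == 'SEARCH' and nonprintable:
        reasons.append('SEARCH with non-printable bytes')
    sled = longest_run(raw, 0x90)
    if sled >= NOP_SLED_MIN:
        reasons.append(f'{sled}-byte NOP sled')
    for fm in FILLER_RE.finditer(raw):
        if fm.group(1) != b'\x90\x90':      # the sled is already reported above
            reasons.append(f'filler pattern {fm.group(1).hex()} x{len(fm.group(0)) // 2}')
            break
    return {'ip': m['ip'], 'ts': m['ts'], 'method': m['method'],
            'status': m['status'], 'reasons': reasons}


def scan_log(text):
    """Return findings for every line that triggered at least one indicator."""
    hits = []
    for line in text.splitlines():
        f = analyze_line(line)
        if f and f['reasons']:
            hits.append(f)
    return hits


def by_source(findings):
    """Count suspicious requests per source IP."""
    return Counter(f['ip'] for f in findings)


if __name__ == '__main__':
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ip']:<14} {h['method']:<8} {h['status']} {'; '.join(h['reasons'])}")
    print(dict(by_source(hits)))
```

To run it against a real server, pass the contents of access_log to scan_log() instead of SAMPLE_LOG. On the sample data the two SEARCH requests and the \x90-filled GET are reported and the PROPFIND and the ordinary GET are not; the per-source count is what you would use to decide whether a single host is worth blocking, which is a cheaper response than replaying the request against your own server as the reply above suggests.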
Current thread:
- strange httpd error log response Ralph Brown (Jun 09)
- Re: strange httpd error log response Ricardo Oliva (Jun 09)
- Re: strange httpd error log response krispykringle (Jun 10)
- Re: strange httpd error log response Kenny Holden (Jun 10)
- Re: strange httpd error log response Alan McLean (Jun 10)
- Re: strange httpd error log response Arturas Zalenekas (Jun 10)
- Re: strange httpd error log response Gautam R. Singh (Jun 13)
- Re: strange httpd error log response Bugtraq - GS (Jun 11)