Security Basics mailing list archives
Re: Some rare log entry on our wiki server
From: Joachim Schipper <j.schipper () math uu nl>
Date: Thu, 3 Feb 2005 00:37:56 +0100
On Wed, Feb 02, 2005 at 09:49:10AM +0100, Pere Urbon Bayes wrote:
> I have one LAMP wiki server, and today I found one rare log entry. I was
> looking for it on Google, but it didn't give me any answer!! :<. Does any
> one of you have any idea about it? I'll be very thankful. My log entry was:
>
> GET /SEARCH%20/%5Cx90%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
> 5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
> 5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
> 5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
> 5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
> 5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
> 5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
> 5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
> 5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
> 5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
> 5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
> 5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
> 5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
> 5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
> 5Cxc9%5Cxc9%5C
>
> It's very long, but I didn't post it all. Thanks

It's a buffer overflow attempt, someone trying to crack open your web server. It probably failed, or you wouldn't be seeing this entry!

You can try to look up the specific shellcode used (and logged, above) on the web, though I'd recommend going for the last part - this is probably just a NOOP sled, while the actual code is at the end.

However, I wouldn't worry too much about it. I see such an attempt every couple of days. If you are security conscious, put Apache in a chroot() jail and add mod_security.

Joachim
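
For triaging log entries like the one discussed in this thread, the following added example (not part of the original posts) decodes a logged request URI, finds the longest run of a single filler byte, and returns the bytes that follow it, which is the part the reply suggests looking up. The sample request, the function names and the 32-byte threshold are assumptions; the sample is constructed because the entry posted above is truncated.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample shaped like the logged request: one 0x90, a long run of
# 0xc9 filler, then three placeholder bytes ("ABC") standing in for the tail.
SAMPLE = "/SEARCH%20/%5Cx90" + "%5Cxc9" * 200 + "%5Cx41%5Cx42%5Cx43"

ESCAPE = re.compile(rb"\\x([0-9a-fA-F]{2})")

def decode_logged_uri(uri: str) -> bytes:
    """Undo percent-encoding, then the \\xNN escapes used for raw bytes in the log."""
    raw = unquote_to_bytes(uri)
    return ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)

def longest_run(data: bytes):
    """Return (byte value, start offset, length) of the longest run of one byte."""
    best = (0, 0, 0)
    i = 0
    while i < len(data):
        j = i
        while j < len(data) and data[j] == data[i]:
            j += 1
        if j - i > best[2]:
            best = (data[i], i, j - i)
        i = j
    return best

def triage(uri: str, min_run: int = 32) -> dict:
    """Flag a request whose decoded URI contains a long single-byte filler run."""
    data = decode_logged_uri(uri)
    value, start, length = longest_run(data)
    suspicious = length >= min_run
    return {
        "suspicious": suspicious,
        "filler": value if suspicious else None,
        "run_length": length,
        # Bytes after the filler: the part worth looking up, per the reply above.
        "tail": data[start + length:] if suspicious else b"",
    }

if __name__ == "__main__":
    for uri in (SAMPLE, "/wiki/index.php?title=Main_Page"):
        r = triage(uri)
        print(r["suspicious"], r["run_length"], r["tail"].hex())
```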