Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Apache 1.3.XX

From: Blake Frantz <blake () mc net>
Date: Fri, 1 Feb 2002 14:53:35 -0600 (CST)

What was the full URI ?  Are you sure it wasn't some box infected with
Code Red II or the like ?

On a side note, how could this vulnerability yeild a root shell when
apache isn't/shouldn't be running as root.

-Blake

On 1 Feb 2002, Russell Fulton wrote:


On Fri, 2002-02-01 at 10:30, Russell Fulton wrote:



Hmmm.... we saw an attack two days ago against an apache server which 
consisted of GETs and POST followed by long strings of Xs followed by shell
code.  


I have just got the logs from the admin and I find I lied, no shell code
was logged by apache, just the long string of 'X'S (about 8186 of them).
So either there was no shell code or apache truncated the string when it
logged it.

Apologies for the confusion.

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com





----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: