Security Incidents mailing list archives
Strange log in Apache after webdav-like exploit
From: Sebastien Millet <milletse () club-internet fr>
Date: Tue, 13 Jul 2004 00:42:55 +0200
Hello, Today i had two of these in my access_log : xx.xx.xxx.xx - - [12/Jul/2004:22:29:32 +0200] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 (...) \xb1\x02\xb1\x02\xb1\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x9 0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 (...) So far, it's the classical webdav exploit, but the end is quite strange : (...) \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9 0\x90\x90\x90\ x90\x90\x90\x90\x90\x90\x90\x90\x90\x90me - west British Columbia</option><option value=\"America/ Whitehorse\"
Canada/Whitehorse Pacific Time - south Yukon</option><option value=\"America/Winnipe
g\" >Canada/Winnipeg Central Time - Manitoba & west Ontario</option><option value=\"America/Yellow knife\"
Canada/Yellowknife Mountain Time
(...) option value=\"America/Guadeloupe\"> Guadeloupe/Guadeloupe</option><HTTP/1.0" 414 250 The end of the logged request contains about 4KB of a recent huge (68k) served php page. Apache is 2.0.49, PHP is 4.3.7. Do you know where this could come from ? To myself, it looks like a buffer overflow in the logging part. I wasn't able to reproduce the problem with a custom long URI nor the webdav exploit consisting of 64k \x90, each time the request is cut at the URI limit and Apache answers 414. Thanks.
Current thread:
- Strange log in Apache after webdav-like exploit Sebastien Millet (Jul 13)
- Re: Strange log in Apache after webdav-like exploit Robin (Jul 14)
- Re: Strange log in Apache after webdav-like exploit Sebastien Millet (Jul 19)
- Re: Strange log in Apache after webdav-like exploit Robin (Jul 14)