Re: strange logs

[Dave Dearinger <daved () mdon-line com>]

from: http://www.httpsniffer.com/http/100415.htm
10.4.15 414 Request-URI Too Long

The server is refusing to service the request because the Request-URI is 
longer than the server is willing to interpret. This rare condition is only 
likely to occur when a client has improperly converted a POST request to a 
GET request with long query information, when the client has descended into 
a URI "black hole" of redirection (e.g., a redirected URI prefix that 
points to a suffix of itself), or when the server is under attack by a 
client attempting to exploit security holes present in some servers using 
fixed-length buffers for reading or manipulating the Request-URI.


-Dave Dearinger
-Network Administrator
-MD-Online Inc.
-daved () mdon-line com
-1-888-397-3434
=============================
Email Confidentiality Notice: The information contained in this 
transmission is confidential, proprietary or privileged and may be subject 
to protection under the law, including the Health Insurance Portability and 
Accountability Act (HIPAA). The message is intended for the sole use of the 
individual or entity to whom it is addressed. If you are not the intended 
recipient, you are notified that any use, distribution or copying of the 
message is strictly prohibited and may subject you to criminal or civil 
penalties. If you received this transmission in error, please contact the 
sender immediately by replying to this email and delete the material from 
any computer.

At 07:18 PM 7/8/2004 -0400, jpc wrote:
> Has anyone seen this error (see below)in the apache log.
> It appears someone is trying to mess with my server.
> Notice how the ip changes from 69.209.152.51 to 69.192.139.207--this may 
> be two
> different people I guess.
> The first ip is using the same provider as I am. My IP was 69.209.152.xxx at
> the time.
> This has been happening since the 4th.
> Any ideas? I googled the error message and couldn't find much.
>
> Here is some info on the ip's
>
> nmap 69.209.152.51
>
> Starting nmap 3.45 ( http://www.insecure.org/nmap/ )
> at 2004-07-08 15:54 EDT
> Interesting ports on adsl-69-209-152-51.dsl.sfldmi.ameritech.net
> (69.209.152.51):
> (The 1650 ports scanned but not shown below are in state: closed)
> PORT     STATE    SERVICE
> 113/tcp  open     auth
> 135/tcp  filtered msrpc
> 139/tcp  filtered netbios-ssn
> 445/tcp  filtered microsoft-ds
> 559/tcp  open     teedtap
> 1025/tcp filtered NFS-or-IIS
> 5000/tcp open     UPnP
>
>
> nmap 69.192.139.207
>
> Starting nmap 3.45 ( http://www.insecure.org/nmap/ )
> at 2004-07-08 16:04 EDT
> Interesting ports on CPE001095ca02cb-CM0010954a02cb.cpe.net.cable.rogers.com
> (69.192.139.207):
> (The 1642 ports scanned but not shown below are in state: closed)
> PORT     STATE    SERVICE
> 80/tcp   open     http
> 113/tcp  open     auth
> 135/tcp  filtered msrpc
> 137/tcp  filtered netbios-ns
> 138/tcp  filtered netbios-dgm
> 139/tcp  filtered netbios-ssn
> 445/tcp  filtered microsoft-ds
> 641/tcp  open     unknown
> 665/tcp  open     unknown
> 1025/tcp open     NFS-or-IIS
> 1080/tcp filtered socks
> 1214/tcp open     fasttrack
> 1434/tcp filtered ms-sql-m
> 3531/tcp open     peerenabler
> 5000/tcp open     UPnP
>
>
> I went to the site 69.192.139.207 with my browser and a blank page appeared.
> There seems to be a web server running on it. So I tried this...
>
> telnet 69.192.139.207 80
> Trying 69.192.139.207...
> Connected to 69.192.139.207.
> Escape character is '^]'.
> GET index.htm
> HTTP/1.0 501 Not Implemented
> X-Kazaa-Username: Babie_Gurl
> X-Kazaa-Network: KaZaA
> X-Kazaa-IP: 69.192.139.207:2692
> X-Kazaa-SupernodeIP: 69.70.73.172:2215
>
> Who the hell is Babie_Gurl??? :)
>
>
>
>
>
>
>
> root@www:/var/log/apache# tail -f  error_log | grep -v 'x90'
>
> [Thu Jul  8 15:19:36 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:22:44 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:30:55 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:33:39 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:37:05 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:41:01 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:41:26 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:43:17 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:47:41 2004] [error] [client 69.192.139.207] request failed: URI
> too long
> [Thu Jul  8 15:49:56 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:53:34 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:54:02 2004] [error] [client 69.209.152.51] request failed: URI
> too long
>
> root@www:/var/log/apache# tail -f  error_log | grep -v 'x90'
> [Thu Jul  8 15:30:55 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:33:39 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:37:05 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:41:01 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:41:26 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:43:17 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:47:41 2004] [error] [client 69.192.139.207] request failed: URI
> too long
> [Thu Jul  8 15:49:56 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:53:34 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:54:02 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:58:41 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:58:53 2004] [error] [client 69.209.152.51] request failed: URI
> too long


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------