Re: Apache attacks

[Micheal Cottingham <security () michealcottingham com>]

SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1 ...

Did it look something like that? (noop sled follows somewhere in there). 
If so, http://indrayam.com/archives/security/000239.php is what I found 
a few days ago when I had a user asking for information on this. Seems 
to be an IIS exploit making rounds again from 2003. Figured I might as 
well do something resembling usefulness on this list as I too have been 
a long time reader. :P

Bernie Johnson wrote:

> Kenny,
>
> Look at www.rfxnetworks.com and get APF, BFD and look at the other
> scripts there.  This should od what you want and need.
>
> B. Johnson
>
>
>
> On Wed, 2005-01-26 at 15:56, Kenny wrote:
>  
>
> > Hi List,
> >
> > Long time reader, first time poster...
> >
> > My server crashed yesturday and I had to restart it, to get it going 
> > again. Now everything seems ok, however looking at my 
> > /var/log/httpd/access_log.1 shows a visitor to the website posting some 
> > big chunks of exploit code (containing a massive nop sled).
> > How do I know if this attacker actually got in or not?
> >
> > This is a redhat fedora core 2 box, and I would describe myself as an 
> > "intermediate" linux user.
> >
> > Also, has anyone got any scripts that can detect attacks against apache 
> > and ban the ip for a period of time?
> >
> > I will post the exploit on request.
> >
> > Thanks, Kenny
> >