Security Incidents mailing list archives
Re: Strange log in Apache after webdav-like exploit
From: Robin <robin () kallisti net nz>
Date: Wed, 14 Jul 2004 14:37:26 +1200
On Tue, 13 Jul 2004 10:42, Sebastien Millet wrote:
> Today I had two of these in my access_log:
>
> xx.xx.xxx.xx - - [12/Jul/2004:22:29:32 +0200] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 (...) \xb1\x02\xb1\x02\xb1\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 (...)
>
> So far, it's the classical webdav exploit, but the end is quite strange:
>
> (...) \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90me - west British Columbia</option><option value=\"America/Whitehorse\"Canada/Whitehorse Pacific Time - south Yukon</option><option value=\"America/Winnipeg\">Canada/Winnipeg Central Time - Manitoba & west Ontario</option><option value=\"America/Yellowknife\"Canada/Yellowknife Mountain Time
I got a spate of these a while back, but haven't noticed them for a while. The content of the non-encoded part of the request tended to be a piece of HTML that was located somewhere on the site (although, now you mention it, it is quite likely to have been something generated with PHP). I checked to see if the same IP addresses had accessed anything else on the site, perhaps having the content in a buffer or something, but that came back negative. I ended up not getting any further with it, got busy, and forgot about it. Didn't consider it could be an Apache issue.

Anyway, I would have seen it on around Apache versions 2.0.47-ish. I haven't noticed it on 2.0.50 (I still get the \x90 parts, but not the content at the end). PHP version around 4.3.7. I could do a more comprehensive look at when I saw what in the logs versus what versions of Apache and PHP I was running at the time, if deemed useful.

-- 
Robin <robin () kallisti net nz>
JabberID: <eythian () jabber org>
Hostes alienigeni me abduxerunt. Qui annus est?
PGP Key 0x776DB663 = DD10 5C62 1E29 A385 9866 0853 CD38 E07A 776D B663
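Both posters are looking at the same artifact: a WebDAV SEARCH request whose body is a run of 0x90 bytes (Apache writes non-printable request bytes to access_log as \xHH escapes) followed by a chunk of readable HTML. The script below is an added example, not code from either poster; it parses constructed access_log lines, undoes Apache's log escaping, measures the longest 0x90 run, and returns the plaintext tail after the sled so the trailing HTML can be compared against what the site actually serves. The 16-byte sled threshold and the sample lines are assumptions, not data from the thread.

```python
"""Scan Apache access_log lines for the WebDAV SEARCH overflow probe
discussed above and recover whatever plaintext follows the NOP sled."""
import re
from typing import List, Optional, Tuple

# Apache common/combined log line. The request field may itself contain
# \" escapes, so match greedily up to the quote that precedes the status.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>.*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Apache escapes non-printable request bytes as \xHH and quotes/backslashes
# as \" and \\ when it writes them to the log; this undoes that.
_ESC_RE = re.compile(r'\\(?:x(?P<hex>[0-9a-fA-F]{2})|(?P<ch>.))', re.S)
_SIMPLE_ESC = {'n': 0x0a, 'r': 0x0d, 't': 0x09, 'b': 0x08, 'v': 0x0b,
               '\\': 0x5c, '"': 0x22}


def unescape_logitem(field: str) -> bytes:
    """Turn an escaped log field back into the raw bytes the client sent."""
    out = bytearray()
    pos = 0
    for m in _ESC_RE.finditer(field):
        out += field[pos:m.start()].encode('latin-1')
        if m.group('hex') is not None:
            out.append(int(m.group('hex'), 16))
        else:
            out.append(_SIMPLE_ESC.get(m.group('ch'), ord(m.group('ch'))))
        pos = m.end()
    out += field[pos:].encode('latin-1')
    return bytes(out)


def longest_run(data: bytes, value: int) -> Tuple[int, int]:
    """Length and end offset of the longest run of `value` in `data`."""
    best_len = best_end = cur = 0
    for i, b in enumerate(data):
        cur = cur + 1 if b == value else 0
        if cur > best_len:
            best_len, best_end = cur, i + 1
    return best_len, best_end


def analyse_line(line: str, min_sled: int = 16) -> Optional[dict]:
    """Parse one log line; `min_sled` (an assumed threshold) is the
    shortest run of 0x90 that is treated as a NOP sled."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    method, _, rest = m.group('request').partition(' ')
    target_esc, sep, _proto = rest.rpartition(' HTTP/')
    if not sep:                      # request without a protocol token
        target_esc = rest
    target = unescape_logitem(target_esc)
    sled_len, sled_end = longest_run(target, 0x90)
    is_probe = method.upper() == 'SEARCH' and sled_len >= min_sled
    return {
        'host': m.group('host'),
        'method': method,
        'status': int(m.group('status')),
        'target_len': len(target),
        'nop_sled': sled_len,
        # Bytes after the sled: the readable HTML both posters noticed.
        'tail': target[sled_end:].decode('latin-1') if is_probe else '',
        'webdav_probe': is_probe,
    }


def scan(lines: List[str], min_sled: int = 16) -> List[dict]:
    """Return the parsed records for lines that look like the probe."""
    hits = []
    for line in lines:
        rec = analyse_line(line, min_sled)
        if rec and rec['webdav_probe']:
            hits.append(rec)
    return hits


# Constructed sample lines (not copied from the thread). The first one keeps
# the shape of the posted entry: a short prefix, a NOP sled, then HTML.
SLED = r'\x90' * 40
SAMPLE_LOG = [
    '10.0.0.1 - - [12/Jul/2004:22:29:32 +0200] "SEARCH /'
    + r'\x90\x02\xb1\x02\xb1' + SLED
    + 'me - west British Columbia</option>'
    + '<option value=\\"America/Whitehorse\\">Canada/Whitehorse HTTP/1.1" 414 0',
    '10.0.0.2 - - [12/Jul/2004:22:30:01 +0200] "GET /index.php HTTP/1.1" 200 1234',
    '10.0.0.3 - - [12/Jul/2004:22:31:10 +0200] "SEARCH / HTTP/1.1" 501 0',
]

if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['host']} {hit['method']} sled={hit['nop_sled']} "
              f"status={hit['status']} tail={hit['tail'][:40]!r}")
```

Run it over a real access_log with `scan(open('access_log').readlines())`; the `tail` field is what to grep for in the site's own pages (or PHP output) to check whether the trailing HTML came from the server itself, which is the question left open in the thread.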
Current thread:
- Strange log in Apache after webdav-like exploit Sebastien Millet (Jul 13)
- Re: Strange log in Apache after webdav-like exploit Robin (Jul 14)
- Re: Strange log in Apache after webdav-like exploit Sebastien Millet (Jul 19)
- Re: Strange log in Apache after webdav-like exploit Robin (Jul 14)