Re: Strange log in Apache after webdav-like exploit

[Sebastien Millet <milletse () club-internet fr>]

On Wed, 14 Jul 2004 14:37:26 +1200, Robin <robin () kallisti net nz> wrote
:

> I got a spate of these a while back, but haven't noticed them for a
> while. The content of the non-encoded part of the request tended to be
> a piece of HTML that was located somewhere on the site (although, now
> you mention it, it is quite likely to have been something generated
> with PHP).

I think the content is from a previous page served by the same child
process.

> I checked to see if the same IP addresses had accessed
> anything else on the site, perhaps having the content in a buffer or
> something, but that came back negative. I ended up not getting any
> further with it, got busy, and forgot about it. Didn't consider it
> could be an apache issue.
>
> Anyway, I would have seen it on around apache versions 2.0.47-ish. I
> haven't noticed it on 2.0.50 (I still get the \0x90 parts, but not the
> content at the end.) PHP version around 4.3.7. I could do a more
> comprehensive look at when I saw what in the logs versus what versions
> of apache and PHP I was running at the time, if deemed useful. 

Looks like the 2.0.50 version solved the problem, despite there is no
such entry in the changelog.

Thanks for you answer.