[wplug] odd looking entries in httpd-access.log

Gentgeen gentgeen at linuxmail.org
Sat Jun 10 19:21:13 EDT 2006


On Sat, 10 Jun 2006 18:19:25 -0400
Bill Moran <wmoran at potentialtech.com> wrote:

> "Daniel McQuay" <simplebob at gmail.com> wrote:
> 
> > Hello List,
> > 
> > I was just going through some log files and ran across some weird
> > entries in my httpd-access.log.
> > 
> > 71.116.248.152 - - [04/Jun/2006:14:50:13 -0400] "SEARCH
> > /\x90\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\x
> > c9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\
> > xc9\xc9\xc9\xc9\xc9
> > \xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc
> > 9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\x
> > c9\xc9\xc9\xc9\xc9
> > 
> > For this email I left out several lines of this, but has anyone ever
> > seen this sort of thing before? I suspect that it's some sort of
> > exploit.
> 
> It's an attempt to exploit a buffer overflow.  I'm not sure which one,
> but I'm certain a few searches will turn up some exact details.
> 
> -- 
> Bill Moran
> 
> Not as deceiving as a low down dirty... deceiver.
> 
> 	Jayne Cobb
> 

Yes it is a buffer overflow exploit.  Had a similar thing show up on
mine a while back.  Don't remember the exact thing that was repeated,
but basically the same as you have.

Some googling on mine showed me a buffer overflow attack for some
Windows Server bug.  Since mine is a Debian Stable box, I just ignored
it.

Kevin



-- 
http://gentgeen.homelinux.org

#############################################################
 Associate yourself with men of good quality if you esteem    
 your own reputation; for 'tis better to be alone than in bad 
 company.        - George Washington, Rules of Civility
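
An added example, not part of the original thread: a small Python filter that flags access-log entries like the one quoted above, where the request uses an unexpected method or carries a long unbroken run of `\xNN` escapes. The function names, the `min_run` threshold, the `COMMON_METHODS` set and both sample log lines are assumptions constructed for illustration.

```python
import re

# Apache-style access log prefix: host ident user [time] "request ...
# The closing quote is optional here because oversized requests are often truncated.
LINE_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>.*)')
# Non-printable request bytes appear in the log as literal \xNN escapes.
ESCAPE_RE = re.compile(r'(?:\\x[0-9a-fA-F]{2})+')
# Assumption: methods this site legitimately serves; adjust for WebDAV hosts.
COMMON_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}

def longest_escape_run(text):
    """Return the length, in bytes, of the longest unbroken run of escapes."""
    return max((len(m.group(0)) // 4 for m in ESCAPE_RE.finditer(text)), default=0)

def flag_line(line, min_run=16):
    """Return a finding dict for a suspicious log line, or None if it looks normal."""
    m = LINE_RE.match(line)
    if not m:
        return None
    request = m.group("request")
    method = request.split(" ", 1)[0]
    run = longest_escape_run(request)
    reasons = []
    if method not in COMMON_METHODS:
        reasons.append("unexpected method")
    if run >= min_run:
        reasons.append("long escaped-byte run")
    if not reasons:
        return None
    return {"host": m.group("host"), "time": m.group("time"),
            "method": method, "run": run, "reasons": reasons}

def scan(lines, min_run=16):
    """Collect findings for every suspicious line in an iterable of log lines."""
    return [f for f in (flag_line(l, min_run) for l in lines) if f]

# Constructed sample input, modelled on the shape of the entry in the thread.
SAMPLE_LINES = [
    r'203.0.113.5 - - [04/Jun/2006:14:50:13 -0400] "SEARCH /\x90' + r'\xc9' * 40 + '" 501 333',
    '192.0.2.10 - - [04/Jun/2006:14:51:02 -0400] "GET /index.html HTTP/1.1" 200 1234',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding)
```

Counting hits per source host and per day from `scan()` output shows whether such probes are background noise or a sustained attempt against one server.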

