[wplug] odd looking entries in httpd-access.log

O'Connor, Michael P. mpoconnor at switch.com
Mon Jun 12 09:44:46 EDT 2006


I will say this: back in 2000 I had the same thing happen, the long, long
repeating character.  I went to one of the IT people in CS at Pitt (I
was still a student back then) and he said that if such a thing was
logged, and I was seeing it, it meant that there was a hacking attempt
but it failed, since a hacker would remove the entry from the log file
to cover their tracks.  As to that statement, I don't know how much truth
there was to it, but it's just some food for thought.


Michael P. O'Connor

US&S 

Office: 412-688-2491 

Cell: 412-498-0667

mpoconnor at switch.com

________________________________

From: wplug-bounces+mpoconnor=switch.com at wplug.org
[mailto:wplug-bounces+mpoconnor=switch.com at wplug.org] On Behalf Of
Daniel McQuay
Sent: Saturday, June 10, 2006 7:34 PM
To: General user list
Subject: Re: [wplug] odd looking entries in httpd-access.log


Right on! I run FreeBSD so I'm not worried either. And after a few
searches I did see a few people mentioning a buffer overrun.

Hey, thanks a lot guys for your insight.

On 6/10/06, Gentgeen <gentgeen at linuxmail.org> wrote:

On Sat, 10 Jun 2006 18:19:25 -0400
Bill Moran <wmoran at potentialtech.com> wrote:

> "Daniel McQuay" <simplebob at gmail.com > wrote:
>
> > Hello List,
> >
> > I was just going through some log files and ran across some weird
> > entries in my httpd-access.log.
> >
> > 71.116.248.152 - - [04/Jun/2006:14:50:13 -0400] "SEARCH
> > /\x90\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9
> > \xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9
> > \xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9
> > \xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9
> > \xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9
> >
> > for this email i left out several lines of this but has any one ever
> > seen this sort of thing before? I suspect that it's some sort of
> > exploit.
>
> It's an attempt to exploit a buffer overflow.  I'm not sure which one,
> but I'm certain a few searches will turn up some exact details.
>
> --
> Bill Moran
>
> Not as deceiving as a low down dirty... deceiver.
>
>       Jayne Cobb
>

Yes, it is a buffer overflow exploit.  Had a similar thing show up on
mine a while back.  Don't remember the exact thing that was repeated,
but basically the same as you have.

Some googling on mine showed me a buffer overflow attack for some
Windows Server bug.  Since mine is a Debian Stable box, I just ignored
it.

Kevin



--
http://gentgeen.homelinux.org

############################################################# 
Associate yourself with men of good quality if you esteem
your own reputation; for 'tis better to be alone than in bad
company.        - George Washington, Rules of Civility
_______________________________________________ 
wplug mailing list
wplug at wplug.org
http://www.wplug.org/mailman/listinfo/wplug




-- 
Daniel McQuay
simplebob at gmail.com
boxster.homelinux.org
H: 814.825.0847
M: 814-341-6233 
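The thread above identifies the request by eye: a \x90 followed by a long run of one repeated byte, sent with an unusual method, is the shape of a buffer-overflow attempt against some other server software. The Python below is an added example, not code from any of the posters, showing how to turn that eyeballing into a check that can be run over a whole httpd-access.log. It undoes Apache's \xNN escaping of the request line (a literal backslash is logged as \\, so it is handled separately), then flags entries by longest repeated-byte run, by fraction of non-printable bytes in the request target, and by method. The thresholds, the set of expected methods, and the three sample log lines (the first modelled on the SEARCH request quoted in the thread, shortened to 48 filler bytes, the others invented with documentation addresses) are all assumptions for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Apache access-log line: client, ident, user, [timestamp] "request" status bytes.
# The request field may contain backslash escapes, so it is matched as
# "anything but an unescaped quote".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)"'
    r'(?: (?P<status>\d{3}|-) (?P<bytes>\d+|-))?'
)

# Apache writes non-printable bytes in the request line as \xNN and a handful
# of characters as C-style escapes (\b \n \r \t \v \\ \").
ESC_RE = re.compile(r'\\(x[0-9a-fA-F]{2}|[bnrtv\\"])')
CTRL = {'b': 0x08, 'n': 0x0a, 'r': 0x0d, 't': 0x09, 'v': 0x0b, '\\': 0x5c, '"': 0x22}


def unescape_request(req: str) -> bytes:
    """Recover the raw request-line bytes from Apache's escaped log form."""
    out = bytearray()
    pos = 0
    for m in ESC_RE.finditer(req):
        out += req[pos:m.start()].encode('latin-1')
        esc = m.group(1)
        out.append(int(esc[1:], 16) if esc[0] == 'x' else CTRL[esc])
        pos = m.end()
    out += req[pos:].encode('latin-1')
    return bytes(out)


def longest_run(data: bytes) -> Tuple[int, int]:
    """Return (byte value, length) of the longest run of one repeated byte."""
    best_val, best_len = -1, 0
    cur_val, cur_len = -1, 0
    for b in data:
        cur_val, cur_len = (b, cur_len + 1) if b == cur_val else (b, 1)
        if cur_len > best_len:
            best_val, best_len = cur_val, cur_len
    return best_val, best_len


def nonprintable_ratio(data: bytes) -> float:
    """Fraction of bytes outside printable ASCII (0x20..0x7e)."""
    if not data:
        return 0.0
    return sum(1 for b in data if b < 0x20 or b > 0x7e) / len(data)


# Methods a plain (non-WebDAV) web server is expected to see; an assumption
# for this example, tune it to what your server actually serves.
EXPECTED_METHODS = {'GET', 'HEAD', 'POST', 'OPTIONS'}


def classify(line: str, run_threshold: int = 32,
             ratio_threshold: float = 0.5) -> Optional[Dict]:
    """Parse one log line and return a verdict dict, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = unescape_request(m['request'])
    parts = raw.split(b' ', 2)
    method = parts[0].decode('latin-1', 'replace')
    target = parts[1] if len(parts) > 1 else b''
    val, run = longest_run(target)
    ratio = nonprintable_ratio(target)
    reasons: List[str] = []
    if run >= run_threshold:
        reasons.append(f'run of {run} x 0x{val:02x}')
    if ratio >= ratio_threshold:
        reasons.append(f'{ratio:.0%} non-printable bytes in request target')
    if method not in EXPECTED_METHODS:
        reasons.append(f'unexpected method {method}')
    return {'ip': m['ip'], 'method': method, 'target_len': len(target),
            'longest_run': (val, run), 'ratio': ratio, 'reasons': reasons}


def suspicious_entries(lines: List[str]) -> List[Dict]:
    """Return verdicts for every line that tripped at least one heuristic."""
    return [v for v in (classify(l) for l in lines) if v and v['reasons']]


# Constructed sample lines (not copied verbatim from the thread); the first
# mimics the SEARCH request quoted above, shortened to 48 filler bytes.
SAMPLE_LINES = [
    '71.116.248.152 - - [04/Jun/2006:14:50:13 -0400] "SEARCH /\\x90'
    + '\\xc9' * 48 + ' HTTP/1.1" 400 0',
    '192.0.2.10 - - [04/Jun/2006:14:51:00 -0400] "GET /index.html HTTP/1.1" 200 1043',
    # A literal backslash is logged as \\, so "\\x41" must not decode to 'A'.
    '192.0.2.11 - - [04/Jun/2006:14:52:00 -0400] "GET /a\\\\x41 HTTP/1.1" 404 208',
]

if __name__ == '__main__':
    for verdict in suspicious_entries(SAMPLE_LINES):
        print(verdict['ip'], verdict['method'], '; '.join(verdict['reasons']))
```

Against the constructed input only the first line is reported, with all three reasons (a 48-byte run of 0xc9, 98% non-printable bytes, and the SEARCH method); the line containing an escaped literal backslash decodes to plain printable text and is left alone. Run it as `python3 scan.py < /dev/null` after replacing SAMPLE_LINES with `sys.stdin` to sweep a real log; the run-length check is the one that catches the pattern in the thread regardless of which filler byte the tool used.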
