[wplug] odd looking entries in httpd-access.log

Bill Moran wmoran at potentialtech.com
Mon Jun 12 09:57:32 EDT 2006


On Mon, 12 Jun 2006 09:44:46 -0400
"O'Connor, Michael P." <mpoconnor at switch.com> wrote:

> I will say this, back in 2000 I had the same thing happen, the long, long
> repeating character.  I went to one of the IT people in CS at pitt (I
> was still a student back then) and he said that if such a thing was
> logged, and I was seeing it, it means that there was a hacking attempt
> but it failed, since a hacker would remove the entry from the log file,
> to cover their tracks.  To that statement I don't know how much truth
> there was to it, but just some food for thought. 

That's extremely optimistic.  You're assuming that the person attempting
to break in never forgets to do anything ;).  It's also possible that
the attack doesn't allow the attacker enough access to clear the logs --
a successful attack may only give them limited access, not enough to
cover their tracks.

In practice, I think your professor is right 90% of the time, but it's
not a Law of Breakin Attempts.  CMU did a lot of research and found that
a large percentage of folks who successfully break in don't really know
what to do once they've succeeded.

You should assume the worst.

> From: wplug-bounces+mpoconnor=switch.com at wplug.org
> [mailto:wplug-bounces+mpoconnor=switch.com at wplug.org] On Behalf Of
> Daniel McQuay
> Sent: Saturday, June 10, 2006 7:34 PM
> To: General user list
> Subject: Re: [wplug] odd looking entries in httpd-access.log
> 
>  
> 
> Right on! I run FreeBSD so I'm not worried either. And after a few
> searches I did see a few people mentioning a buffer overrun. 
> 
> hey thanks a lot guys for your insight.
> 
> On 6/10/06, Gentgeen <gentgeen at linuxmail.org> wrote:
> 
> On Sat, 10 Jun 2006 18:19:25 -0400
> Bill Moran <wmoran at potentialtech.com> wrote:
> 
> > "Daniel McQuay" <simplebob at gmail.com > wrote:
> >
> > > Hello List,
> > >
> > > I was just going through some log files and ran across some weird
> > > entries in my httpd-access.log.
> > >
> > > 71.116.248.152 - - [04/Jun/2006:14:50:13 -0400] "SEARCH
> > > /\x90\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\x
> > > c9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\ 
> > > xc9\xc9\xc9\xc9\xc9
> > > \xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc
> > > 9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\x
> > > c9\xc9\xc9\xc9\xc9 
> > >
> > > for this email i left out several lines of this but has any one ever
> > > seen this sort of thing before? I suspect that it's some sort of
> > > exploit.
> >
> > It's an attempt to exploit a buffer overflow.  I'm not sure which one,
> > but I'm certain a few searches will turn up some exact details.
> >
> > --
> > Bill Moran
> >
> > Not as deceiving as a low down dirty... deceiver.
> >
> >       Jayne Cobb
> >
> 
> Yes it is a buffer overflow exploit.  Had a similar thing show up on
> mine a while back.  Don't remember the exact thing that was repeated,
> but basically the same as you have.
> 
> Some googling on mine showed me a buffer overflow attack for some 
> Windows Server bug.  Since mine is a Debian Stable box, I just ignored
> it.
> 
> Kevin
> 
> 
> 
> --
> http://gentgeen.homelinux.org
> 
> ############################################################# 
> Associate yourself with men of good quality if you esteem
> your own reputation; for 'tis better to be alone than in bad
> company.        - George Washington, Rules of Civility
> _______________________________________________ 
> wplug mailing list
> wplug at wplug.org
> http://www.wplug.org/mailman/listinfo/wplug
> 
> 
> 
> 
> -- 
> Daniel McQuay
> simplebob at gmail.com
> boxster.homelinux.org
> H: 814.825.0847
> M: 814-341-6233 
> 
> 


-- 
Bill Moran
Collaborative Fusion Inc.

****************************************************************
IMPORTANT: This message contains confidential information and is
intended only for the individual named. If the reader of this
message is not an intended recipient (or the individual
responsible for the delivery of this message to an intended
recipient), please be advised that any re-use, dissemination,
distribution or copying of this message is prohibited. Please
notify the sender immediately by e-mail if you have received
this e-mail by mistake and delete this e-mail from your system.
E-mail transmission cannot be guaranteed to be secure or
error-free as information could be intercepted, corrupted, lost,
destroyed, arrive late or incomplete, or contain viruses. The
sender therefore does not accept liability for any errors or
omissions in the contents of this message, which arise as a
result of e-mail transmission.
****************************************************************
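The thread never says how to go looking for entries like Daniel's beyond eyeballing the log. The following scanner is an added example, not code from anyone on the list: it reads Common Log Format lines, relies on the convention that Apache writes non-printable request bytes as `\xNN` escapes, and flags request lines that carry many such escapes, a long run of one repeated escaped byte (the `\xc9\xc9...` filler pattern from the original post), or an unusually long request. The thresholds (32 escapes, a run of 16, 2048 characters) and the sample log lines are constructed for the example; the one IP address and request shape come from the post. Bill's advice to assume the worst applies to the output: a hit is a reason to check the host, not proof that the attack worked or failed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Simplified Common Log Format: host ident user [time] "request" status size.
# The request group stops at the first double quote, which is enough for the
# escaped-byte case shown in the thread (Apache escapes quotes inside a request).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}|-) (?P<size>\d+|-)'
)
# Apache's escape form for a non-printable byte in the logged request line.
ESCAPE_RE = re.compile(r'\\x([0-9a-fA-F]{2})')


@dataclass
class Finding:
    host: str
    method: str
    escaped_bytes: int       # count of \xNN escapes in the request line
    longest_run: int         # longest run of one repeated escaped byte
    run_byte: Optional[int]  # the byte value that run consisted of
    request_len: int         # length of the logged request line


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def longest_escape_run(request: str):
    """Length and byte value of the longest run of identical \\xNN escapes."""
    vals = [int(h, 16) for h in ESCAPE_RE.findall(request)]
    if not vals:
        return 0, None
    best_len, best_val, cur_len = 1, vals[0], 1
    for prev, cur in zip(vals, vals[1:]):
        cur_len = cur_len + 1 if cur == prev else 1
        if cur_len > best_len:
            best_len, best_val = cur_len, cur
    return best_len, best_val


def analyze_line(line: str, min_escapes: int = 32, min_run: int = 16,
                 max_len: int = 2048) -> Optional[Finding]:
    """Flag one line if its request looks like binary filler rather than a URL."""
    fields = parse_line(line)
    if fields is None:
        return None
    request = fields["request"]
    escaped = len(ESCAPE_RE.findall(request))
    run_len, run_val = longest_escape_run(request)
    suspicious = (escaped >= min_escapes or run_len >= min_run
                  or len(request) >= max_len)
    if not suspicious:
        return None
    method = request.split(" ", 1)[0] if request else ""
    return Finding(fields["host"], method, escaped, run_len, run_val, len(request))


def scan(log_text: str) -> List[Finding]:
    """Run analyze_line over a whole log; unparseable lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        f = analyze_line(line)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample log: a normal request, an accented path with two escapes,
# and the SEARCH request from the thread, rebuilt as one line (1x \x90, 60x \xc9).
SEARCH_REQUEST = "SEARCH /\\x90" + "\\xc9" * 60 + " HTTP/1.1"
SAMPLE_LOG = "\n".join([
    '192.0.2.10 - - [04/Jun/2006:14:49:01 -0400] "GET /index.html HTTP/1.0" 200 512',
    '192.0.2.11 - - [04/Jun/2006:14:49:40 -0400] "GET /caf\\xc3\\xa9.html HTTP/1.1" 404 0',
    f'71.116.248.152 - - [04/Jun/2006:14:50:13 -0400] "{SEARCH_REQUEST}" 400 0',
])

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.host}: {f.method} with {f.escaped_bytes} escaped bytes, "
              f"longest run {f.longest_run} of 0x{f.run_byte:02x}")
```

Running it over a real httpd-access.log (`scan(open(path).read())`) prints one line per suspicious request. The run-length check is the useful one here: ordinary non-ASCII paths produce a handful of varied escapes, while overflow attempts show one byte repeated for hundreds of positions, which is exactly what stood out to Daniel by eye.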

