httpd-users mailing list archives

From Luis Moreira <lamore...@bes.pt>
Subject Re: [users@httpd] should I worry about this script kiddies attack?
Date Wed, 06 Aug 2003 14:44:15 GMT
This is a "buffer overflow" attack that, as far as I know, affects Micro$oft,
not Apache.

You can find lots of info on Google if you type "NULL.IDA", namely
http://www.securiteam.com/exploits/5GP0C2K4KK.html

Luis

----- Original Message -----
From: "Ian Ballantyne" <ian@midori.shacknet.nu>
To: <users@httpd.apache.org>
Sent: Wednesday, August 06, 2003 3:13 PM
Subject: [users@httpd] should I worry about this script kiddies attack?


> Hi,
>
> I've been using apache successfully for three years now and have never had
> problems or concerns with it until now.  I am aware of quite a few script
> kiddie attacks (Code Red, etc), but have today seen in my log files 18
> entries that somewhat concern me.  I have found nothing in google or the
> apache mailing list that would stop my concerns, so I have got onto this
> list to see if anyone else knows anything.
>
> Normally I wouldn't be concerned, except that this time apache has
> returned a 400 status, and 299 bytes of data.  I think my system hasn't
> been compromised, but maybe there is something new out there that I should
> be worried about.
>
> An extract of one of the log entries is below.  I have replaced the
> backslashes that were in the log entry with spaces, and have left out most
> of the entry too since it will just create a large mail.  Each full line in
> the log is 6396 characters long.
>
> So, should I be worried, could there be a new attack against apache, or is
> this just another M$ IIS attack?  Your input will be appreciated.
>
> Regards
> Ian
>
> 203.229.217.15 - - [06/Aug/2003:08:08:52 +0200] "GET /NULL.IDA?CCCC
>
> [lots of C's left out]
>
>
> CCC%u0aeb%ub890%u898b%u77e8%u0000%u0000%u838b%u0094%u0000%u408b%u0564%u0150%u0000%ue0ff%u9090=x&
> x90 x90 x90 x90 x90 x90 x90 x90 x90 x90 x90 x90 x90 x90 x90 x90 x90 x90 x90
> x90 x90 x90 x90 x90 x90 x90 x90 x90 x90 x90 x90 x90 xeb t x90 x90 x90_ xeb b
> x90 x90 x90 xe8 xf5 xff xff xff x8do xf0 x8d}- x90 x90 x90 x8b xf7f xb8H x063
> xc9f x8b xc8 xb4 x99 xfc xac2 xc4 xaa xe2 xfa x14$ xec x9f x99 x99e xaaP(
> xb9) xbdk7_ xdef
>
> [large chunk left out]
>
> xa8 xe9 x7f xee x99 xfa[ x01+ xdfcmd.exe$ HTTP/1.1" 400 299
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
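
As an added example (not part of the original thread, and not Apache project code): a small Python filter that picks requests like the quoted one out of an access log and reports whether the server rejected them. The 200-character threshold, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) (\S+)$')
# Method, then everything up to an optional trailing protocol token
REQ = re.compile(r'^(\S+) (.*?)(?: HTTP/\d\.\d)?$', re.DOTALL)
IDA = re.compile(r'^[^?]*\.id[aq]$', re.IGNORECASE)  # .ida/.idq path, as in the quoted request
PCT_U = re.compile(r'%u[0-9a-fA-F]{4}')               # non-standard %uXXXX escapes
LONG_QUERY = 200  # assumed threshold; tune to the site's normal query strings

def classify(line):
    """Return a finding dict for an .ida/.idq request, or None for other lines."""
    m = CLF.match(line.strip())
    if not m:
        return None
    host, _when, request, status, _size = m.groups()
    r = REQ.match(request)
    if not r:
        return None
    path, _, query = r.group(2).partition("?")
    if not IDA.match(path):
        return None
    status = int(status)
    return {
        "host": host,
        "path": path,
        "query_len": len(query),
        "overlong": len(query) > LONG_QUERY,
        "pct_u": len(PCT_U.findall(query)),
        "status": status,
        # 4xx: this server refused the request; anything else needs a closer look
        "outcome": "rejected" if 400 <= status < 500 else "review",
    }

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample lines (documentation addresses, filler instead of a real payload)
SAMPLE = [
    '192.0.2.10 - - [06/Aug/2003:08:08:52 +0200] "GET /NULL.IDA?' + "C" * 300
    + '%u9090%u9090=x& x90 x90 cmd.exe$ HTTP/1.1" 400 299',
    '198.51.100.7 - - [06/Aug/2003:08:09:10 +0200] "GET /index.html HTTP/1.1" 200 1043',
    '192.0.2.44 - - [06/Aug/2003:08:10:01 +0200] "GET /default.ida?x=1 HTTP/1.0" 404 210',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```
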

