httpd-users mailing list archives

From Markus Lenger <markus.len...@gmx.at>
Subject [users@httpd] Buffer Overrun Attack
Date Tue, 14 Sep 2004 16:26:34 GMT
Hi!

I am running Apache 1.3.26 and found some strange entries in my 
access.log: There are lots of "SEARCH" requests from spoofed addresses 
with very lengthy keywords. These keywords seem to be hex-encoded 
binary data. A sample request looks like this:

81.10.221.210 - - [02/Sep/2004:18:16:32 +0200] "SEARCH 
/\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1
\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\  
[...]  \x90" 414 271 "-" "-"

After lots of these requests a password-protected area of the server was 
accessed from an IP that belongs to some Russian internet provider ("BIS 
Telekom"). As I neither know any Russians nor gave the password to 
someone who went to Russia, there are two possibilities:

   1. The password was stolen from a third person who I gave the
      password to.
   2. The attack was successful.

I fear the second statement is true. Any ideas?

markus

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
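
One way to triage an access log like the one described in the message above, added here as an example and not part of the original post: it counts the hex-escaped SEARCH requests per source and status (414 is HTTP "Request-URI Too Long") and lists successful requests to the protected area, marking whether each came from a host that also sent such requests. The `/private/` prefix, the set of usual methods, the escape threshold and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Apache common/combined log line. The request field is kept whole because
# a malformed request may not contain a protocol token.
LINE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(.*?)" (\d{3}) \S+')
ESCAPE = re.compile(r'\\x[0-9a-fA-F]{2}')    # raw bytes as escaped in the log
USUAL = {"GET", "HEAD", "POST", "OPTIONS"}   # assumption: no WebDAV in use

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    host, user, when, request, status = m.groups()
    method, _, rest = request.partition(" ")
    return {"host": host, "user": user, "when": when, "method": method,
            "target": rest.split(" ")[0], "status": int(status)}

def suspicious(e, min_escapes=8):
    # Unusual method, or a target made up largely of escaped binary bytes.
    return (e["method"] not in USUAL
            or len(ESCAPE.findall(e["target"])) >= min_escapes)

def triage(lines, protected="/private/"):  # prefix is a hypothetical path
    """Return (probe counts by host/method/status, successful protected hits)."""
    entries = [e for e in map(parse, lines) if e]
    probes = Counter((e["host"], e["method"], e["status"])
                     for e in entries if suspicious(e))
    probing_hosts = {host for host, _, _ in probes}
    hits = [(e["host"], e["user"], e["when"], e["host"] in probing_hosts)
            for e in entries
            if e["target"].startswith(protected)
            and 200 <= e["status"] < 300 and not suspicious(e)]
    return probes, hits

# Constructed sample log (documentation addresses, hypothetical user "alice").
SAMPLE = [
    r'192.0.2.10 - - [02/Sep/2004:18:16:32 +0200] "SEARCH /\x90'
    + r'\x02\xb1' * 40 + r'\x90" 414 271 "-" "-"',
    r'192.0.2.11 - - [02/Sep/2004:18:17:05 +0200] "SEARCH /\x90'
    + r'\x02\xb1' * 40 + r'\x90" 414 271 "-" "-"',
    '198.51.100.7 - - [02/Sep/2004:19:02:09 +0200] "GET /private/ HTTP/1.0" 401 409',
    '198.51.100.7 - alice [02/Sep/2004:19:02:10 +0200] "GET /private/ HTTP/1.0" 200 1532',
    '203.0.113.5 - - [02/Sep/2004:19:05:00 +0200] "GET / HTTP/1.0" 200 2326',
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The authenticated user name in each hit shows which account's password was used, which helps separate a leaked credential from a compromise of the server itself.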

