httpd-users mailing list archives

From Joshua Slive <jsl...@gmail.com>
Subject Re: [users@httpd] Buffer Overrun Attack
Date Tue, 14 Sep 2004 16:49:41 GMT
On Tue, 14 Sep 2004 18:26:34 +0200, Markus Lenger <markus.lenger@gmx.at> wrote:
> Hi!
> 
> I'm running Apache 1.3.26 and found some strange entries in my
> access.log: There are lots of "SEARCH" requests from spoofed addresses
> with very lengthy keywords. These keywords seem to be hex-encoded
> binary-data. A sample request looks like this:
> 
> 81.10.221.210 - - [02/Sep/2004:18:16:32 +0200] "SEARCH
> /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1

A search of the archives of this list would tell you that this is an
attack aimed at IIS and will not succeed on Apache.

> After lots of these requests a password-protected area of the server was
> accessed from an IP that belongs to some Russian internet provider ("BIS
> Telekom"). As I neither know any Russians nor gave the password to
> someone who went to Russia there are two possibilities:
> 
>    1. The password was stolen from a third person who I gave the
>       password to.
>    2. The attack was successful.
> 
> I fear the second statement is true. Any ideas?

It is either 1 or 
3. Someone brute-force attacked your site with a password-guesser and
found a weak password.  This should be evident in your logs.
or
4. You have some other flaw in your auth system.  We know nothing about this.

It is extremely unlikely that 2 is the case.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
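
The log check the reply points to, as an added example that is not part of the original message: a Python sketch that separates the SEARCH noise from a password-guessing pattern (repeated 401 responses followed by a 200 from the same client). The log lines, IP addresses, user names and the /private/ path are constructed, and the threshold of three failures is an assumption.

```python
import re
from collections import defaultdict

# Common Log Format: host ident authuser [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(.*)" (\d{3}) \S+$')

# Constructed sample lines (documentation IPs, hypothetical /private/ path).
SAMPLE_LOG = r'''
192.0.2.10 - - [02/Sep/2004:18:16:32 +0200] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1" 414 271
198.51.100.7 - admin [02/Sep/2004:19:01:10 +0200] "GET /private/ HTTP/1.0" 401 401
198.51.100.7 - admin [02/Sep/2004:19:01:11 +0200] "GET /private/ HTTP/1.0" 401 401
198.51.100.7 - admin [02/Sep/2004:19:01:12 +0200] "GET /private/ HTTP/1.0" 401 401
198.51.100.7 - admin [02/Sep/2004:19:01:13 +0200] "GET /private/ HTTP/1.0" 200 1532
203.0.113.5 - alice [02/Sep/2004:19:05:00 +0200] "GET /private/ HTTP/1.0" 200 1532
'''

def triage(log_text, min_failures=3):
    """Return (search_noise_ips, guessed_logins).

    search_noise_ips: clients that sent SEARCH with \\x-escaped bytes.
    guessed_logins: (ip, user) pairs where a 200 followed at least
    min_failures 401 responses from the same client.
    """
    noise, guessed = set(), []
    failures = defaultdict(int)  # 401 count per client since last success
    for line in log_text.splitlines():
        m = CLF.match(line.strip())
        if not m:
            continue  # blank or non-CLF line
        ip, user, _when, request, status = m.groups()
        if request.startswith("SEARCH ") and "\\x" in request:
            noise.add(ip)
        elif status == "401":
            failures[ip] += 1
        elif status == "200" and user != "-":
            if failures[ip] >= min_failures:
                guessed.append((ip, user))
            failures[ip] = 0
    return noise, guessed

if __name__ == "__main__":
    noise, guessed = triage(SAMPLE_LOG)
    print("SEARCH noise from:", sorted(noise))
    print("success after repeated 401s:", guessed)
```

An authenticated 200 with no preceding 401 run, like the constructed `alice` line, is not flagged; that pattern fits a password that was already known to the client rather than one that was guessed.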

