httpd-users mailing list archives

From Joshua Slive <>
Subject Re: [users@httpd] Buffer Overrun Attack
Date Tue, 14 Sep 2004 16:49:41 GMT
On Tue, 14 Sep 2004 18:26:34 +0200, Markus Lenger <> wrote:
> Hi!
> I am running Apache 1.3.26 and found some strange entries in my
> access.log: There are lots of "SEARCH" requests from spoofed addresses
> with very lengthy keywords. These keywords seem to be hex-encoded
> binary-data. A sample request looks like this:
> - - [02/Sep/2004:18:16:32 +0200] "SEARCH
> /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1

A search of the archives of this list would tell you that this is an
attack aimed at IIS and will not succeed on Apache.

> After lots of these requests a password-protected area of the server was
> accessed from an IP that belongs to some Russian internet provider ("BIS
> Telekom"). As I neither know any Russians nor gave the password to
> someone who went to Russia there are two possibilities:
>    1. The password was stolen from a third person who I gave the
>       password to.
>    2. The attack was successful.
> I fear the second statement is true. Any ideas?

It is either 1 or 
3. Someone brute-force attacked your site with a password-guesser and
found a weak password.  This should be evident in your logs.
4. You have some other flaw in your auth system.  We know nothing about this.

It is extremely unlikely that 2 is the case.
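
An added example (not part of the original message) of checking the access log for the password guessing described in point 3: it counts rejected logins per client and flags a client whose rejections are followed by a successful response. It assumes Apache's Common Log Format; the `/private/` path, the threshold and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "((?:[^"\\]|\\.)*)" (\d{3}) \S+')

def find_guessing(lines, prefix, threshold=3):
    """Per host: rejected logins under `prefix`, usernames tried, and whether
    a 2xx response under `prefix` followed once the threshold was reached."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "success_after": False})
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        host, user, request, status = m.groups()
        parts = request.split()
        if len(parts) < 2 or not parts[1].startswith(prefix):
            continue  # e.g. the SEARCH noise, which never touches the protected area
        s = stats[host]
        # A 401 with "-" as user is only the initial challenge; a 401 with a
        # username means credentials were sent and rejected.
        if status == "401" and user != "-":
            s["failures"] += 1
            s["users"].add(user)
        elif status.startswith("2") and s["failures"] >= threshold:
            s["success_after"] = True
    return {h: s for h, s in stats.items() if s["failures"] >= threshold}

# Constructed sample lines (documentation addresses, hypothetical /private/ path).
SAMPLE = r'''198.51.100.7 - - [02/Sep/2004:18:16:32 +0200] "SEARCH /\x90\x02\xb1\x02\xb1 HTTP/1.1" 414 340
192.0.2.10 - - [03/Sep/2004:02:10:01 +0200] "GET /private/ HTTP/1.0" 401 401
192.0.2.10 - admin [03/Sep/2004:02:10:02 +0200] "GET /private/ HTTP/1.0" 401 401
192.0.2.10 - admin [03/Sep/2004:02:10:03 +0200] "GET /private/ HTTP/1.0" 401 401
192.0.2.10 - root [03/Sep/2004:02:10:04 +0200] "GET /private/ HTTP/1.0" 401 401
192.0.2.10 - alice [03/Sep/2004:02:10:05 +0200] "GET /private/ HTTP/1.0" 200 1832
203.0.113.5 - - [03/Sep/2004:09:00:00 +0200] "GET /private/ HTTP/1.0" 401 401
203.0.113.5 - bob [03/Sep/2004:09:00:04 +0200] "GET /private/ HTTP/1.0" 200 1832
'''.splitlines()

if __name__ == "__main__":
    for host, s in find_guessing(SAMPLE, "/private/").items():
        print(host, s["failures"], sorted(s["users"]), s["success_after"])
```

A login from an unfamiliar address with no preceding run of rejected attempts, like the last client in the sample, is not reported and points toward possibility 1 rather than guessing.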


The official User-To-User support forum of the Apache HTTP Server Project.