Re: strange http log entry
On 10 Jul 2004, James Sinnamon wrote:
> I found two unusual "SEARCH" records on my apache httpd
> access.log.
>
> They start as follows:
>
> 144.132.111.231 - - [10/Jul/2004:11:38:24 +1000] "SEARCH
> /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\
> \x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\
> \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\
> \x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\
> \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\\
> x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\
> \x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\
> \x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\
> \x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\
> \x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\\
> ..
>
> Each record is roughly 8180 characters in length.
>
> Does anyone know what might be going on?
Sure. Some exploit is being attempted against your system.
> Is it perfectly innocent ... or is someone up to no good? Can anyone
> suggest another mailing list on which to pursue this if this is not
> the right place to ask?
Basically, what you are seeing is the code used as part of some sort of
exploit, probably a buffer overflow or similar.
It probably isn't succeeding - I don't recall any webdav exploit for
Apache recently - but if you see the process recorded as crashing near
that point, start to worry.
Daniel
--
Fortune rarely accompanies anyone to the door.
-- Balthasar Gracian
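
The check suggested in the reply above (look for a process crashing near the request) can be done mechanically. The following is an added example, not part of the original message: it flags oversized SEARCH requests packed with `\x` escapes and pairs each with Apache child-crash notices logged within a few seconds. The sample log lines, the 414 status, the thresholds and the function names are constructed for illustration, and both logs are assumed to use the same local time zone.

```python
import re
from datetime import datetime, timedelta

# Access log (common format) and the Apache error-log child-crash notice.
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (.*)$')
CRASH_RE = re.compile(r'^\[([^\]]+)\] \[notice\] child pid (\d+) exit signal (.+)$')
ESCAPED_BYTE = re.compile(r'\\x[0-9a-fA-F]{2}')

def suspicious_requests(access_lines, min_len=1024, min_escaped=50):
    """Return (time, ip, line_length, escaped_byte_count) for long binary SEARCH lines."""
    hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m or m.group(3) != "SEARCH":
            continue
        ip, stamp, _, rest = m.groups()
        escaped = len(ESCAPED_BYTE.findall(rest))
        if len(line) >= min_len and escaped >= min_escaped:
            # Drop the "+1000" offset: the error log carries local time only.
            when = datetime.strptime(stamp.split()[0], "%d/%b/%Y:%H:%M:%S")
            hits.append((when, ip, len(line), escaped))
    return hits

def crashes(error_lines):
    """Return (time, pid, signal) for every child-crash notice in the error log."""
    found = (CRASH_RE.match(line) for line in error_lines)
    return [(datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"),
             int(m.group(2)), m.group(3)) for m in found if m]

def correlate(access_lines, error_lines, window_s=5):
    """Pair each suspicious request with crashes logged within window_s seconds."""
    window = timedelta(seconds=window_s)
    crash_list = crashes(error_lines)
    return [(req, [c for c in crash_list if abs(c[0] - req[0]) <= window])
            for req in suspicious_requests(access_lines)]

# Constructed sample data shaped like the record quoted in the thread.
_PAYLOAD = "/\\x90" + "\\x02\\xb1" * 1015
SAMPLE_ACCESS = [
    '144.132.111.231 - - [10/Jul/2004:11:38:24 +1000] "SEARCH ' + _PAYLOAD + '" 414 320',
    '192.0.2.10 - - [10/Jul/2004:11:40:02 +1000] "GET /index.html HTTP/1.1" 200 1043',
]
SAMPLE_ERROR = [
    "[Sat Jul 10 11:38:25 2004] [notice] child pid 4242 exit signal Segmentation fault (11)",
    "[Sat Jul 10 12:00:00 2004] [notice] caught SIGTERM, shutting down",
]

if __name__ == "__main__":
    for req, near in correlate(SAMPLE_ACCESS, SAMPLE_ERROR):
        print(req[1], req[0], "len", req[2], "crashes nearby:", near or "none")
```

A request with an empty crash list matches the "probably isn't succeeding" case; a non-empty one is the situation the reply says to worry about.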