This is a discussion on Weird http request type, "SEARCH", in apache logs within the Linux Security forums, part of the System Security and Security Related category.
I've done a fairly exhaustive search on google and google groups for this problem, but either the search string is tricky or no one's encountered this yet. In any case, I got the following in my apache logs....

(client's ip) - - [23/Aug/2003:06:44:07 -0400] "SEARCH /~P^B±^B±^B±^B±^B±^B±^B±^B±^B±^B±^B±^B±^B±^B±^B±^B± ^B±^B±^B±^B±^B±^B±^B±^B±^B±^B±^B±^B±....

It goes on like that for about 8000 characters. It changes over to ~P~P~P~P's somewhere in the middle. Anyone know what this is about?

Thanks!

Joe
David <thunderbolt01@netscape.net> wrote in message news:<Rth2b.252355$Ho3.33296@sccrnsc03>...
> joe versoza wrote:
> > I've done a fairly exhaustive search on google and google
> > groups for this problem, but either the search string is
> > tricky or no one's encountered this yet. In any case, I got
> > the following in my apache logs....
> >
> > (client's ip) - - [23/Aug/2003:06:44:07 -0400] "SEARCH
> > /~P^B±^B±^B±^B±^B±^B±^B±^B±^B±^B±^B±^B±^B±^B±^B±^B± ^B±^B±....
> >
> > It goes on like that for about 8000 characters. It changes
> > over to ~P~P~P~P's somewhere in the middle. Anyone know what
> > this is about?
>
> I'm guessing here but possibly a buffer overflow attack? I did a
> search at symantec, sophos, McAfee, and CERT and didn't find
> anything about it. Possibly something new, I haven't seen it before.

Thanks. Is there anything I should do in response to possible buffer overflow attacks (other than check for patches for Apache)? And more importantly, how can I tell if it was successful? Also, if there's a resource that covers all this stuff, please let me know... Thanks again!
> I've done a fairly exhaustive search on google and google groups for
> this problem, but either the search string is tricky or no one's
> encountered this yet. In any case, I got the following in my apache
> logs....
>
> (client's ip) - - [23/Aug/2003:06:44:07 -0400] "SEARCH
> /~P^B±^B±^B±^B±^B±^B±^B±^B±^B±^B±^B±^B±^B±^B±^B±^B± ^B±^B±^B±^B±^B±^B±^B
> ±^B±^B±^B±^B±^B±....

I see SEARCH requests on occasion, which I could never figure out. The request isn't even part of HTTP (1.0 or 1.1).
joe versoza wrote:
> Thanks. Is there anything I should do in response to possible buffer
> overflow attacks (other than check for patches for Apache)? And more
> importantly, how can I tell if it was successful? Also, if there's a
> resource that covers all this stuff, please let me know... Thanks
> again!

If you are running the latest apache release 1.3.28 or whatever the 2.X series is up to now, you should be safe. I was guessing about your post being a buffer overflow attack and don't know if it is a Windows problem or pointed at linux systems. You could run chkrootkit to ease your worries.

--
Confucius: He who play in root, eventually kill tree.
Registered with The Linux Counter. http://counter.li.org/
Slackware 9.0 Kernel 2.4.22 i686 (GCC) 3.3
Uptime: 10:59, 1 user, load average: 1.23, 1.21, 1.20
jjvwork@yahoo.com (joe versoza) wrote in
news:da5051a.0308242124.73b2e18@posting.google.com :
> I've done a fairly exhaustive search on google and google groups for
> this problem, but either the search string is tricky or no one's
> encountered this yet. In any case, I got the following in my apache
> logs....
>
> (client's ip) - - [23/Aug/2003:06:44:07 -0400] "SEARCH
> /~P^B±^B±^B±^B±^B±^B±^B±^B±^B±^B±^B±^B±^B±^B±^B±^B± ^B±^B±^B±^B±^B±^B±^B
> ±^B±^B±^B±^B±^B±....
>
> It goes on like that for about 8000 characters. It changes over to
> ~P~P~P~P's somewhere in the middle. Anyone know what this is about?
> Thanks!
>
> Joe

IIRC that is an attempt to exploit the WebDav vulnerability. Probably from Blaster.D
< Jem Berkes
> I see SEARCH requests on occasion, which I could never figure out. The
> request isn't even part of HTTP (1.0 or 1.1)

It's WebDAV [RFC2518 (3253)].

<security.stanford.edu/IIS-WebDAV.html>
<www.cert.org/advisories/CA-2003-09.html> [CAN-2003-0109]
<isc.incidents.org/analysis.html?id=183>
<www.lurhq.com/webdav.html>

Some exploit sends a HTTP request like this -->

SEARCH /[nop][retadr]...[retadr][nop]...[nop][jmpcode] HTTP/1.1
{HTTP headers here}
{HTTP body with webDAV content}
0x01
[shellcode]

Another one with bug -->

sprintf(buffsend, "SEARCH / HTTP/1.1\r\nHost:%s\r\nContent-Type: text/xml\r\n"
        "Content-Length: %d\r\n\r\n%s%s",
        strlen(xmlbody) + strlen(buffer), xmlbody, buffer);

It should be -->

        target, strlen(xmlbody) + strlen(buffer), xmlbody, buffer);
        ^^^^^^

SK can't find the bug or don't audit the c0d3z. And occur -->

SEARCH / HTTP/1.1
Host: %s
      ^^

--
Regards, RainbowHat. To spoof or not to spoof, that is the IPv4 packet.
----+----1----+----2----+----3----+----4----+----5----+----6----+----7