This is a discussion on "Apache attack" within the Linux Security forums, part of the System Security and Security Related category.

Hi everyone.

Lately I've been receiving some strange requests on port 80. I found this in the logs:

218.94.77.207 - - [19/May/2004:14:16:51 +0100] "SEARCH /\x90\x02\xb1\x02\xb
\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1........
.....
.....

This is just a little bit of the query; in reality it is much longer.
Can someone tell me what is going on?
I've got Slackware 9.1 and Apache-1.3.29-i486-2.
What I think is strange is that when I had Red Hat installed I never saw this kind of log entry.
Is this the exploitation of some known security hole?

Best regards,
Nuno Paquete.

> Lately I've been receiving some strange requests on port 80.
> I found this in the logs:
> 218.94.77.207 - - [19/May/2004:14:16:51 +0100] "SEARCH
> /\x90\x02\xb1\x02\xb
> \x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb

I've been getting these recently as well, on all my web servers. I don't know if it's targeting Apache or another web server (IIS?), but it would be interesting to know what exactly they're trying to do.

--
Jem Berkes
http://www.sysdesign.ca/

Jem Berkes wrote:
>> Lately I've been receiving some strange requests on port 80.
>> I found this in the logs:
>> 218.94.77.207 - - [19/May/2004:14:16:51 +0100] "SEARCH
>> /\x90\x02\xb1\x02\xb
>> \x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
>
> I've been getting these recently as well, on all my web servers. I don't
> know if it's targeting Apache or another web server (IIS?), but it would be
> interesting to know what exactly they're trying to do.

It's a buffer overflow attack, apparently an IIS "WebDav exploit", aimed at NTDLL.DLL.
See http://www.fatelabs.com/library/fate...l-analysis.pdf for some of the details.

--
Lew Pitcher, IT Consultant, Enterprise Application Architecture
Enterprise Technology Solutions, TD Bank Financial Group
(Opinions expressed here are my own, not my employer's)

On Wed, 19 May 2004 16:55:29 +0000, Jem Berkes wrote:
>> Lately I've been receiving some strange requests on port 80. I found
>> this in the logs:
>> 218.94.77.207 - - [19/May/2004:14:16:51 +0100] "SEARCH
>> /\x90\x02\xb1\x02\xb
>> \x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
>
> I've been getting these recently as well, on all my web servers. I don't
> know if it's targeting Apache or another web server (IIS?), but it would
> be interesting to know what exactly they're trying to do.

IIS WebDAV Exploit, I think one of the agobot worms tries to use it to get into Windows boxes.

--
-Geoff

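The two replies above identify the request as the IIS WebDAV probe rather than anything aimed at Apache. Below is an added example of how to triage such entries in an Apache access_log, which is not code posted by anyone in this thread. It decodes the \xNN escapes Apache writes for non-printable request bytes (so the `\x90\x02\xb1...` text becomes the raw bytes the client sent), then flags WebDAV verbs whose target is oversized and mostly non-printable, as opposed to a WebDAV verb with an ordinary path or a merely long printable URI. The log lines are constructed for the example; the first is modelled on the posted request, and its status code and size are assumptions, since the original post is truncated before those fields.

```python
"""Triage Apache access-log lines for the IIS WebDAV (ntdll.dll) overflow probe.

Added example for this thread, not code posted by anyone in it. Apache writes
non-printable bytes of the request line to access_log as \\xNN escapes, which
is why the poster saw "SEARCH /\\x90\\x02\\xb1..." as readable text. The sample
lines below are constructed; the first is modelled on the posted request, with
a status and size added that the truncated post does not show.
"""
import re
from collections import Counter

# Constructed sample log lines (status codes and sizes are assumptions).
SAMPLE_LOG = "\n".join([
    # WebDAV SEARCH: a 0x90 (x86 NOP) lead-in followed by a long two-byte filler run.
    '218.94.77.207 - - [19/May/2004:14:16:51 +0100] "SEARCH /\\x90'
    + "\\x02\\xb1" * 600 + ' HTTP/1.1" 414 325',
    # Ordinary page fetch.
    '10.0.0.5 - - [19/May/2004:14:17:02 +0100] "GET /index.html HTTP/1.1" 200 1043',
    # WebDAV method with a short printable target: worth noting, not an overflow.
    '10.0.0.9 - - [19/May/2004:14:18:40 +0100] "PROPFIND /webdav/ HTTP/1.1" 501 218',
    # Long but printable URI: length alone is not the signal.
    '10.0.0.7 - - [19/May/2004:14:19:00 +0100] "GET /' + "a" * 1500 + ' HTTP/1.0" 404 290',
])

# Common Log Format; the request field may contain backslash escapes.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
ESC_RE = re.compile(r'\\(x[0-9a-fA-F]{2}|[nrtvb\\"])')
_SIMPLE = {"n": b"\n", "r": b"\r", "t": b"\t", "v": b"\v", "b": b"\b",
           "\\": b"\\", '"': b'"'}

WEBDAV_METHODS = {"SEARCH", "PROPFIND", "PROPPATCH", "MKCOL", "COPY",
                  "MOVE", "LOCK", "UNLOCK"}
LONG_TARGET = 1024   # bytes; a genuine WebDAV target is a short path


def unescape_apache(field: str) -> bytes:
    """Undo Apache's log escaping, returning the raw bytes the client sent."""
    out = bytearray()
    pos = 0
    for m in ESC_RE.finditer(field):
        out += field[pos:m.start()].encode("latin-1")
        esc = m.group(1)
        out += bytes([int(esc[1:], 16)]) if esc.startswith("x") else _SIMPLE[esc]
        pos = m.end()
    out += field[pos:].encode("latin-1")
    return bytes(out)


def parse_line(line: str):
    """Return a dict of fields plus decoded method/target, or None if not CLF."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    parts = unescape_apache(entry["request"]).split(b" ", 2)
    entry["method"] = parts[0].decode("latin-1")
    entry["target"] = parts[1] if len(parts) > 1 else b""
    return entry


def classify(entry) -> str:
    """Label one parsed entry.

    'webdav-overflow-probe': WebDAV verb, oversized target, mostly
    non-printable bytes (a NOP sled or filler, never a real path).
    'webdav-method': WebDAV verb with an ordinary target.
    'benign': everything else.
    """
    target = entry["target"]
    if entry["method"] not in WEBDAV_METHODS:
        return "benign"
    binary = sum(1 for b in target if b < 0x20 or b >= 0x7F)
    if len(target) > LONG_TARGET and binary > len(target) // 2:
        return "webdav-overflow-probe"
    return "webdav-method"


def scan(log_text: str):
    """Parse every CLF line and return (host, method, status, verdict) tuples."""
    results = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            results.append((entry["host"], entry["method"], entry["status"],
                            classify(entry)))
    return results


def summarize(results) -> Counter:
    """Count verdicts, e.g. to decide whether a source is worth firewalling."""
    return Counter(r[3] for r in results)


if __name__ == "__main__":
    rows = scan(SAMPLE_LOG)
    for host, method, status, verdict in rows:
        print(f"{host:15} {method:9} {status}  {verdict}")
    print(dict(summarize(rows)))
```

The status column is the useful confirmation on an Apache host: a 414 means Apache refused the request line at LimitRequestLine (8190 bytes by default) before any handler saw it, and a 501 means the method is not implemented by this server. Either way the vulnerable code this probe aims at lives in Windows ntdll.dll behind IIS WebDAV, so on Apache these entries are scanner noise to count and, if a source is persistent, firewall, not a sign of exposure.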
>>> Lately I've been receiving some strange requests on port 80. I found
>>> this in the logs:
>>> 218.94.77.207 - - [19/May/2004:14:16:51 +0100] "SEARCH
>>> /\x90\x02\xb1\x02\xb
>>> \x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
>>
>> I've been getting these recently as well, on all my web servers. I
>> don't know if it's targeting Apache or another web server (IIS?), but
>> it would be interesting to know what exactly they're trying to do.
>
> IIS WebDAV Exploit, I think one of the agobot worms tries to use it to
> get into Windows boxes.

LOL, so people still try to run HTTP servers on Windows :) Good way to kill your server.

--
Jem Berkes
http://www.sysdesign.ca/

"Jem Berkes" <jb@users.pc9.org> quoted and wrote in message
news:Xns94EE795FD6A55jbuserspc9org@130.179.16.24
>> Lately I've been receiving some strange requests on port 80.
>> I found this in the logs:
>> 218.94.77.207 - - [19/May/2004:14:16:51 +0100] "SEARCH
>> /\x90\x02\xb1\x02\xb
>> \x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
>
> I've been getting these recently as well, on all my web servers. I
> don't know if it's targeting Apache or another web server (IIS?), but
> it would be interesting to know what exactly they're trying to do.

http://www.linuxquestions.org/questions/history/174552

--
use hotmail for email replies

Thanks guys.

"Nuno Paquete" <nmp@ispgaya.pt> wrote in message news:40ab72f9$0$1841$a729d347@news.telepac.pt...
> Hi everyone.
> Lately I've been receiving some strange requests on port 80.
> I found this in the logs:
> 218.94.77.207 - - [19/May/2004:14:16:51 +0100] "SEARCH /\x90\x02\xb1\x02\xb
> \x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
> [filler lines repeated as in the original post above]
> \x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1........
> ....
> ....
>
> This is just a little bit of the query; in reality it is much longer.
> Can someone tell me what is going on?
> I've got Slackware 9.1 and Apache-1.3.29-i486-2.
> What I think is strange is that when I had Red Hat installed I never saw this kind of log entry.
> Is this the exploitation of some known security hole?
>
> Best regards,
> Nuno Paquete.