Posted to users@httpd.apache.org by "Jack L. Stone" <ja...@sage-one.net> on 2004/03/24 15:24:45 UTC

[users@httpd] New Intrusions

Dear List:

Has anyone seen the type of request below and if so, what is it trying to do
-- and how do you stop it (besides blocking the IP)?

The sample below is only about 1-5% of one single request. The error return
of course is 414 -- URL too long.

Thanks for any help!

220.163.175.92 - - [23/Mar/2004:23:34:57 -0600] "SEARCH
/\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb

Best regards,
Jack L. Stone,
Administrator

SageOne Net
http://www.sage-one.net
jackstone@sage-one.net

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] New Intrusions

Posted by "Eimantas \"EnC\" Vaičiūnas" <ei...@lietuvoje.lt>.
Hi

Jack L. Stone wrote:

>Dear List:
>
>The sample below is only about 1-5% of one single request. The error return
>of course is 414 -- URL too long.
>  
>
No wonder :)

>Thanks for any help!
>
>220.163.175.92 - - [23/Mar/2004:23:34:57 -0600] "SEARCH
>/\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
>1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
>2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
>1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
>2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
>1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
>  
>
Seems to me like shellcode. Though could the attacker be THAT stupid? I 
get some 'too-long-URIs' when using phpMyAdmin, but at least I can read 
some of the URL there.

>Best regards,
>Jack L. Stone,
>Administrator
>
>SageOne Net
>http://www.sage-one.net
>jackstone@sage-one.net
>  
>
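
The request quoted in this thread shows three traits in the access log: the SEARCH method, a URI made almost entirely of `\xNN` escapes, and a 414 status. The sketch below is an added example, not code from either poster or from the Apache project; it flags those traits in common-log-format lines, and the expected-method set, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(.*)" (\d{3}) \S+$')
ESCAPE_RE = re.compile(r'\\x[0-9a-fA-F]{2}')  # how the log renders raw bytes
# Assumption: the methods this site really serves; adjust per deployment.
EXPECTED_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}

def classify(line, escape_ratio=0.5, min_len=64):
    """Return (host, reasons) for a suspicious log line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # not a parseable common-log line
    host, request, status = m.groups()
    method, _, rest = request.partition(" ")
    # A rejected request line may have no trailing protocol token.
    uri = rest.rsplit(" ", 1)[0] if " HTTP/" in rest else rest
    reasons = []
    if method not in EXPECTED_METHODS:
        reasons.append("unexpected-method:" + method)
    # Each \xNN escape occupies four characters of the logged URI.
    escaped_chars = 4 * len(ESCAPE_RE.findall(uri))
    if len(uri) >= min_len and escaped_chars / len(uri) >= escape_ratio:
        reasons.append("binary-uri")
    if status == "414":
        reasons.append("uri-too-long")
    return (host, reasons) if reasons else None

def scan(lines):
    """Classify every line and keep only the suspicious ones."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (documentation addresses, not taken from the thread).
SAMPLE = [
    '192.0.2.10 - - [23/Mar/2004:23:34:57 -0600] "SEARCH /\\x90'
    + '\\x02\\xb1' * 40 + '" 414 335',
    '198.51.100.7 - - [23/Mar/2004:23:35:10 -0600] '
    '"GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [23/Mar/2004:23:36:02 -0600] "GET /phpMyAdmin/sql.php?'
    + 'a=1&' * 30 + ' HTTP/1.1" 414 335',
]

if __name__ == "__main__":
    for host, reasons in scan(SAMPLE):
        print(host, ",".join(reasons))
```

The third sample line is a readable over-long URI of the kind mentioned in the reply: it is reported only as `uri-too-long`, which separates it from the binary SEARCH request.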
