is this an attack attempt?

Aaron Howell aaron at kitten.net.au
Sun Jun 9 20:29:33 EDT 2002


It's an attack attempt all right, but nothing you need to worry about.
It's an attempt to exploit a buffer overflow (of which there are thousands) in Internet Information Services (the default Windows web server).
It is likely that the person (or persons) launching this attack are simply scanning for any open web server and then trying that query,
the fact that you're running Linux, not Windows, and are thus immune probably isn't important to them.
The best way of dealing with activity like this is to cut the relevant bits of your log out,
find out the ISP that owns the block of IPs from which the attack originates,
and send your logs (along with your timezone so they can match against their records) to abuse at that.isp.
That's usually enough to get the offenders' account shut down.
Regards
Aaron
On Sun, Jun 09, 2002 at 07:09:32PM -0500, Gregory Nowak wrote:
> Hi all,
> 
> I've noticed a small number of entries like the one below in my /var/log/apache/access_log file. In the below sample, "x.x.x.x" represents the IP address.
> 
> 
> x.x.x.x - - [09/Jun/2002:18:54:52 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 400 334
> 
> 
> Is someone or actually a group of people trying to compromise my web server? Is it possible to tell from the above log entry how they are trying to compromise Apache? Thanks.
> Greg
> 
> 

-- 
     +----------------------------------------------------------+
    /             |\      _,,,---,,_                           /|
   /              /,`.-'`'    -.  ;-;;,_                      / |
  /              |,4-  ) )-,_. ,\ (  `'-'                    /  |
 /             '---''(_/--'  `-'\_)                         /   |
+----------------------------------------------------------+    |
| Aaron Howell                  Kitten Internet            |    |
| aaron at kitten.net.au           Internet consultancy,      |    |
| Phone: +61-417-625550         System administration,     |    |
| fax: +61-7-36010099           system design/integration. |    |
| icq: 6715521                  http://www.kitten.net.au   |    |
|                                                          |    |
|                                                          |    +
|                                                          |   /
|                                                          |  /
|                                                          | /
|                                                          |/
+----------------------------------------------------------+
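
The log-trimming step suggested in the reply above, as an added example that is not part of the original thread: it pulls the /default.ida overflow probes out of an Apache access log and groups them by source address, keeping the UTC offset on each timestamp so the ISP can match its own records. The function names, the 100-character filler threshold and the sample lines (documentation-range addresses, shortened payload) are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common log format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')
# Shape of the request in the post: /default.ida, a long run of one filler
# character (assumed threshold: 100), then %uXXXX-encoded words.
PROBE = re.compile(r'^GET /default\.ida\?(.)\1{99,}(?:%u[0-9a-fA-F]{4})+', re.I)

def find_probes(lines):
    """Return {source_ip: [(timestamp, status, raw_line), ...]} for probe requests."""
    hits = defaultdict(list)
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue  # not in common log format, skip
        host, when, request, status, _size = m.groups()
        if PROBE.match(request):
            ts = datetime.strptime(when, "%d/%b/%Y:%H:%M:%S %z")
            hits[host].append((ts, int(status), line.strip()))
    return dict(hits)

def abuse_report(hits):
    """One plain-text section per source IP, timestamps in ISO 8601 with offset."""
    out = []
    for host in sorted(hits):
        out.append(f"Source {host}: {len(hits[host])} request(s)")
        for ts, status, raw in sorted(hits[host]):
            out.append(f"  {ts.isoformat()} status={status}")
            out.append(f"  {raw}")
    return "\n".join(out)

# Constructed sample lines; the payload is shortened from the one in the post.
_PAYLOAD = "N" * 224 + "%u9090%u6858%ucbd3%u7801=a"
SAMPLE = [
    f'192.0.2.10 - - [09/Jun/2002:18:54:52 -0500] "GET /default.ida?{_PAYLOAD}  HTTP/1.0" 400 334',
    '198.51.100.7 - - [09/Jun/2002:18:55:01 -0500] "GET /index.html HTTP/1.0" 200 1024',
    '198.51.100.7 - - [09/Jun/2002:18:55:09 -0500] "GET /default.ida?x=1 HTTP/1.0" 404 280',
    f'192.0.2.10 - - [09/Jun/2002:19:02:17 -0500] "GET /default.ida?{_PAYLOAD}  HTTP/1.0" 400 334',
]

if __name__ == "__main__":
    print(abuse_report(find_probes(SAMPLE)))
```
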






