Re: [security-elvandar] "access_log?hello" ?

From: Remko Lodder (remko_at_elvandar.org)
Date: 07/27/03

    Date: Sun, 27 Jul 2003 20:36:51 +0200
    To: Christine Kronberg <Christine_Kronberg@genua.de>
    
    

    Hi,

    I don't recognise this as a particular script that is running against
    your host.
    Although it could be a custom-made script that just sends a lot of
    characters (or a lot of hellos)
    to your host, trying to overflow it.

    My best guess is that it's the overflow option,
    but I am interested now... so when anyone else has an opinion...

    Cheers

    Kind regards,

    Remko Lodder

    Christine Kronberg wrote:

    > Hi,
    >
    >
    > Checking the logfiles of my private webserver this morning I
    > see the following entries.
    > It looks like some playchild tried a buffer overflow but I
    > don't remember seeing anything connected to access_log files.
    > Google didn't help. Has anyone else this kind of requests?
    > Or an idea what the result of this request should be?
    >
    >12.221.111.178 - - [25/Jul/2003:12:40:29 +0200] "HEAD
    >/logs/access_log?hellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohello
    >HTTP/1.0" 404 -
    >12.221.111.178 - - [25/Jul/2003:12:40:29 +0200] "HEAD
    >/logs/active/access_log?hellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohello
    >HTTP/1.0" 404 -
    >12.221.111.178 - - [25/Jul/2003:12:40:30 +0200] "HEAD
    >/access_log?hellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohellohello
    >HTTP/1.0" 404 -
    >
    > Cheers,
    >
    >
    > Chris Kronberg.
    >
    >
    >
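A defensive triage for entries like the ones quoted above, as an added example that is not part of the original thread: it parses Common Log Format lines, flags requests that target log-file paths or carry a long query string made of one repeated token, and groups the hits by client. The function names, the 256-byte threshold, the log-name pattern and the sample entries (documentation addresses, 100 repeats, each entry rejoined onto one line) are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) (\S+)" (\d{3}) \S+$')
LOG_NAME = re.compile(r'(access|error)[_.]log$', re.I)  # assumed naming patterns

def repeated_unit(s, max_unit=16):
    """Shortest token of at most max_unit chars that s purely repeats, else None."""
    for n in range(1, min(max_unit, len(s) // 2) + 1):
        if len(s) % n == 0 and s[:n] * (len(s) // n) == s:
            return s[:n]
    return None

def inspect(line, min_query_len=256):
    """Return a finding dict for a suspicious request, or None."""
    m = CLF.match(line.strip())
    if not m:
        return None
    host, method, target, _proto, status = m.groups()
    url = urlsplit(target)
    reasons = []
    if LOG_NAME.search(url.path):
        reasons.append("log-file path")
    if len(url.query) >= min_query_len:
        unit = repeated_unit(url.query)
        reasons.append(f"{len(url.query)}-byte query"
                       + (f" repeating {unit!r}" if unit else ""))
    if not reasons:
        return None
    return {"host": host, "method": method, "path": url.path,
            "status": int(status), "reasons": reasons}

def scan(lines):
    """Group findings by client address so a probe sweep shows up as one cluster."""
    by_host = defaultdict(list)
    for line in lines:
        finding = inspect(line)
        if finding:
            by_host[finding["host"]].append(finding)
    return dict(by_host)

# Constructed sample entries (not taken from the post), one entry per line.
PAD = "hello" * 100
SAMPLE = [
    f'192.0.2.10 - - [25/Jul/2003:12:40:29 +0200] "HEAD /logs/access_log?{PAD} HTTP/1.0" 404 -',
    f'192.0.2.10 - - [25/Jul/2003:12:40:30 +0200] "HEAD /access_log?{PAD} HTTP/1.0" 404 -',
    '198.51.100.7 - - [25/Jul/2003:12:41:02 +0200] "GET /index.html?lang=en HTTP/1.0" 200 1042',
]
```

Calling `scan(SAMPLE)` returns one cluster for 192.0.2.10 with two findings; a 404 status on every hit, as in the quoted entries, means the probed paths did not exist on the server.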

