Re: [security-elvandar] "access_log?hello" ?

From: Remko Lodder (remko_at_elvandar.org)
Date: 07/28/03

  • Next message: Harlan Carvey: "Re: Is this enough to identify this by?" 
    Date: Mon, 28 Jul 2003 00:19:28 +0200
To: Salvatore Poliandro <jello@vanished.net>

    Hi,

    It could be an overflow attack to the access_log script which he/she
    believes exists.
    With that he might get access to some logging OR access to the webserver
    (executing commands as
    the webserver user) how he/she is going to do that, i don' know, but
    it's an option (:

    Also notice that it's a HEAD request instead of the normal GET/POST
    requests..
    perhaps that can give some more detail?
    Going to try and find something tommorrow (it's past twelve here) but
    have a busy schedule
    so dont promise anything

    Cheers 

    --
Kind regards,
Remko Lodder
Elvandar.org/DSINet.org
www.mostly-harmless.nl Dutch community for helping newcomers on the hackerscene
Salvatore Poliandro wrote:
>-- OM--
>From: "Remko Lodder" <remko@elvandar.org>
>Subject: Re: [security-elvandar] "access_log?hello" ?
>  
>
>>I dont recognise this as a particular script that is running against
>>your host.
>>Although it could be a custom made script that just sends a lot of
>>characters (or a lot of hello's)
>>to your host, trying to overflow it.
>>
>>My best guess is that it's the overflow option,
>>But i am interested now.. so when anyone else has a opinion...
>>    
>>
>
>An Overflow to accomplish what? I see no shellcode in that string, Other
>then crashing the web server on the other end, what could be its use?  Could
>It be a tool to look in the log files of webservers for previous
>compromises? http://www.analog.cx/ creates the product that makes the logs
>in the /logs/active/ I see no mention of any compromises in thier site.
>
>Sal
>
>  
>
---------------------------------------------------------------------------
----------------------------------------------------------------------------
  • Next message: Harlan Carvey: "Re: Is this enough to identify this by?"

    Relevant Pages

    • Re: C scripting (continued)
      ... Limited buffers could overflow ... Was the concern that buffers could overflow or that input sizes were ... I can still make the script delete my ...
      (comp.lang.c)
    • Re: [security-elvandar] "access_log?hello" ?
      ... I dont recognise this as a particular script that is running against ... to your host, trying to overflow it. ... My best guess is that it's the overflow option, ... Has anyone else this kind of requests? ...
      (Incidents)
    • Re: [security-elvandar] "access_log?hello" ?
      ... > I dont recognise this as a particular script that is running against ... > to your host, trying to overflow it. ... in the /logs/active/ I see no mention of any compromises in thier site. ...
      (Incidents)
    • arithmetic overflow issue, how do I turn checking off in a compiled code module?
      ... compiler = provider.CreateCompiler ... but my script fails with arithmetic overflows (it's a Perlin Noise ... dynamic script that my project compiles. ... How do I turn the overflow checking off for my compiled script? ...
      (microsoft.public.dotnet.languages.vb)