Re: Strange log in Apache after webdav-like exploit
From: Robin (robin_at_kallisti.net.nz)
Date: 07/14/04
- Previous message: Frank Knobbe: "Re: Interesting webserver intrusion (apache 1.3.31, mod_ssl 2.8.18, php 4.3.7)"
- In reply to: Sebastien Millet: "Strange log in Apache after webdav-like exploit"
- Next in thread: Sebastien Millet: "Re: Strange log in Apache after webdav-like exploit"
- Reply: Sebastien Millet: "Re: Strange log in Apache after webdav-like exploit"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: incidents@securityfocus.com
Date: Wed, 14 Jul 2004 14:37:26 +1200
On Tue, 13 Jul 2004 10:42, Sebastien Millet wrote:
> Today I had two of these in my access_log:
>
> xx.xx.xxx.xx - - [12/Jul/2004:22:29:32 +0200] "SEARCH
> /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
> 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
> (...)
> \xb1\x02\xb1\x02\xb1\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x
> 90\x90\x90\x9 0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
> (...)
>
> So far, it's the classical webdav exploit, but the end is quite
> strange:
>
> (...)
> \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9
> 0\x90\x90\x90\ x90\x90\x90\x90\x90\x90\x90\x90\x90\x90me - west British
> Columbia</option><option value=\"America/ Whitehorse\"
>
> >Canada/Whitehorse Pacific Time - south Yukon</option><option
> >value=\"America/Winnipe
>
> g\" >Canada/Winnipeg Central Time - Manitoba & west
> Ontario</option><option value=\"America/Yellow knife\"
>
> >Canada/Yellowknife Mountain Time
I got a spate of these a while back, but haven't noticed them for a while. The
content of the non-encoded part of the request tended to be a piece of HTML
that was located somewhere on the site (although, now you mention it, it is
quite likely to have been something generated with PHP). I checked to see if
the same IP addresses had accessed anything else on the site, perhaps having
the content in a buffer or something, but that came back negative. I ended up
not getting any further with it, got busy, and forgot about it. Didn't
consider it could be an apache issue.
Anyway, I would have seen it on around apache versions 2.0.47-ish. I haven't
noticed it on 2.0.50 (I still get the \0x90 parts, but not the content at the
end.) PHP version around 4.3.7. I could do a more comprehensive look at when
I saw what in the logs versus what versions of apache and PHP I was running
at the time, if deemed useful.
--
Robin <robin@kallisti.net.nz> JabberID: <eythian@jabber.org>
Hostes alienigeni me abduxerunt. Qui annus est?
PGP Key 0x776DB663 = DD10 5C62 1E29 A385 9866 0853 CD38 E07A 776D B663
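A defender-side check of the kind Robin describes, added here as an example and not part of the thread: it parses Apache access_log lines, flags requests carrying a run of escaped \x90 NOP bytes, pulls out whatever readable text trails the sled (the HTML fragment the thread is about), and lists the other requests each sending IP made. The log lines and IP addresses are constructed for the example, not taken from the thread.

```python
import re
from collections import defaultdict

# Apache logs non-printable request bytes as literal "\xNN" text, so a NOP sled
# in the SEARCH request shows up in access_log as a long run of "\x90".
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>(?:[^"\\]|\\.)*)"')
ESCAPED_BYTE = re.compile(r'\\x[0-9a-fA-F]{2}')
NOP_RUN = re.compile(r'(?:\\x90){8,}')  # eight or more escaped NOPs in a row

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    method, _, rest = m.group('req').partition(' ')
    proto = re.search(r' HTTP/\d\.\d$', rest)
    uri = rest[:proto.start()] if proto else rest  # request target without protocol
    return {'ip': m.group('ip'), 'method': method, 'uri': uri}

def classify(entry):
    """Return (is_sled, tail): tail is the readable text after the last escaped byte."""
    uri = entry['uri']
    if not NOP_RUN.search(uri):
        return False, ''
    last = None
    for m in ESCAPED_BYTE.finditer(uri):
        last = m
    return True, uri[last.end():].strip()

def analyze(lines):
    """Collect sled hits and, per sending IP, every other request it made."""
    hits, other = [], defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        is_sled, tail = classify(e)
        if is_sled:
            hits.append((e['ip'], e['method'], tail))
        else:
            other[e['ip']].append(e['uri'])
    # Robin's check: did the sled senders fetch anything else from the site?
    return hits, {ip: other.get(ip, []) for ip, _, _ in hits}

# Constructed sample lines (not from the thread); the sled is shortened.
SLED = '\\x90' * 12
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jul/2004:22:29:32 +0200] "SEARCH /' + SLED + 'me - west British Columbia</option><option value=\\"America/Whitehorse\\"" 414 0',
    '192.0.2.20 - - [12/Jul/2004:22:30:01 +0200] "GET /index.php HTTP/1.1" 200 1234',
    '192.0.2.20 - - [12/Jul/2004:22:30:05 +0200] "SEARCH /' + SLED + ' HTTP/1.1" 414 0',
]
```

Running analyze(SAMPLE_LOG) reports two sled requests, the first with the trailing HTML tail and the second without, and shows that only the second sender also fetched a normal page.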