Re: strange logs

From: Dave Dearinger (daved_at_mdon-line.com)
Date: Fri, 09 Jul 2004 11:44:23 -0700
To: security-basics@securityfocus.com

  • Next message: Jared Rowling: "Anti-Virus on web facing servers??"


    from: http://www.httpsniffer.com/http/100415.htm
    10.4.15 414 Request-URI Too Long

    The server is refusing to service the request because the Request-URI is
    longer than the server is willing to interpret. This rare condition is only
    likely to occur when a client has improperly converted a POST request to a
    GET request with long query information, when the client has descended into
    a URI "black hole" of redirection (e.g., a redirected URI prefix that
    points to a suffix of itself), or when the server is under attack by a
    client attempting to exploit security holes present in some servers using
    fixed-length buffers for reading or manipulating the Request-URI.

    -Dave Dearinger
    -Network Administrator
    -MD-Online Inc.
    -daved@mdon-line.com
    -1-888-397-3434
    =============================
    Email Confidentiality Notice: The information contained in this
    transmission is confidential, proprietary or privileged and may be subject
    to protection under the law, including the Health Insurance Portability and
    Accountability Act (HIPAA). The message is intended for the sole use of the
    individual or entity to whom it is addressed. If you are not the intended
    recipient, you are notified that any use, distribution or copying of the
    message is strictly prohibited and may subject you to criminal or civil
    penalties. If you received this transmission in error, please contact the
    sender immediately by replying to this email and delete the material from
    any computer.

    At 07:18 PM 7/8/2004 -0400, jpc wrote:
    >Has anyone seen this error (see below) in the Apache log?
    >It appears someone is trying to mess with my server.
    >Notice how the IP changes from 69.209.152.51 to 69.192.139.207 -- this may
    >be two different people, I guess.
    >The first IP is using the same provider as I am. My IP was 69.209.152.xxx at
    >the time.
    >This has been happening since the 4th.
    >Any ideas? I googled the error message and couldn't find much.
    >
    >Here is some info on the IPs:
    >
    >nmap 69.209.152.51
    >
    >Starting nmap 3.45 ( http://www.insecure.org/nmap/ )
    >at 2004-07-08 15:54 EDT
    >Interesting ports on adsl-69-209-152-51.dsl.sfldmi.ameritech.net
    >(69.209.152.51):
    >(The 1650 ports scanned but not shown below are in state: closed)
    >PORT STATE SERVICE
    >113/tcp open auth
    >135/tcp filtered msrpc
    >139/tcp filtered netbios-ssn
    >445/tcp filtered microsoft-ds
    >559/tcp open teedtap
    >1025/tcp filtered NFS-or-IIS
    >5000/tcp open UPnP
    >
    >
    >nmap 69.192.139.207
    >
    >Starting nmap 3.45 ( http://www.insecure.org/nmap/ )
    >at 2004-07-08 16:04 EDT
    >Interesting ports on CPE001095ca02cb-CM0010954a02cb.cpe.net.cable.rogers.com
    >(69.192.139.207):
    >(The 1642 ports scanned but not shown below are in state: closed)
    >PORT STATE SERVICE
    >80/tcp open http
    >113/tcp open auth
    >135/tcp filtered msrpc
    >137/tcp filtered netbios-ns
    >138/tcp filtered netbios-dgm
    >139/tcp filtered netbios-ssn
    >445/tcp filtered microsoft-ds
    >641/tcp open unknown
    >665/tcp open unknown
    >1025/tcp open NFS-or-IIS
    >1080/tcp filtered socks
    >1214/tcp open fasttrack
    >1434/tcp filtered ms-sql-m
    >3531/tcp open peerenabler
    >5000/tcp open UPnP
    >
    >
    >I went to the site 69.192.139.207 with my browser and a blank page appeared.
    >There seems to be a web server running on it. So I tried this...
    >
    >telnet 69.192.139.207 80
    >Trying 69.192.139.207...
    >Connected to 69.192.139.207.
    >Escape character is '^]'.
    >GET index.htm
    >HTTP/1.0 501 Not Implemented
    >X-Kazaa-Username: Babie_Gurl
    >X-Kazaa-Network: KaZaA
    >X-Kazaa-IP: 69.192.139.207:2692
    >X-Kazaa-SupernodeIP: 69.70.73.172:2215
    >
    >Who the hell is Babie_Gurl??? :)
    >
    >root@www:/var/log/apache# tail -f error_log | grep -v 'x90'
    >
    >[Thu Jul 8 15:19:36 2004] [error] [client 69.209.152.51] request failed: URI too long
    >[Thu Jul 8 15:22:44 2004] [error] [client 69.209.152.51] request failed: URI too long
    >[Thu Jul 8 15:30:55 2004] [error] [client 69.209.152.51] request failed: URI too long
    >[Thu Jul 8 15:33:39 2004] [error] [client 69.209.152.51] request failed: URI too long
    >[Thu Jul 8 15:37:05 2004] [error] [client 69.209.152.51] request failed: URI too long
    >[Thu Jul 8 15:41:01 2004] [error] [client 69.209.152.51] request failed: URI too long
    >[Thu Jul 8 15:41:26 2004] [error] [client 69.209.152.51] request failed: URI too long
    >[Thu Jul 8 15:43:17 2004] [error] [client 69.209.152.51] request failed: URI too long
    >[Thu Jul 8 15:47:41 2004] [error] [client 69.192.139.207] request failed: URI too long
    >[Thu Jul 8 15:49:56 2004] [error] [client 69.209.152.51] request failed: URI too long
    >[Thu Jul 8 15:53:34 2004] [error] [client 69.209.152.51] request failed: URI too long
    >[Thu Jul 8 15:54:02 2004] [error] [client 69.209.152.51] request failed: URI too long
    >
    >root@www:/var/log/apache# tail -f error_log | grep -v 'x90'
    >[Thu Jul 8 15:30:55 2004] [error] [client 69.209.152.51] request failed: URI too long
    >[Thu Jul 8 15:33:39 2004] [error] [client 69.209.152.51] request failed: URI too long
    >[Thu Jul 8 15:37:05 2004] [error] [client 69.209.152.51] request failed: URI too long
    >[Thu Jul 8 15:41:01 2004] [error] [client 69.209.152.51] request failed: URI too long
    >[Thu Jul 8 15:41:26 2004] [error] [client 69.209.152.51] request failed: URI too long
    >[Thu Jul 8 15:43:17 2004] [error] [client 69.209.152.51] request failed: URI too long
    >[Thu Jul 8 15:47:41 2004] [error] [client 69.192.139.207] request failed: URI too long
    >[Thu Jul 8 15:49:56 2004] [error] [client 69.209.152.51] request failed: URI too long
    >[Thu Jul 8 15:53:34 2004] [error] [client 69.209.152.51] request failed: URI too long
    >[Thu Jul 8 15:54:02 2004] [error] [client 69.209.152.51] request failed: URI too long
    >[Thu Jul 8 15:58:41 2004] [error] [client 69.209.152.51] request failed: URI too long
    >[Thu Jul 8 15:58:53 2004] [error] [client 69.209.152.51] request failed: URI too long


