Re: Apache attacks
From: Micheal Cottingham (security_at_michealcottingham.com)
Date: 01/28/05
- Previous message: Paris E. Stone: "RE: RPC over HTTP security"
- In reply to: Bernie Johnson: "Re: Apache attacks"
- Next in thread: bernie_at_e-mich.com: "Re: Apache attacks"
Date: Thu, 27 Jan 2005 20:42:53 -0500
To: Bernie Johnson <bernie@e-mich.com>
SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1 ...
Did it look something like that? (noop sled follows somewhere in there).
If so, http://indrayam.com/archives/security/000239.php is what I found
a few days ago when I had a user asking for information on this. Seems
to be an IIS exploit making rounds again from 2003. Figured I might as
well do something resembling usefulness on this list as I too have been
a long time reader. :P
Bernie Johnson wrote:
>Kenny,
>
>Look at www.rfxnetworks.com and get APF, BFD and look at the other
>scripts there. This should do what you want and need.
>
>B. Johnson
>
>
>
>On Wed, 2005-01-26 at 15:56, Kenny wrote:
>
>
>>Hi List,
>>
>>Long time reader, first time poster...
>>
>>My server crashed yesterday and I had to restart it, to get it going
>>again. Now everything seems ok, however looking at my
>>/var/log/httpd/access_log.1 shows a visitor to the website posting some
>>big chunks of exploit code (containing a massive nop sled).
>>How do I know if this attacker actually got in or not?
>>
>>This is a redhat fedora core 2 box, and I would describe myself as an
>>"intermediate" linux user.
>>
>>Also, has anyone got any scripts that can detect attacks against apache
>>and ban the ip for a period of time?
>>
>>I will post the exploit on request.
>>
>>Thanks, Kenny
>>
>>
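
An added example, not part of the original thread: a log check for the request shape quoted in this message (the SEARCH method followed by a run of `\xhh`-escaped bytes), counted per client IP in an Apache access log. The threshold `MIN_ESCAPED`, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Common/combined log prefix: client, ident, user, [time], "request", status, size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>.*)" (?P<status>\d{3}) \S+'
)
# Apache writes non-printable request bytes to the log as \xhh escapes.
ESCAPED_BYTE = re.compile(r'\\x[0-9a-fA-F]{2}')
MIN_ESCAPED = 8  # assumed threshold; tune against your own traffic


def classify(line):
    """Return a dict describing one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    request = m.group("request")
    method = request.split(" ", 1)[0]
    escaped = len(ESCAPED_BYTE.findall(request))
    return {
        "ip": m.group("ip"),
        "method": method,
        "status": int(m.group("status")),
        "escaped": escaped,
        "suspicious": method == "SEARCH" and escaped >= MIN_ESCAPED,
    }


def suspects(lines):
    """Count matching requests per client IP."""
    hits = Counter()
    for line in lines:
        rec = classify(line)
        if rec and rec["suspicious"]:
            hits[rec["ip"]] += 1
    return hits


# Constructed sample lines (documentation addresses, made-up statuses and sizes).
SAMPLE = [
    r'203.0.113.7 - - [26/Jan/2005:15:40:01 -0500] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1" 414 340',
    r'203.0.113.7 - - [26/Jan/2005:15:40:09 -0500] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1" 414 340',
    r'198.51.100.20 - - [26/Jan/2005:15:41:12 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    r'198.51.100.21 - - [26/Jan/2005:15:42:30 -0500] "SEARCH /docs/ HTTP/1.1" 405 312',
]

if __name__ == "__main__":
    for ip, count in suspects(SAMPLE).most_common():
        print(f"{ip}\t{count} SEARCH request(s) with escaped binary payload")
```

The per-IP counts are a starting point for a block list or for correlating with the time of a crash; the logged status code alone does not show whether a request had any effect on the server.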