Re: I think I've been cracked, please check out.

From: Bill Unruh (unruh@string.physics.ubc.ca)
Date: 02/22/03

    From: unruh@string.physics.ubc.ca (Bill Unruh)
    Date: 22 Feb 2003 04:11:05 GMT
    
    

    Amir Hardon <hardon*antispam-remove*@actcom.co.il> writes:

    ]I have apache 1.3.27 on an up to date redhat machine.
    ]I found the following line in my apache access_log:
    ]165.76.68.202 - - [18/Feb/2003:13:54:19 +0200] "GET
    ]/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
    ]HTTP/1.0" 400 326 "-" "-"

    ]I sent a similar request and that was its log:

    ]127.0.0.1 - - [21/Feb/2003:23:58:07 +0200] "GET
    ]/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%25u9090%25u6858%25ucbd3%25u7801%25u9090%25u6858%25ucbd3%25u7801%25u9090%25u6858%25ucbd3%25u7801%25u9090%25u9090%25u8190%25u00c3%25u0003%25u8b00%25u531b%25u53ff%25u0078%25u0000%25u00=a
    ]HTTP/1.0" 404 279 "-" "Wget/1.8.2"

    ]Note that the original request was answered with a 400 error and my request
    ]was answered with a 404,
    ]another weird thing is that the original requests did not go into the
    ]error_log!
    ]I haven't found any CVE about such an exploit...
    ]The only difference that can be between the requests is a different header.
    ]Have I been cracked? (My network connection is very slow lately and I am a
    ]bit worried) communication has become very slow).

    KLEZ -- attempting to do a buffer overflow attack on a Microsoft Web
    server. Do you run a Microsoft web server? If not, do not worry.
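
One way to triage entries like the two quoted above, as an added example that is not part of the original thread: it parses Apache access_log lines, flags `.ida` requests that carry a long padding run plus `%uXXXX` words, and reports the status code and whether the `%` arrived raw or re-encoded as `%25` (as in the Wget replay). The function names, the 32-character padding threshold and the shortened sample lines are assumptions made for this sketch.

```python
import re
from urllib.parse import urlsplit

# Apache common/combined log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
FILLER_RE = re.compile(r'(.)\1{31,}')         # assumption: 32+ repeats of one char = padding
RAW_U_RE = re.compile(r'%u[0-9a-fA-F]{4}')    # %uXXXX exactly as sent on the wire
ENC_U_RE = re.compile(r'%25u[0-9a-fA-F]{4}')  # '%' re-encoded to %25 by the client

def classify(line):
    """Return a finding dict for an .ida overflow probe, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m['target'])               # splits path/query without decoding them
    if not url.path.lower().endswith('.ida'):
        return None
    raw, enc = RAW_U_RE.findall(url.query), ENC_U_RE.findall(url.query)
    if not FILLER_RE.search(url.query) or not (raw or enc):
        return None
    status = int(m['status'])
    return {
        'host': m['host'],
        'status': status,
        'encoding': 'raw' if raw else 'double-encoded',
        'u_words': len(raw or enc),
        # A 4xx status means this server rejected or did not find the resource.
        'served': 200 <= status < 400,
    }

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample lines, shortened from the log entries quoted in the thread.
SAMPLE = [
    '165.76.68.202 - - [18/Feb/2003:13:54:19 +0200] "GET /default.ida?' + 'N' * 64
    + '%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 400 326 "-" "-"',
    '127.0.0.1 - - [21/Feb/2003:23:58:07 +0200] "GET /default.ida?' + 'N' * 64
    + '%25u9090%25u6858%25ucbd3%25u7801%25u00=a HTTP/1.0" 404 279 "-" "Wget/1.8.2"',
    '192.0.2.7 - - [21/Feb/2003:23:59:01 +0200] "GET /index.html HTTP/1.0" 200 1043 "-" "-"',
]

if __name__ == '__main__':
    for finding in scan(SAMPLE):
        print(finding)
```

The `encoding` field shows that the replayed request was not byte-identical to the original, which is worth checking before comparing the two status codes.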