Re: I think I've been cracked, please check out.

From: Bill Unruh (unruh@string.physics.ubc.ca)
Date: 02/22/03


    Amir Hardon <hardon*antispam-remove*@actcom.co.il> writes:

    ]I have apache 1.3.27 on an up to date redhat machine.
    ]I found the following line in my apache access_log:
    ]165.76.68.202 - - [18/Feb/2003:13:54:19 +0200] "GET
    ]/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
    ]HTTP/1.0" 400 326 "-" "-"

    ]I sent a similar request and that was its log:

    ]127.0.0.1 - - [21/Feb/2003:23:58:07 +0200] "GET
    ]/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%25u9090%25u6858%25ucbd3%25u7801%25u9090%25u6858%25ucbd3%25u7801%25u9090%25u6858%25ucbd3%25u7801%25u9090%25u9090%25u8190%25u00c3%25u0003%25u8b00%25u531b%25u53ff%25u0078%25u0000%25u00=a
    ]HTTP/1.0" 404 279 "-" "Wget/1.8.2"

    ]Note that the original request was answered with a 400 error and my request
    ]was answered with a 404;
    ]another weird thing is that the original requests do not go into the
    ]error_log!
    ]I haven't found any CVE about such an exploit...
    ]The only difference that can be between the requests is a different header.
    ]Have I been cracked? (My network connection is very slow lately and I am a
    ]bit worried; communication has become very slow.)

    KLEZ -- attempting to do a buffer overflow attack on a Microsoft Web
    server. Do you run a Microsoft web server? If not, do not worry.
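
An added example, not part of the original thread: a small Python triage script that finds requests shaped like the one quoted above in an Apache combined-format access log and reports the status each one received, plus whether the `%u` sequences arrived raw or with `%` re-encoded as `%25` as in the poster's Wget replay. The sample lines are constructed and shortened, the 192.0.2.x addresses are placeholders, and the function names are this example's own.

```python
import re

# Apache combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>[^" ]+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Request shape from the post: /default.ida? then a long run of one filler letter.
PROBE_RE = re.compile(r'^/default\.ida\?(?P<fill>([A-Za-z])\2{15,})(?P<rest>.*)$', re.I)

def classify(line):
    """Return a finding dict for a probe-shaped request, or None for anything else."""
    m = LOG_RE.match(line.strip())
    p = PROBE_RE.match(m["target"]) if m else None
    if not p:
        return None
    rest = p["rest"].lower()
    if "%25u" in rest:
        encoding = "re-encoded"  # '%' itself arrived escaped as %25 (the Wget replay)
    elif "%u" in rest:
        encoding = "raw"         # %uXXXX sequences sent as-is (the remote request)
    else:
        encoding = "none"
    status = int(m["status"])
    return {"host": m["host"], "time": m["time"], "status": status,
            "encoding": encoding, "agent": m["agent"],
            "served": 200 <= status < 300}  # False for the 400/404 error replies

def triage(lines):
    """Classify every line and keep only the probe-shaped requests."""
    return [f for f in map(classify, lines) if f]

# Constructed sample lines: filler shortened, 192.0.2.x are documentation addresses.
FILL = "N" * 40
SAMPLE = [
    f'192.0.2.10 - - [18/Feb/2003:13:54:19 +0200] "GET /default.ida?{FILL}'
    '%u9090%u6858=a HTTP/1.0" 400 326 "-" "-"',
    f'127.0.0.1 - - [21/Feb/2003:23:58:07 +0200] "GET /default.ida?{FILL}'
    '%25u9090%25u6858=a HTTP/1.0" 404 279 "-" "Wget/1.8.2"',
    '192.0.2.11 - - [21/Feb/2003:23:59:01 +0200] "GET /index.html HTTP/1.0" '
    '200 1043 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        verdict = "SERVED, investigate" if f["served"] else "not served"
        print(f'{f["time"]} {f["host"]} status={f["status"]} '
              f'encoding={f["encoding"]} agent={f["agent"]!r} -> {verdict}')
```

Feeding it the lines of a real `access_log` instead of `SAMPLE` lists every such request with its status, so any that did not end in an error reply stands out.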


