Re: Unknown entry in Apache log

From: David (davidwnh_at_adelphia.net)
Date: 08/31/03


Date: Sun, 31 Aug 2003 18:34:49 GMT

It looks like assembly code that is probably meant to try to exploit some
buffer overflow or other vulnerability known in specific versions of a
webserver on a specific OS platform. Might be from a canned script or
specifically targeted. Do you have any other log entries which might
indicate someone trying to fingerprint the machine or webserver? Or is this
seemingly random?

Your server returned a 400 error, so by itself this is not a problem. If you
find more evidence that this IP is fingerprinting or trying a variety of
exploits, you can always filter the IP address. In any case, keep the server
up to date and do some research on this type of exploit. There are some
precautions you can take in addition to OS and application patches to
further protect your system from these types of exploits.
>>
>> 200.154.128.74 - - [24/Aug/2003:18:50:39 -0400]
>> "\x92X\xf1\xef\xeb\xdf4\x86\b\t X" 400 -
>>
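
The check suggested in the reply above (does the same client show other odd requests, and were they rejected), as an added example that is not part of the original post: a Python sketch that groups access-log lines by client and counts malformed or binary request lines. Every entry in `SAMPLE_LOG` except the first is constructed, and the function names and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Common Log Format: host ident user [time] "request" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "((?:[^"\\]|\\.)*)" (\d{3}) \S+')
# Well-formed request line: METHOD SP target SP HTTP/x.y
REQUEST_RE = re.compile(r'^[A-Z]+ \S+ HTTP/\d\.\d$')
# Non-printable request bytes show up as \xhh escapes, as in the quoted entry
ESCAPED_BYTE_RE = re.compile(r'\\x[0-9a-fA-F]{2}')

SAMPLE_LOG = [
    # Entry quoted in the post above, joined onto one line
    r'200.154.128.74 - - [24/Aug/2003:18:50:39 -0400] "\x92X\xf1\xef\xeb\xdf4\x86\b\t X" 400 -',
    # Constructed entries using documentation-range addresses
    r'192.0.2.10 - - [24/Aug/2003:19:01:02 -0400] "HEAD / HTTP/1.0" 200 -',
    r'192.0.2.10 - - [24/Aug/2003:19:01:03 -0400] "OPTIONS * HTTP/1.0" 200 -',
    r'192.0.2.10 - - [24/Aug/2003:19:01:05 -0400] "\x00\x01\x02" 400 -',
    r'192.0.2.10 - - [24/Aug/2003:19:01:06 -0400] "GET" 400 -',
    r'198.51.100.7 - - [24/Aug/2003:19:02:00 -0400] "GET /index.html HTTP/1.1" 200 1043',
]

def summarize(lines):
    """Per client: total requests, binary and malformed request lines, statuses seen."""
    hosts = defaultdict(lambda: {"total": 0, "binary": 0, "malformed": 0, "statuses": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        host, request, status = m.groups()
        entry = hosts[host]
        entry["total"] += 1
        entry["statuses"].add(int(status))
        if ESCAPED_BYTE_RE.search(request):
            entry["binary"] += 1
        if not REQUEST_RE.match(request):
            entry["malformed"] += 1
    return dict(hosts)

def repeat_probers(summary, threshold=2):
    """Clients with at least `threshold` malformed requests: candidates for filtering."""
    return sorted(h for h, s in summary.items() if s["malformed"] >= threshold)

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for host, stats in sorted(summary.items()):
        print(host, stats)
    print("repeat probers:", repeat_probers(summary))
```

A client that appears once with a single rejected request, like the quoted entry, stays below the threshold; one that mixes method probing with malformed requests is listed.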


