From owner-freebsd-questions Sat Aug 4 17:23:10 2001
From: Louis LeBlanc
To: questions@FreeBSD.ORG
Date: Sat, 4 Aug 2001 20:18:50 -0400
Subject: Re: Attempted Buffer Overrun in via httpd?
Message-ID: <20010804201849.A30510@acadia.ne.mediaone.net>
Reply-To: freebsd-questions@FreeBSD.ORG
User-Agent: Mutt/1.3.20i

I got about 100 of these sent to my webmaster account as 404 warnings before deciding to just block ports 80 and 443 for now. It's gotten to be a pain in the ass. Looks like M$ bugs us *nix enthusiasts even if we avoid them altogether :(

Check out the message I've attached; it shows pretty much the same request. I'm afraid to look at all the port 80 denials I'll be showing in my logs now!
Lou

On 08/04/01 12:23 PM, Jon Loeliger sat at the `puter and typed:
> Folks,
>
> I see a large number of httpd requests that look like this:
>
> 211.41.175.10 - - [03/Aug/2001:23:49:55 -0500] "GET /default.ida?NNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3
> %u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=
> a HTTP/1.0" 400 316 "-" "-"
>
> in my httpd access logs. This just smells like an attempted buffer
> overrun exploit at work.
>
> Anyone recognize it and know anything about it? Should I be worried?
> I'm running a current (right out of Ports) Apache here.
>
> Thanks,
> jdl
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
>

--
Louis LeBlanc leblanc@acadia.ne.mediaone.net
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://acadia.ne.mediaone.net

management, n.:
  The art of getting other people to do all the work.

[Attached message (message/rfc822)]

Received: (from nobody@localhost) by acadia.ne.mediaone.net (8.9.3/8.9.3) id KAA02193; Sat, 4 Aug 2001 10:03:37 -0400
Date: Sat, 4 Aug 2001 10:03:37 -0400
Message-Id: <200108041403.KAA02193@acadia.ne.mediaone.net>
To: webmaster@acadia.ne.mediaone.net
Subject: 404 Error Report
From: webmaster@acadia.ne.mediaone.net
Reply-To: webmaster@acadia.ne.mediaone.net
X-Mailer: PHP/4.0.4

404 Error Report

A 404 error was encountered by 65.96.250.172 on 8/4/2001 at 10:3.
The URI which generated the error is:
http://acadia.ne.mediaone.net/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

The referring page was:
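As an added example (not from anyone in the thread), the following Python scanner applies the pattern quoted above to Apache access-log lines: it parses the common log format, flags `/default.ida` requests whose query is a long filler run followed by `%u`-encoded words, counts hits per source address, and reports any such request that was not answered with a 4xx, since a stock Apache has no `.ida` handler and should always reject them. The embedded log lines are constructed from the one Jon quoted and from the 404 report; the function names are this example's own.

```python
import re
from collections import Counter

# Apache common/combined log line: host ident user [time] "request" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: (?P<proto>[^"]+))?" (?P<status>\d{3})'
)

# Probe signature as seen in the thread: /default.ida with a query made of a
# long filler run (N or X) followed by %uXXXX-encoded words.
IDA_RE = re.compile(r'^/default\.ida\?([NX]{8,})((?:%u[0-9a-fA-F]{4})+)', re.I)


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not CLF-shaped."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_ida_probe(uri):
    """True when the request URI matches the default.ida filler+%u pattern."""
    return IDA_RE.match(uri) is not None


def scan_access_log(lines):
    """Return (hits_per_source, non_4xx_probes, lines_parsed).

    Apache does not implement the .ida ISAPI extension, so every probe should
    show a 4xx status; anything else answered the probe and deserves a look.
    """
    hits, unexpected, parsed = Counter(), [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parsed += 1
        if is_ida_probe(rec["uri"]):
            hits[rec["host"]] += 1
            if not rec["status"].startswith("4"):
                unexpected.append((rec["host"], rec["status"]))
    return hits, unexpected, parsed


# Constructed sample lines modelled on the request quoted in the thread.
PAYLOAD = "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
SAMPLE_LOG = [
    '211.41.175.10 - - [03/Aug/2001:23:49:55 -0500] "GET /default.ida?' + "N" * 224 + PAYLOAD + ' HTTP/1.0" 400 316 "-" "-"',
    '65.96.250.172 - - [04/Aug/2001:10:03:37 -0400] "GET /default.ida?' + "X" * 224 + PAYLOAD + ' HTTP/1.0" 404 2041 "-" "-"',
    '10.0.0.5 - - [04/Aug/2001:10:05:00 -0400] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"',
    '211.41.175.10 - - [04/Aug/2001:10:06:12 -0400] "GET /default.ida?' + "N" * 224 + '%u9090%u6858 HTTP/1.0" 400 316 "-" "-"',
]

if __name__ == "__main__":
    hits, unexpected, parsed = scan_access_log(SAMPLE_LOG)
    print(f"parsed {parsed} lines; probes per source: {dict(hits)}; non-4xx: {unexpected}")
```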