Is this an overflow?
The Planet Forums > Security > General Security > UNIX Security
thedude
Just kinda curious if this is an attempt to overflow an app, or Apache.

Saw this while looking through access_log for Apache.

CODE
70.178.141.212 - - [26/Dec/2005:18:00:56 -0600] "SEARCH /x90x02xb1x02xb1x02xb1x02xb1x02xb1x02xb1x02xb1x02xb1x02xb1x02xb1x02xb1x02xb1x02xb1x02xb1x02xb1x02xb1x02xb1x02xb1x02xb1x02xb1x02xb1x02xb1x02xb1x02xb1x02xb1x02xb1x02xb1x02xb1x02xb1x02xb1x02xb1x02xb1x02xb1x02xb1x02xb1x02xb1x02xb1x02xb1x02xb1x02xb1x02xb1x02xb1x02xb


I know this was Dec of '05, but I'm curious if that is an attempted overflow, so I know what to look for next time if I have to.

It continues much longer in the log, I'd say for a good 100+ more lines.
TheUniverses
http://lists.sans.org/pipermail/list/2003-...ber/012720.html

Buffer overflow?
thedude
That's kinda what I was thinking; it never took anything down though.
Matt2k
It's a buffer overflow. If you look at the full SANS message, you can see the NOP slide. Although I doubt it would do anything. There doesn't seem to be a payload, and the values aren't URL encoded. The worst it would do is crash something.
kfukasawa
Nothin' like smashing the stack.
thedude
I've never really checked my access logs; it's amazing how many attempts I see at exploiting CGI, RPC, PHP scripts, etc.

It's a Linux box, and it's funny seeing stuff like

CODE
/search?NS-query-pat=................winntwin.ini HTTP/1.1" 404 -



Last time I checked, there's no win.ini on a RHEL box.

Thought this one was kinda funny.

CODE
GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 335


I'm glad I paid to have my box hardened, and all the webservers / software hardened.
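Added example, not from any poster in this thread: a small Python script that parses Apache access_log lines and flags the three kinds of request quoted above (the NOP-sled SEARCH request, the win.ini traversal probe, and the w00tw00t/DFind scanner hit). The sample lines, the 512-byte path threshold and the rule names are constructed for the example; the regexes accept both the forum's "x90x02" rendering and the "\x90\x02" form a raw log would show.

```python
import re

# Rules for the three request types quoted in this thread. The forum stripped the
# backslashes from the escaped bytes, so an optional backslash is accepted before each hex pair.
RULES = [
    ("nop_sled", re.compile(r'(\\?x90)(\\?x[0-9a-f]{2}){16,}', re.I)),
    ("win_ini_traversal", re.compile(r'(\.\.[/\\]|\.{4,}).*win\.ini', re.I)),
    ("dfind_scanner", re.compile(r'w00tw00t', re.I)),
]
MAX_PATH = 512  # assumed threshold: a request path this long is suspicious on its own

# Common log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" (?P<status>\d{3}) (?P<size>\S+)'
)

def classify(line):
    """Return (ip, [rule names]) for one access_log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    hits = [name for name, rx in RULES if rx.search(path)]
    if len(path) > MAX_PATH:
        hits.append("oversized_path")
    return m.group("ip"), hits

def scan(log_text):
    """Map each source IP to the set of rule names its requests triggered."""
    report = {}
    for line in log_text.splitlines():
        result = classify(line.strip())
        if result and result[1]:
            report.setdefault(result[0], set()).update(result[1])
    return report

# Constructed sample lines modelled on the ones quoted in the thread (not real traffic).
SAMPLE_LOG = (
    '70.178.141.212 - - [26/Dec/2005:18:00:56 -0600] "SEARCH /x90' + 'x02xb1' * 300 + ' HTTP/1.1" 414 -\n'
    '10.0.0.5 - - [26/Dec/2005:18:01:10 -0600] "GET /search?NS-query-pat=..\\..\\..\\winnt\\win.ini HTTP/1.1" 404 -\n'
    '10.0.0.6 - - [26/Dec/2005:18:02:30 -0600] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 335\n'
    '10.0.0.7 - - [26/Dec/2005:18:03:00 -0600] "GET /index.html HTTP/1.1" 200 1043\n'
)

if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_LOG).items():
        print(ip, sorted(hits))
```

Point it at a real log with `scan(open("/var/log/httpd/access_log").read())`; the benign GET on 10.0.0.7 produces no entry, which is the expected behaviour for normal traffic.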
TheUniverses
Good old mod_security, catches tons of these things on my server.
xenneo
I know this is a very, very late reply... but mod_security is an excellent tool! For those of you that need a good rule set, I recommend these:

http://www.gotroot.com/tiki-index.php?page..._security+rules

That doesn't cover everything, but it will help you get started.

Hope that helps some of you.
TheUniverses
Yea, it is a great application firewall.
They just released 2.0 and I'm actually in the process of upgrading from 1.9.
doc
How do I check my access logs?

Also is there a script to install mod_security like ELS or APF? Those were simple because they had the root commands already written out for uber noobs like myself.

*edited - figured out the access logs. Logged into SSH

cd /usr/local/apache/logs
cat access_logs

that did the trick. Still need help with mod_security.
TheUniverses
Take a look at this (guide on installing/config mod sec):
http://www.gotroot.com/tiki-index.php?page...of+mod_security

mod_security creates audit_log files in that folder (wherever your Apache logs to; for me it's /var/log/httpd/).
xenneo
Also if you have it set up through cPanel it has a nice page that shows you a part of the log.
gbock
QUOTE (kfukasawa)
Nothin' like smashing the stack.


Why oh why did I think of "stashing the smack" when I read that?

Yay for dyslexia.