Apache 2.0.52 attacks


yann domise
24th January 2005, 02:04 PM
Hi !
I've seen some strange HTTP requests in my access.log file. The request method is "SEARCH", followed by the value "0x90" on tens and tens of lines!
I've tried to use the directive "<Limit SEARCH>...</LIMIT>" to block this kind of request, but without success.

Any solutions ?


Thanks,

Yann

andreac
24th January 2005, 02:23 PM
I've noticed it too in my log files, but I've also noticed that Apache correctly responds with an error code (414 - URI too long). Perhaps it's a joke especially designed for IIS web servers?

yann domise
24th January 2005, 02:35 PM
Thanks for your reply !
I also think that someone is trying to find a security issue, but I'd like to ban this kind of request, because I've written a PHP script that prints the file in an HTML page. So, with such a request, the script fails, because the string is too long, I think, or the code "0x90" is interpreted by the PHP engine.
If you find something about this problem, reply to my post. I'll continue looking for a security patch for this problem!

Yann.

andreac
24th January 2005, 02:47 PM
You can ban the IP address with Apache's mod_access. The problem is that you probably have many IP addresses and it's boring to add these addresses manually in httpd.conf. Can't you, in your script, check the length of URI requests?

yann domise
24th January 2005, 03:09 PM
I don't really want to ban the IP address, only the request; I'd like to allow those IPs to access my web server. And I agree: adding those IPs manually would be very boring ;-)
In effect, I'll add some controls in my script!!

Thanks,
Yann.

james_in_denver
24th January 2005, 06:48 PM
Sounds like somebody is looking for an IIS buffer overflow exploit.....

yann domise
24th January 2005, 07:39 PM
OK, confirmation that it was an attack... so I believed that was an Apache attack!

Thank you. But is there any solution to solve this problem? (i.e. ban this type of request method)

Yann

blammo
25th January 2005, 12:19 AM
I don't think anybody *attacked* you specifically, but just someone scanning web ports looking for an in. It's even possible that the person who owns the computer that is originating the scans/exploits has no idea that it's happening due to a worm or similar. I wouldn't worry about it much unless it's affecting your network. I get plenty of these and others on my web servers, but because they're all aimed at IIS, I really don't give it no mind. You can send off a complaint letter to the netblock owner if you want to.

Void Main
25th January 2005, 01:49 AM
I autoblock IP addresses with iptables based on certain query strings. I have a thread about the phpBB worm that was running around that has similar characteristics to what you are seeing. It might give you some ideas:

http://voidmain.is-a-geek.net/forums/viewtopic.php?t=1279
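
Added example, not part of the original thread or any poster's code: a log filter in Python that flags the requests described above (SEARCH method, long runs of 0x90, 414 responses) and truncates and escapes the request before it is shown in an HTML page. It assumes Common Log Format and that Apache writes non-printable bytes as literal `\x90` escapes; the sample lines, addresses and the 80-character display limit are constructed for illustration.

```python
import html
import re

# Common Log Format: host ident user [time] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>.*)" (?P<status>\d{3}) \S+'
)
NOP_RUN_RE = re.compile(r'(?:\\x90){8,}')  # eight or more escaped 0x90 bytes in a row
MAX_DISPLAY = 80                           # assumed display limit for the report


def classify(line):
    """Return (host, method, status, reasons), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    request = m.group('request')
    method = request.split(' ', 1)[0]
    status = int(m.group('status'))
    reasons = []
    if method == 'SEARCH':
        reasons.append('SEARCH method')
    if NOP_RUN_RE.search(request):
        reasons.append('0x90 run')
    if status == 414:
        reasons.append('414 URI too long')
    return m.group('host'), method, status, reasons


def safe_cell(text, limit=MAX_DISPLAY):
    """Truncate first, then HTML-escape, so long or odd requests cannot break the page."""
    if len(text) > limit:
        text = text[:limit] + '...'
    return html.escape(text)


def suspicious(lines):
    """Yield (host, reasons, display_text) for every parsed line that matched a rule."""
    for line in lines:
        parsed = classify(line)
        if parsed and parsed[3]:
            request = LINE_RE.match(line).group('request')
            yield parsed[0], parsed[3], safe_cell(request)


# Constructed sample lines (documentation addresses, not taken from the thread).
SAMPLE = [
    '192.0.2.10 - - [24/Jan/2005:13:58:01 +0100] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.7 - - [24/Jan/2005:13:59:12 +0100] "SEARCH /' + '\\x90' * 3000 + '" 414 271',
]

if __name__ == '__main__':
    for host, reasons, shown in suspicious(SAMPLE):
        print(host, ', '.join(reasons), shown)
```
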
