Curious HTTP GET commands ...
John Chambers
jc at trillian.mit.edu
Fri Aug 3 22:00:31 EDT 2001
My apache access_log shows a number of requests starting 19 July, all
from different IP addresses, that look like:
"GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0"
It's fairly obvious that something out there is trying to take
advantage of some sort of buffer overflow, though it doesn't seem to
be working. It just gets a "Client sent malformed Host header"
message in the errlog. This doesn't seem to be nearly enough bytes to
overflow a buffer, anyway, since I've seen valid URLs (with lots of
form params) that are much longer than this. And it doesn't seem to
have any effect at all on the apache 1.3.17 that I'm running. But
maybe it works with some servers. Anyone have any idea what attack
this might be? What is "default.ida"?
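
Added example, not part of the original post: a Python sketch that flags access-log entries of the shape quoted above (a `.ida` path whose query holds a long single-character run or `%uXXXX` sequences) and reports the distinct source addresses and the first sighting. The log lines, addresses, status codes and byte counts are constructed, the query is abbreviated from the one in the post, and the 64-character threshold is an assumption.

```python
import re
from datetime import datetime

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
FILLER_RE = re.compile(r'(.)\1{63,}')       # one character repeated 64+ times (assumed threshold)
UENC_RE = re.compile(r'%u[0-9a-fA-F]{4}')   # %uXXXX-encoded 16-bit values

def classify(line):
    """Return details of a suspicious .ida request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, stamp, _method, target, status = m.groups()
    path, _, query = target.partition("?")
    if not path.lower().endswith(".ida"):
        return None
    filler = FILLER_RE.search(query)
    uenc = len(UENC_RE.findall(query))
    if not filler and uenc == 0:
        return None
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return {"host": host, "when": when, "status": int(status),
            "filler_len": len(filler.group(0)) if filler else 0, "uenc": uenc}

def summarize(lines):
    """Count matching requests, list distinct sources, give the earliest timestamp."""
    hits = [h for h in map(classify, lines) if h]
    return {"requests": len(hits),
            "sources": sorted({h["host"] for h in hits}),
            "first_seen": min((h["when"] for h in hits), default=None)}

# Constructed sample lines; the query is a shortened form of the one in the post.
_Q = "N" * 224 + "%u9090%u6858%ucbd3%u7801%u00=a"
SAMPLE = [
    f'192.0.2.10 - - [19/Jul/2001:14:02:11 -0400] "GET /default.ida?{_Q} HTTP/1.0" 400 252',
    '198.51.100.7 - - [20/Jul/2001:09:15:00 -0400] "GET /index.html?q=abc HTTP/1.0" 200 1043',
    f'203.0.113.5 - - [21/Jul/2001:03:40:59 -0400] "GET /default.ida?{_Q} HTTP/1.0" 400 252',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```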