Did someone attempt to hack my machine?
Addicted to MacNN
Join Date: Jan 2003
Location: ~/
I have a MacOS X 10.3.3 (client) machine at work acting as a webserver.
Today, I found a 32,760 character request string in my httpd access logs. The access attempt was made at 11:16pm on 3/22. It was the only request of its kind.
The request consisted of repeating strings of "\x90\x02\xb1\x02\xb1\x02\xb1\x02\" and "\x90\x90\x90\x90\x90\x90".
Is this someone's attempt at creating a buffer overflow error?
Fortunately, OS X simply recorded a "request failed: URI too long" error and continued about its business.
BTW,
I get requests like this as well periodically: "GET / HTTP/1.1" 200 397
but I understand these are blind attempts at access by virus-infected "zombie" PCs and that these requests are a widespread phenomenon.
I also enjoy seeing requests for this periodically as well: "/Library/WebServer/Documents/scripts/..%5c%5c../winnt/system32/cmd.exe"
Dedicated MacNNer
Join Date: Jul 2002
Location: Boston, MA
What HTTP method was used at the time? I've seen WebDAV exploits containing strings like \x90\x90\x90\x90\x90\x90.
Dedicated MacNNer
Join Date: Sep 2003
Location: Pittsburgh, Pennsylvania
Originally posted by Cadaver:
I have a MacOS X 10.3.3 (client) machine at work acting as a webserver.
Today, I found a 32,760 character request string in my httpd access logs. The access attempt was made at 11:16pm on 3/22. It was the only request of its kind.
The request consisted of repeating strings of "\x90\x02\xb1\x02\xb1\x02\xb1\x02\" and "\x90\x90\x90\x90\x90\x90".
Is this someone's attempt at creating a buffer overflow error?
Fortunately, OS X simply recorded a "request failed: URI too long" error and continued about its business.
BTW,
I get requests like this as well periodically: "GET / HTTP/1.1" 200 397
but I understand these are blind attempts at access by virus-infected "zombie" PCs and that these requests are a widespread phenomenon.
I also enjoy seeing requests for this periodically as well: "/Library/WebServer/Documents/scripts/..%5c%5c../winnt/system32/cmd.exe"
Someone was trying to send you byte-code, probably in an attempt to overflow a buffer. If the byte code was x86 then you're fine, but if it was aimed at a PPC flaw you might have a problem. Make sure there are no outstanding security patches for your machine and the services you have open to the internet on it.
nt
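The request patterns quoted in this thread can be picked out of an access log mechanically. The following is an added example, not code from any poster: a Python filter over constructed Common Log Format lines. The function names, the 8190-byte threshold (Apache's default LimitRequestLine), the 0.5 escape ratio, the sample addresses and the GET method on the long request are assumptions.

```python
import re

# Non-printable request bytes appear in the access log as \xHH escapes (the form quoted above).
HEX_ESCAPE = re.compile(r'\\x[0-9a-fA-F]{2}')
NOP_RUN = re.compile(r'(?:\\x90){6,}')                  # six or more 0x90 bytes in a row
TRAVERSAL = re.compile(r'\.\.(?:%5c|%2f|/)', re.I)      # "..%5c", "..%2f", "../"
# Common Log Format: host ident user [time] "request" status bytes
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(.*)" (\d{3}) \S+$')
MAX_REQUEST_LINE = 8190   # Apache's default LimitRequestLine, used here as the threshold

def classify(line):
    """Return (host, status, findings) for one log line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    host, request, status = m.group(1), m.group(2), int(m.group(3))
    escapes = len(HEX_ESCAPE.findall(request))
    raw_len = len(request) - 3 * escapes   # each 4-character \xHH escape was one byte
    findings = []
    if raw_len > MAX_REQUEST_LINE:
        findings.append("oversized-request")
    if raw_len and escapes / raw_len > 0.5:
        findings.append("binary-payload")
    if NOP_RUN.search(request):
        findings.append("nop-run")
    if TRAVERSAL.search(request):
        findings.append("encoded-traversal")
    return host, status, findings

def scan(lines):
    """Map each flagged client address to the findings of its requests."""
    flagged = {}
    for line in lines:
        result = classify(line)
        if result and result[2]:
            flagged.setdefault(result[0], []).extend(result[2])
    return flagged

# Constructed sample lines (documentation addresses, placeholder timestamps). The long
# request repeats the two byte patterns quoted in the first post; its GET method is assumed.
PAYLOAD = (r'\x90\x02\xb1\x02\xb1\x02\xb1\x02' + r'\x90' * 6) * 2340
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:00:00:01 +0000] "GET / HTTP/1.1" 200 397',
    '198.51.100.7 - - [01/Jan/2000:00:00:02 +0000] "GET /' + PAYLOAD + '" 414 -',
    '203.0.113.5 - - [01/Jan/2000:00:00:03 +0000] '
    '"GET /scripts/..%5c%5c../winnt/system32/cmd.exe HTTP/1.0" 404 -',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The status code is returned alongside the findings because it separates a rejected probe (414, 404) from a request the server actually served.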