
Did someone attempt to hack my machine?
Cadaver
Addicted to MacNN
Join Date: Jan 2003
Location: ~/
Mar 23, 2004, 02:12 PM
 
I have a MacOS X 10.3.3 (client) machine at work acting as a webserver.
Today, I found a 32,760 character request string in my httpd access logs. The access attempt was made at 11:16pm on 3/22. It was the only request of its kind.
The request consisted of repeating strings of "\x90\x02\xb1\x02\xb1\x02\xb1\x02\" and "\x90\x90\x90\x90\x90\x90".
Is this someone's attempt at creating a buffer overflow error?
Fortunately, OS X simply recorded a "request failed: URI too long" error and continued about its business.

BTW,
I get requests like this as well periodically: "GET / HTTP/1.1" 200 397
but I understand these are blind attempts at access by virus-infected "zombie" PCs and that these requests are a widespread phenomenon.

I also enjoy seeing requests for this periodically as well: "/Library/WebServer/Documents/scripts/..%5c%5c../winnt/system32/cmd.exe"
     
kampl
Dedicated MacNNer
Join Date: Jul 2002
Location: Boston, MA
Mar 23, 2004, 08:34 PM
 
What HTTP method was used at the time? I've seen WebDAV exploits containing strings like \x90\x90\x90\x90\x90\x90.
     
Partisan01
Dedicated MacNNer
Join Date: Sep 2003
Location: Pittsburgh, Pennsylvania
Mar 27, 2004, 03:29 PM
 
Originally posted by Cadaver:
I have a MacOS X 10.3.3 (client) machine at work acting as a webserver.
Today, I found a 32,760 character request string in my httpd access logs. The access attempt was made at 11:16pm on 3/22. It was the only request of its kind.
The request consisted of repeating strings of "\x90\x02\xb1\x02\xb1\x02\xb1\x02\" and "\x90\x90\x90\x90\x90\x90".
Is this someone's attempt at creating a buffer overflow error?
Fortunately, OS X simply recorded a "request failed: URI too long" error and continued about its business.

BTW,
I get requests like this as well periodically: "GET / HTTP/1.1" 200 397
but I understand these are blind attempts at access by virus-infected "zombie" PCs and that these requests are a widespread phenomenon.

I also enjoy seeing requests for this periodically as well: "/Library/WebServer/Documents/scripts/..%5c%5c../winnt/system32/cmd.exe"

Someone was trying to send you byte-code, probably in an attempt to overflow a buffer. If the byte code was x86 then you're fine, but if it was aimed at a PPC flaw you might have a problem. Make sure there are no outstanding security patches for your machine and the services you have open to the Internet on it.

nt
Apple iBook, B&W, Quadra 660, PowerMac 6100
Sun Netra T1, Ultra 1, Javastation
http://natetobik.mine.nu:81
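
As an added example (not part of any post in this thread), the following Python script flags the three kinds of access-log entries discussed above: overlong requests, runs of \x90 bytes, and the cmd.exe traversal probe. The sample log lines, IP addresses, status codes and the GET method on the long request are constructed; the 8190 threshold is Apache's default LimitRequestLine.

```python
import re

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(.*)" (\d{3}) \S+')
HEX_ESC = re.compile(r'\\x[0-9a-fA-F]{2}')       # Apache logs raw bytes as \xhh
NOP_RUN = re.compile(r'(?:\\x90){6,}')           # run of 0x90, as quoted in the thread
TRAVERSAL = re.compile(r'\.\.(?:/|\\|%2f|%5c)', re.I)
MAX_REQUEST_LEN = 8190                           # Apache's default LimitRequestLine


def classify(line):
    """Return (host, status, findings) for one access-log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    host, request, status = m.groups()
    findings = []
    if len(request) > MAX_REQUEST_LEN:
        findings.append("overlong-request")
    if NOP_RUN.search(request):
        findings.append("0x90-run")
    # Escaped bytes making up most of the request point to binary data, not a URL.
    if len(HEX_ESC.findall(request)) * 4 > len(request) // 2:
        findings.append("mostly-escaped-bytes")
    if TRAVERSAL.search(request) and "cmd.exe" in request.lower():
        findings.append("windows-traversal-probe")
    return host, int(status), findings


def scan(lines):
    """Keep only the lines that produced at least one finding."""
    results = [classify(entry) for entry in lines]
    return [r for r in results if r and r[2]]


# Constructed sample lines (documentation IP ranges); the GET method on the
# long request is a placeholder, since the thread never states the real one.
SLED = "\\x90\\x02\\xb1\\x02\\xb1\\x02\\xb1\\x02" * 200 + "\\x90" * 600
SAMPLE = [
    '192.0.2.10 - - [22/Mar/2004:23:10:01 -0500] "GET / HTTP/1.1" 200 397',
    '198.51.100.7 - - [22/Mar/2004:23:16:00 -0500] "GET /' + SLED + '" 414 -',
    '203.0.113.5 - - [23/Mar/2004:01:02:03 -0500] '
    '"GET /scripts/..%5c%5c../winnt/system32/cmd.exe HTTP/1.0" 404 285',
]

if __name__ == "__main__":
    for host, status, findings in scan(SAMPLE):
        print(host, status, ", ".join(findings))
```

A finding here only says the request looks like a probe; the status code next to it (414 or 404 in the samples) is what shows the server rejected it.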
     
   