
osCommerce


Weird server log file entry...


spdracer22


Posted

What is this?

I was looking through my log file and came across this pair of entries... and the pair appears more than just once. Every few days, seemingly randomly, there is an entry exactly like this. To me, it looks like whatever it is tries to create some sort of overflow and then upload a *.dll to what looks to me like a directory used by MS FrontPage. My server is Linux/Apache/MySQL running osC MS2.2. According to showmyip.com, the requests are coming from Seoul, S. Korea.

Any thoughts? I have blocked the IP, but are there any other precautions I should take?

Thanks for the help,

-spd

From the log file:

210.222.242.9 - - [13/Jun/2005:08:50:12 -0700] "SEARCH /\x90\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\<snip>#

[EDIT] removed complete logging entry for clarity (now that the problem is known)

Posted

Yes, you cannot be harmed by such an exploit.

Have not read the Google link, but it is probably another infected machine attacking you.

Or seriously dumb wannabes that target *nix machines with MS exploits :D

"Politics is the art of preventing people from taking part in affairs which properly concern them"

Posted
For your convenience, use this kind of log definition:

LogFormat "%h %l %u %t \"%!414r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

The \"%!414r\" part will prevent logging of this kind of stuff. That is, it does not log if the request is too long, and these are very long.

Otherwise, even though they cannot harm you, they do tend to fill up your log files very rapidly.

Treasurer MFC
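As an added example (not code from the thread or from osCommerce), here is a small Python checker that parses combined-format lines like the one quoted above, flags the SEARCH probe by its unusual method and its run of \xNN escapes, and shows that the "-" request line left behind by %!414r still leaves a 414 status to count per source address. The sample log lines, the 414 status on the probe line and the escape threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" LogFormat as posted above; the first quoted field is the
# request line, or "-" when %!414r suppresses it because the status was 414.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# Apache writes non-printable bytes of the request line as \xNN escapes.
ESCAPE_RE = re.compile(r'\\x[0-9a-fA-F]{2}')

NORMAL_METHODS = {"GET", "POST", "HEAD", "OPTIONS"}
ESCAPE_THRESHOLD = 8  # assumed cut-off; real URLs rarely carry this many raw bytes

# Constructed sample, modelled on the entry in the post: the probe line is
# shortened and given an assumed 414 status; the rest is ordinary shop traffic.
SAMPLE_LOG = r"""
210.222.242.9 - - [13/Jun/2005:08:50:12 -0700] "SEARCH /\x90\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H HTTP/1.1" 414 364 "-" "-"
10.0.0.5 - - [13/Jun/2005:08:51:00 -0700] "GET /catalog/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [13/Jun/2005:08:51:02 -0700] "GET /catalog/images/logo.gif HTTP/1.1" 200 2210 "http://shop.example/catalog/" "Mozilla/5.0"
210.222.242.9 - - [15/Jun/2005:03:12:44 -0700] "-" 414 364 "-" "-"
"""

def classify(entry):
    """Return the reasons one parsed entry looks like probe traffic (empty if none)."""
    reasons = []
    request = entry["request"]
    if entry["status"] == "414":
        reasons.append("414 Request-URI Too Long")
    if request == "-":
        return reasons  # request line suppressed by %!414r; nothing left to inspect
    method = request.split(" ", 1)[0]
    if method not in NORMAL_METHODS:
        reasons.append(f"unusual method {method}")
    n_escapes = len(ESCAPE_RE.findall(request))
    if n_escapes >= ESCAPE_THRESHOLD:
        reasons.append(f"{n_escapes} escaped raw bytes in request line")
    return reasons

def scan_log(text):
    """Parse combined-format lines; return {host: [reason, ...]} for suspicious hosts."""
    hits = defaultdict(list)
    for line in text.strip().splitlines():
        match = COMBINED_RE.match(line)
        if not match:
            continue  # not combined format; skip rather than guess
        entry = match.groupdict()
        hits[entry["host"]].extend(classify(entry))
    return {host: reasons for host, reasons in hits.items() if reasons}
```

Running scan_log on the sample reports only 210.222.242.9, with the SEARCH line contributing three reasons and the suppressed-request line contributing its 414 alone.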
