spdracer22 Posted June 16, 2005

What is this? I was looking through my logfile and came across this pair of entries, and the pair appears more than just once. Every few days, seemingly randomly, there is an entry exactly like this. To me, it looks like whatever it is tries to create some sort of overflow and then upload a *.dll to what looks to me like a directory used by MS FrontPage. My server is Linux/Apache/MySQL running osC MS2.2. According to showmyip.com, the requests are coming from Seoul, S. Korea. Any thoughts? I have blocked the IP, but are there any other precautions I should take?

Thanks for the help,
-spd

From the log file:

210.222.242.9 - - [13/Jun/2005:08:50:12 -0700] "SEARCH /\x90\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\<snip>

[EDIT] removed complete logging entry for clarity (now that the problem is known)
Iggy Posted June 16, 2005

Google is your friend. http://www.google.com/search?client=safari...=UTF-8&oe=UTF-8

"The RS_IIS.C exploit will produce a similar log entry to the one below."

Iggy
Everything's funny but nothing's a joke...
spdracer22 (Author) Posted June 17, 2005

Since I'm not running IIS, I should be OK, right?

Thanks
-spd
mattice Posted June 17, 2005

Yes, you cannot be harmed by such an exploit. Have not read the Google link, but it is probably another infected machine attacking you. Or seriously dumb wannabes that target *nix machines with MS exploits :D

"Politics is the art of preventing people from taking part in affairs which properly concern them"
boxtel Posted June 17, 2005

(quoting spdracer22's first post above)

For your convenience, use this kind as your log definition:

LogFormat "%h %l %u %t \"%!414r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

The \"%!414r\" part will prevent logging of this kind of stuff. That is, it does not log the request if the request is too long, and these are very long. Otherwise, even though they cannot harm you, they do tend to fill up your log files very rapidly.

Treasurer MFC
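A practitioner who wants to see how often these probes hit, rather than just suppress them, can run a small scanner over the access log. The following is an added example, not code posted by anyone in this thread: it parses Apache "combined" log lines, flags WebDAV SEARCH requests whose URI carries the repeated \x90/\x04H byte pattern from the first post (Apache writes unprintable request bytes as \xHH escapes, which is what the log shows), and also recognises the "-" request field that boxtel's %!414r conditional leaves behind when the status is 414 (Request-URI Too Long). The sample log lines are constructed for the example; only the first address and the shape of the payload are taken from the thread, and the status codes and byte counts are assumed.

```python
import re
from collections import Counter

# Apache "combined" LogFormat: host ident user [time] "request" status bytes "referer" "agent".
# With %!414r in place of %r, the request field is "-" whenever the status was 414.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}|-) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Apache escapes non-printable request bytes as \xHH, so a NOP sled (\x90) or the
# \x04H filler seen in the thread shows up in the log as literal backslash sequences.
NOP_SLED_RE = re.compile(r'(\\x90|\\x04H){4,}')

# Constructed sample log (not the poster's real log). Line 1 is what the default %r
# records for such a probe (payload truncated here); line 2 is what %!414r records for
# the same kind of request; lines 3-4 are ordinary osCommerce traffic for contrast.
SAMPLE_LOG = r'''
210.222.242.9 - - [13/Jun/2005:08:50:12 -0700] "SEARCH /\x90\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H HTTP/1.1" 414 345 "-" "-"
210.222.242.9 - - [15/Jun/2005:03:12:44 -0700] "-" 414 345 "-" "-"
192.0.2.10 - - [13/Jun/2005:09:01:02 -0700] "GET /catalog/index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.0.2.11 - - [13/Jun/2005:09:02:10 -0700] "GET /catalog/product_info.php?products_id=1 HTTP/1.1" 200 4521 "http://example.com/catalog/" "Mozilla/5.0"
'''


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = COMBINED_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    request = entry['request']
    if request == '-':
        # Conditional logging dropped the request line; only the status explains why.
        entry.update(method=None, uri=None, protocol=None)
    else:
        parts = request.split(' ')
        entry['method'] = parts[0]
        entry['uri'] = parts[1] if len(parts) > 1 else ''
        entry['protocol'] = parts[2] if len(parts) > 2 else ''
    return entry


def classify(entry):
    """Return a short reason if the entry looks like the IIS WebDAV probe from the thread, else None."""
    if entry['method'] == 'SEARCH':
        uri = entry['uri'] or ''
        if NOP_SLED_RE.search(uri) or len(uri) > 512:
            return 'webdav-search-overflow'
        return 'webdav-search'          # SEARCH alone is unusual for an osCommerce site
    if entry['request'] == '-' and entry['status'] == '414':
        return 'oversized-request-suppressed'
    return None


def scan(log_text):
    """Return (host, reason) pairs for every suspicious line in the log text."""
    hits = []
    for line in log_text.strip().splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason is not None:
            hits.append((entry['host'], reason))
    return hits


def hosts_to_block(hits, threshold=1):
    """Sorted list of source hosts with at least `threshold` suspicious requests."""
    counts = Counter(host for host, _ in hits)
    return sorted(host for host, n in counts.items() if n >= threshold)


if __name__ == '__main__':
    for host, reason in scan(SAMPLE_LOG):
        print(f'{host}\t{reason}')
    print('block candidates:', hosts_to_block(scan(SAMPLE_LOG)))
```

Note that once %!414r is in effect the second line is all that survives, so the method and payload are gone from the access log; the script therefore treats a bare "-" request with status 414 as its own category rather than trying to guess what was sent. Against a Linux/Apache host this is purely a nuisance-counting exercise, as the thread says, but the same parser gives you a per-source count to justify the firewall block.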
spdracer22 (Author) Posted June 17, 2005

Thanks to everyone for helping me out! I'm definitely more at ease now! :D

-spd