Welcome to the JaguarPC Community

This is a discussion on bizarre "Latest Users" logs... in the Shared & Semi-Dedicated forum

  1. #1
    Jag Veteran
    Join Date
    Oct 2003
    Location
    Location: Location:
    Posts
    633

    bizarre "Latest Users" logs...

    I found a strange set of entries spanning 4 days in my "Latest Users" logs... the entries consist of huge strings in the URL identifier, but the strings don't appear to be valid URLs.

    They are of the format "\x90" for several hundred/thousand repeats, then "\xb1\x02" for another few thousand... The sequences literally fill 2-3 scrolled screens, and the referring hosts are all different IPs.

    Further, the http code is 353, but I haven't found a reference that defines this.

    All other fields are null or blank... In total, there are I think 7 records that look like this, and the rest are normal, including some bogus CGI hits.

    Any ideas? I've saved the HTML file if anyone would like to look at it.

    Thanks!

  2. #2
    Community Leader jason's Avatar
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    It looks like someone trying to exploit an old MS vulnerability by trying to force a buffer overflow. I wouldn't worry about it, though, since most of those types of attacks are targeted at Windows servers and have no effect here.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com

  3. #3
    Jag Veteran
    Join Date
    Oct 2003
    Location
    Location: Location:
    Posts
    633
    I ran the IPs and came up with Russia, China, Hungary, etc...

    Glad I went with *nix hosting!

    Thanks for the info, jason

  4. #4
    Squeegy Boy TeeJay's Avatar
    Join Date
    Feb 2002
    Location
    Nueva Ecija
    Posts
    147
    I know I am safe, but I'm getting a lot of 'em today. Very, very annoying.

  5. #5
    JPC Member
    Join Date
    May 2004
    Posts
    9

    You can try it...

    Hi,

    You can try it by adding ::

    SetEnvIfNoCase Request_URI "^/\x90" dontlog

    in your .htaccess file, and I hope it works.

  6. #6
    Old Hillbilly Connie's Avatar
    Join Date
    Sep 2001
    Location
    Hills of Missouri
    Posts
    2,648
    Originally posted by TeeJay
    I know I am safe but I'm getting a lot of 'em today. very very annoying
    Not much you can do about it. Be glad you're safe.


    Forum Moderators - Jag Staff

    Spam Whackers Blog - Dedicated to fighting Spam and providing General SEO Tips
    Organize your Kitchen or purchase Kitchen Accessories at Condells
    Ihelpyou Forum - Dedicated to "Best Practices" SEO

  7. #7
    Loyal Client
    Join Date
    May 2002
    Location
    Wisconsin, USA
    Posts
    568
    I can sympathize. I just downloaded my logs for April today and found a ton of those also.

    What was annoying was when I tried to look through the logs in my text viewer with word wrap on.

    Like the others said, at least we know we're safe from those attacks.

  8. #8
    JPC Member
    Join Date
    Mar 2004
    Posts
    6


    Last edited by d4rk; 05-04-2004 at 05:46 PM.

  9. #9
    JPC Member
    Join Date
    May 2004
    Posts
    9

    Hi EveryOne..

    Hi,

    You can add the following rules in your .htaccess file to prevent shellcode log entries ::

    SetEnvIf Request_Method "^(GET|POST)$" Log
    CustomLog /var/apache/logs/access_log common env=Log

    This will log only your GET and POST HTTP requests (the shellcode arrives in a SEARCH request, so it will not be logged in your raw logs).

    And if you are using your own dedicated server, you can protect your servers using "iptables" ::

    iptables -I INPUT -p tcp -s 0.0.0.0/0 --dport 80 -m string --algo bm --string "SEARCH" -j DROP

    "All the Best"
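An added example (not code from this thread): a small Python scanner, run over constructed Apache "common"-format log lines, that flags the SEARCH / "\x90" NOP-sled requests the first post describes and tallies them per source IP. It is meant as an alternative to the log-suppression approach in the post above: keep the full log and count the noise instead of discarding it. The log lines and IPs are constructed samples.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "common" log format (not from the original thread).
# Apache writes non-printable bytes in the request line as \xHH escapes, which is why
# the "Latest Users" page shows literal "\x90" and "\xb1\x02" sequences.
SAMPLE_LOG = "\n".join([
    '10.0.0.1 - - [05/May/2004:10:01:02 -0500] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.2 - - [05/May/2004:10:03:09 -0500] "SEARCH /' + r"\x90" * 120
        + r"\xb1\x02" * 40 + ' HTTP/1.1" 414 0',
    '10.0.0.3 - - [05/May/2004:10:05:44 -0500] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 210',
    '10.0.0.4 - - [05/May/2004:10:07:00 -0500] "SEARCH /' + r"\x90" * 300 + ' HTTP/1.1" 414 0',
])

# host ident user [timestamp] "request" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# 16 or more consecutive escaped 0x90 bytes: a NOP sled as it appears in the log text
NOP_SLED_RE = re.compile(r'(?:\\x90){16,}')


def classify(line):
    """Parse one log line; return a dict with the reasons it looks like an overflow probe."""
    m = LINE_RE.match(line)
    if not m:
        return None
    req = m.group("req")
    method = req.split(" ", 1)[0]
    reasons = []
    if method.upper() == "SEARCH":      # WebDAV method used by the old IIS overflow probes
        reasons.append("webdav-search")
    if NOP_SLED_RE.search(req):         # long run of \x90 in the URI
        reasons.append("nop-sled")
    return {"ip": m.group("ip"), "method": method,
            "status": m.group("status"), "reasons": reasons}


def summarize(log_text):
    """Count parsed lines, flagged lines, and flagged lines per source IP."""
    by_ip = Counter()
    total = flagged = 0
    for line in log_text.splitlines():
        rec = classify(line)
        if rec is None:
            continue
        total += 1
        if rec["reasons"]:
            flagged += 1
            by_ip[rec["ip"]] += 1
    return {"total": total, "flagged": flagged, "by_ip": dict(by_ip)}
```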

  10. #10
    Jag Veteran
    Join Date
    Oct 2003
    Location
    Location: Location:
    Posts
    633
    Thanks for that, Brian!

  11. #11
    Ron
    Guest
    I really don't want to be the canary on this one.... will someone let us know if this approach works in reducing/eliminating those darn search entries, and if everything else gets properly logged?

    Thanks

  12. #12
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775

    Re: Hi EveryOne..

    Originally posted by Jpc-Brian
    Hi,

    You can add the following rules in your .htaccess file to prevent shell code logs ::

    SetEnvIf Request_Method "^(GET|POST)$" Log
    CustomLog /var/apache/logs/access_log common env=Log

    Um... wouldn't you have to put those in the server conf?
    DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

    No Guts, No Story! VinDSL © 2010

  13. #13
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Originally posted by Ron
    I really don't want to be the canary on this one.... will someone let us know if this approach works in reducing/eliminating those darn search entries, and if everything else gets properly logged?

    Thanks
    As far as I know, this is a bug in Apache which has never been addressed. 'Search' entries cannot be eliminated from the logs, no matter what you do. If you figure out a workaround, you will be world famous.
