Welcome to the JaguarPC Community

This is a discussion on SEARCH - DOS Attack ? in the Shared & Semi-Dedicated forum

  1. #1
    JPC Addict
    Join Date
    Nov 2001
    Posts
    121

    SEARCH - DOS Attack ?

    I have a bunch of the following in my logs (I trimmed it because it was 32k long). Is it a DOS attack or something else?

    "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\
    ...
    \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90" 414 341 "-" "-"

  2. #2
    Community Leader jason's Avatar
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    Not a DOS attack...it looks like someone is trying to cause a buffer overrun. That's a situation where someone tries to overload part of the server's memory, causing it to open a hole where they can do whatever they want with the system. These kinds of things can happen on any system, but these types of attacks are most common on Windows. In this case it is probably someone trying to exploit a hole in Windows' Internet Information Server. These types of attacks are usually done en masse with a script that tries random IP addresses and/or domain names harvested from search engines or whatnot. More than likely it is nothing to worry about.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com

  3. #3
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    It's shellcode - an automated exploit probably. Just ignore it. It's JagPC's problem, not yours.

    I'll point Tech Support to this thread...
    DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

    No Guts, No Story! VinDSL © 2010

  4. #4
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Never mind...

    I looked it up on my favorite scumbag hacker hangout. That's an old NT4 with DCOM exploit that's been revived. Actually, it's part of a reverse shellcode generator, but it only works remotely on W2K/XP, so JagPC is safe.

    If you're tired of seeing it in your logs, ban the offending IP[s].

  5. #5
    JPC Addict
    Join Date
    Nov 2001
    Posts
    121
    Thanks!

  6. #6
    JPC Addict
    Join Date
    Nov 2001
    Posts
    121
    p.s., the IP address is constantly changing, probably by spoofing, so banning it may not be effective.

  7. #7
    JPC Senior Member
    Join Date
    Oct 2002
    Posts
    66
    I have also been getting the same thing now for over a week.

  8. #8
    Aletia Customer
    Join Date
    Oct 2001
    Posts
    631
    I've been seeing that in my logs for more than a month now.
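
Added example, not part of the original thread: a short Python script that picks out the entries discussed above (a `SEARCH` request whose path is a long run of `\xNN` escapes) from an access log, counts them per source address, and reports any that the server did not refuse. Since post #6 notes the source address keeps changing, the match is on the request pattern rather than on the IP. The Apache "combined" log format, the `MIN_ESCAPES` threshold, and all sample lines, addresses and timestamps are assumptions constructed for the example.

```python
import re
from collections import Counter

# Apache "combined" log format is assumed; the post shows only the tail of each entry.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<uri>.*?)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) '
)
ESCAPE_RE = re.compile(r'\\x[0-9a-fA-F]{2}')  # Apache writes non-printable bytes as \xNN
MIN_ESCAPES = 20  # assumed threshold: ordinary WebDAV SEARCH paths contain few or none


def classify(line):
    """Return (ip, status) if the line is a SEARCH whose path is mostly escaped bytes."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "SEARCH":
        return None
    if len(ESCAPE_RE.findall(m["uri"])) < MIN_ESCAPES:
        return None
    return m["ip"], int(m["status"])


def summarize(lines):
    """Count matching requests per source and list any the server did not reject."""
    per_ip, not_rejected = Counter(), []
    for line in lines:
        hit = classify(line)
        if hit:
            ip, status = hit
            per_ip[ip] += 1
            if status < 400:  # 414 (URI Too Long) means the request was refused
                not_rejected.append(hit)
    return per_ip, not_rejected


# Constructed sample data: documentation-range addresses, made-up timestamps,
# and a stand-in for the trimmed request path from post #1.
PATH = "/\\x90" + "\\x02\\xb1" * 40 + "\\x90" * 12
SAMPLE = [
    f'192.0.2.10 - - [01/Jan/2004:10:00:00 +0000] "SEARCH {PATH}" 414 341 "-" "-"',
    f'198.51.100.7 - - [01/Jan/2004:10:04:12 +0000] "SEARCH {PATH}" 414 341 "-" "-"',
    f'192.0.2.10 - - [01/Jan/2004:11:30:45 +0000] "SEARCH {PATH}" 414 341 "-" "-"',
    '203.0.113.5 - - [01/Jan/2004:11:31:00 +0000] "SEARCH /docs HTTP/1.1" 405 300 "-" "-"',
    '203.0.113.5 - - [01/Jan/2004:11:32:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    counts, open_hits = summarize(SAMPLE)
    for ip, n in counts.most_common():
        print(f"{ip}\t{n} oversized SEARCH request(s)")
    print("not rejected by the server:", open_hits or "none")
```

An empty "not rejected" list corresponds to the situation in the thread, where every such request was answered with 414; any entry in that list is the one worth a closer look.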
