Latest visitors URL /\x90\x02\xb1\x02\xb1\

[bankert]

I have no idea what this is and was wondering if someone might be able to inform me.

For about the past month my "Latest Visitor" page has been filled with "visits" to the following URL which continues for about 50 Page downs

/\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1. . .
etc. etc. for about 50 page downs
and ending with
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90"
Host: 69.73.42.222 (varies)
Http Code : 343
Date: Apr 06 00:39:20
Http Version: 414
Size in Bytes: "-"
Referer: -

No idea what this is. I've been here for over 2 years and I never saw this up until about a month ago.

Thanks,
Norb
www.bankert.org

[Vin DSL]

It's shellcode. If this is the one I'm thinking about, it's an old NT4 DCOM exploit that's been revived. Actually, it's part of a reverse shellcode generator, but it only works remotely on W2K/XP servers.

As far as *NUX servers are concerned, it appears that hackers are also trying to use this to cause string overflows in form inputs, such as search boxes and logins. To my knowledge, they haven't been successful at this, other than to fill your logs with pages full of nonsense.

If you're tired of seeing it in your logs, ban the offending IP[s].

[Vin DSL]

Here you go...

http://securityresponse.symantec.com...chia.worm.html

[lokki]

Thanks for the link, Vin

[Vin DSL]

My pleasure!

[tuxxer]

Originally posted by Vin DSL

If you're tired of seeing it in your logs, ban the offending IP[s].

I just did that , what are the odds , that its some poor shmuck that had his dsl or cable account hacked.

Not that it matters a whole hill of beans , just curious.

Tux