Can it be considered a possible way to circumvent Apache security by sending the server a super long request to attempt to overflow a buffer? I have had this turn up in my access log:
24.127.135.213 - - [28/Mar/2007:18:09:25 +0930] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 406 280 "-" "-"
24.127.135.213 - - [28/Mar/2007:18:09:26 +0930] "SEARCH /\x90\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\ x04...
This x04H pattern repeats for about 3 pages' worth and is all part of a URL requested from my server and terminates with the same as above.
This was in my error log:
[Wed Mar 28 18:09:25 2007] [error] [client 24.127.135.213] mod_security: Access denied with code 406. Pattern match "^$" at HEADER("USER-AGENT") [severity "EMERGENCY"] [hostname "mechdaves.broadband.hostname.from.isp"] [uri "/_vti_bin/_vti_aut/fp30reg.dll"]
[Wed Mar 28 18:09:26 2007] [error] [client 24.127.135.213] request failed: URI too long (longer than 8190)
To me it seems like some sort of probe to find a weak Windows machine (see the Windows DLL name). Any ideas?
Cheers,
Mechdave
A quick Google shows that those are IIS-related exploits, so you may assume a warm smug feeling.
The second error log entry suggests that your web server has got that type of buffer overflow attempt covered. The first one is interesting, as a pattern match of ^$ suggests a blank user agent, i.e. the program making the request does not even pretend to be any particular browser, which apparently your web server protects against.
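A small scanner that applies the observations from this thread (blank user agent, request line past Apache's 8190-byte limit, the FrontPage /_vti_bin/ path, a WebDAV method, runs of escaped bytes in the URI) to Apache combined-format log lines. This is an added example, not code from the thread; the sample lines are constructed with placeholder addresses, and the 8190 threshold and the set of "ordinary" methods are assumptions.

```python
import re

# Apache combined log format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Apache's default LimitRequestLine, the value behind "URI too long (longer than 8190)".
LIMIT_REQUEST_LINE = 8190
ORDINARY_METHODS = {"GET", "POST", "HEAD", "OPTIONS"}  # assumption: what this site expects

# Constructed sample lines modelled on the thread's access log (addresses are placeholders).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Mar/2007:18:09:25 +0930] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 406 280 "-" "-"',
    '192.0.2.10 - - [28/Mar/2007:18:09:26 +0930] "SEARCH /' + r'\x90' + r'\x04H' * 4000 + ' HTTP/1.1" 414 0 "-" "-"',
    '192.0.2.20 - - [28/Mar/2007:18:10:00 +0930] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]


def parse(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flags(entry):
    """List the reasons one parsed entry looks like a probe rather than a browser request."""
    reasons = []
    req = entry["request"]
    parts = req.split(" ")
    method, path = (parts[0], parts[1]) if len(parts) >= 2 else (req, "")
    if entry["agent"] in ("", "-"):                      # mod_security's ^$ User-Agent match
        reasons.append("blank-user-agent")
    if len(req) > LIMIT_REQUEST_LINE:                    # what Apache rejected as "URI too long"
        reasons.append("request-line-over-limit")
    if method not in ORDINARY_METHODS:                   # SEARCH is a WebDAV method, not a browser one
        reasons.append(f"unusual-method:{method}")
    if path.lower().startswith("/_vti_bin/"):            # FrontPage Server Extensions path (IIS)
        reasons.append("frontpage-extension-probe")
    if len(re.findall(r'\\x[0-9a-fA-F]{2}', path)) > 32:  # long runs of escaped binary in the URI
        reasons.append("escaped-binary-in-uri")
    return reasons


def scan(lines):
    """Group flagged entries by client host: {host: [(time, reasons), ...]}."""
    report = {}
    for line in lines:
        entry = parse(line)
        if entry is None:
            continue
        reasons = flags(entry)
        if reasons:
            report.setdefault(entry["host"], []).append((entry["time"], reasons))
    return report
```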