dos attack or something more evil?
Web Servers on Unix and Linux, May 2004 (archived thread)

Author: none <hbeaumont@yahoo.com>, 27 May 2004 22:26:22 -0700

Our server has recently been hammered with the following. I'm not
sure if this is a DoS attack or something like a buffer overflow or other
attempt.
Example from access_log:
17-0 3201 0/24/24 _ 0.07 108 0 0.0 0.09 0.09 78.242.234.22
ourserver.com 0хF%.
Rr~$>y]w樐A%yة^0>߃
other requests:
dV 'ˑ٥I)00<c B`!b(*|Vj8ZGyߨԕ5X
c"du4\UaV,tn} |"^QivMEnY
just a lot of entries like this (about 1000 requests a second) from a
different set of changing IPs - all spoofed I presume.
and in error log:
[Thu May 27 00:00:20 2004] [error] [client 202.88.234.163] request
failed: erroneous characters after protocol string:
2\xcb\xf6\x02\xe6\x10E\xfc\x83\xdb>Bar
\xe4\xdd\x14?\xba\x06\xdcW]\x99\xe9 w0\
xbc\" =\xb6\xe1\xcb9\x1e\xd2\xbfMT\x18o\xf5t\x
b3\xed\xcc;\xbc\xffR\xbbIr\xecR\x91\xb0,
\xdcQ\x95S(n\x7f\x14\xa9\xdb\xa4\x9bn\xb
d\xa9\xceT\xcdp\xd3{\xfe1\xd2\xf6a\xcc\xfc\xc7E]\xcc
[Thu May 27 00:00:20 2004] [error] [client 202.88.234.163] Invalid URI
in request ·|_øòMG1°·4s
«yS%:LC^O^U@7]~SW0«SCXj¤ó)ذl
^_>j½0^FqNj_^z^L^O¸/
[Thu May 27 00:00:20 2004] [error] [client 202.88.234.163] request
failed: erroneous characters after protocol string: \xd1QL\x16\xf6L\\
h\x85F\xeb\xb1\xed\x80\"\x9e\xb0\xdeZC\x1f\xb5\xa2?\xedA[A\x
9fDJ\xcb>\xf0\xeb6O\x07\b\xf7\x05A\x8b
\xb4\xee\x91*\x89\xdc\xbf\xf1y{\xd9
[Thu May 27 00:00:20 2004] [error] [client 202.88.234.163] Invalid URI
in request . ^DT!ñd^GV]z^Ul^TúL^U_¦òcZ^R$
>l^\N#vY®N¹%%æP^Um
Gb¡^P \.²^X^Y\_"¥/it~O±^C«^ôL^X´çH3
[Thu May 27 00:00:20 2004] [error] [client 202.88.234.163] Invalid
method in request \xd7\xe5\xceH\xe7\xd6\xd3\xe92\xa6\x8c\x
8a53k\x9f\x1f8Md\xces
[Thu May 27 00:00:20 2004] [error] [client 202.88.234.163] Invalid URI
in request j¿1^T^E^^C\¤¿^Z½»ZSVóPû^W^\
ñµ!U^_¿ò{³r6ESC5'½\K£èY¯3*´^Ktï
ESC
[Thu May 27 00:00:20 2004] [error] [client 202.88.234.163] Invalid
method in request \xe9\xec\x1f\xc2T\x9b\x81\x8eW\x9a\xa7\x
f0\xf7\xaf\xd2t\x9ee\xee\xa6\xb5T\xc4zt\
xa2q\xeb\xf9\xca\x17\xe3\x98\x9c
\xd2[s\x86\xee\xc3J\x11W\xa4\x94\xaeP\x84
\xce\xb3h
[Thu May 27 00:00:20 2004] [error] [client 202.88.234.163] Invalid
method in request =\xbc4\"\xcb\" \x16\x83\xd2\xd2\xfa:\xbf\x15U\xfcE`\x1b
\xf8\xa5\x83'\xaf-$\xdd\x06\xfel\x0e\x99\x13
Any ideas?
The server hosts several sites on the same IP - none seem too
controversial and we've had no anonymous notes threatening anything.
You'd think if it was a DoS they might try to communicate as to WHO
they are trying to knock offline (?) - as much as we'd hate to cave
in we probably would. At this point we have no idea why this
particular box is being targeted.
The server is running apache 1.3.29 on RedHat Enterprise Linux 3
Thanks for any ideas!
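Entries like the ones above are easier to sort mechanically than by eye. What follows is an added example, not code from this thread or from Apache: it parses the three Apache 1.3 error_log messages quoted in the post ("Invalid method in request", "Invalid URI in request", "request failed: erroneous characters after protocol string:"), reverses the \xNN escaping Apache applies when it logs a rejected request line, and puts each entry into one of three buckets: pure binary junk with no HTTP structure (the scanner/worm-noise shape), a readable but malformed request, or a real-looking method token followed by a binary tail (the shape of a crafted request that deserves a closer look). It also counts parse failures per client and per second. Apache only logs a request line after the TCP handshake has completed, so the client addresses in these entries are the actual sending hosts, which is why the per-IP counts are worth having. The bucket names, the 50% printable-byte threshold, the RFC 5737 addresses and the sample log lines are this example's own constructions; the first two sample lines reuse the shape of the poster's entries.

```python
"""Sort Apache 1.3 error_log parse failures into junk / readable / crafted.

Added example, not the poster's or Apache's code.  Message texts are the
three quoted in the thread; bucket names and the 50% printable threshold
are this example's own choices.
"""
import re
from collections import Counter, defaultdict

# The three Apache 1.3 messages from the thread; the rejected request line
# (or what was left of it) follows the message text.
PARSE_FAILURES = (
    "Invalid method in request",
    "Invalid URI in request",
    "request failed: erroneous characters after protocol string:",
)
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9.]+)\] (?P<msg>.*)$"
)
# An HTTP request line opens with an upper-case method token and a space
# before the URI; random bytes practically never match this.
METHOD_RE = re.compile(rb"^[A-Z]{3,8} /")
JUNK_THRESHOLD = 0.5  # below this share of printable ASCII we call it junk
_SIMPLE_ESCAPES = {"n": 10, "r": 13, "t": 9, "b": 8, "v": 11, "\\": 92, '"': 34}


def decode_escapes(s: str) -> bytes:
    """Reverse Apache's error_log escaping (\\xNN and backslash escapes) to raw bytes."""
    out, i = bytearray(), 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            nxt = s[i + 1]
            if nxt == "x" and i + 3 < len(s):
                try:
                    out.append(int(s[i + 2:i + 4], 16))
                    i += 4
                    continue
                except ValueError:
                    pass  # not a hex pair: keep the backslash literally
            if nxt in _SIMPLE_ESCAPES:
                out.append(_SIMPLE_ESCAPES[nxt])
                i += 2
                continue
        out.extend(c.encode("latin-1", "replace"))
        i += 1
    return bytes(out)


def printable_ratio(b: bytes) -> float:
    """Share of bytes in the printable ASCII range 0x20..0x7e (1.0 for empty)."""
    return sum(0x20 <= x < 0x7F for x in b) / len(b) if b else 1.0


def classify(line: str):
    """Return (client_ip, timestamp, bucket) for a parse-failure line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    for prefix in PARSE_FAILURES:
        if msg.startswith(prefix):
            payload = decode_escapes(msg[len(prefix):].lstrip(" "))
            ratio = printable_ratio(payload)
            if METHOD_RE.match(payload) and ratio < JUNK_THRESHOLD:
                bucket = "crafted"   # real method token, binary tail: look closer
            elif ratio < JUNK_THRESHOLD:
                bucket = "junk"      # no HTTP structure at all: scanner/worm noise
            else:
                bucket = "readable"  # malformed but human-readable request
            return m.group("ip"), m.group("ts"), bucket
    return None  # some other error_log message, not a parse failure


def triage(lines):
    """Per-client bucket counts, plus each client's peak parse failures in one second."""
    buckets, per_second = defaultdict(Counter), defaultdict(Counter)
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        ip, ts, bucket = hit
        buckets[ip][bucket] += 1
        per_second[ip][ts] += 1
    peak = {ip: max(c.values()) for ip, c in per_second.items()}
    return {ip: dict(c) for ip, c in buckets.items()}, peak


# Constructed sample.  The first two lines keep the shape (and client IP)
# of the poster's entries; the rest are made up, with RFC 5737 addresses,
# to exercise the other buckets and a line that is not a parse failure.
SAMPLE_ERROR_LOG = [
    r"[Thu May 27 00:00:20 2004] [error] [client 202.88.234.163] Invalid method in request \xd7\xe5\xceH\xe7\xd6\xd3\xe92\xa6\x8c\x8a53k\x9f\x1f8Md\xces",
    r"[Thu May 27 00:00:20 2004] [error] [client 202.88.234.163] request failed: erroneous characters after protocol string: \xd1QL\x16\xf6L\\h\x85F\xeb\xb1\xed\x80\"\x9e\xb0\xdeZC",
    r"[Thu May 27 00:00:21 2004] [error] [client 198.51.100.7] Invalid method in request SEARCH /\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90",
    r"[Thu May 27 00:00:21 2004] [error] [client 203.0.113.9] Invalid URI in request GET /cgi-bin/a b c HTTP/1.0",
    r"[Thu May 27 00:00:22 2004] [error] [client 203.0.113.9] File does not exist: /var/www/html/favicon.ico",
]

if __name__ == "__main__":
    per_ip, peak = triage(SAMPLE_ERROR_LOG)
    for ip in sorted(per_ip):
        print(f"{ip:16} {per_ip[ip]}  peak/sec={peak[ip]}")
```

Run it as-is to see the sample triage, or feed it a real log by passing open("/var/log/httpd/error_log") to triage(). A client that is all "junk" at hundreds of entries per second is noise that the parser is already rejecting; a "crafted" entry is the one whose raw request is worth pulling from a packet capture and reading byte by byte.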

Paul Rubin, 2004-05-30, 10:48 am

hbeaumont@yahoo.com (none) writes:
> Our server has recently been hammered with the following - I'm not
> sure if this is a dos attack or something a buffer overflow or other
> attempt.
It's a new windows worm.
On 27 May 2004 22:26:22 -0700, none <hbeaumont@yahoo.com> wrote:
>Our server has recently been hammered with the following - I'm not
>sure if this is a dos attack or something a buffer overflow or other
>attempt.
>
> [...]
>
>Any ideas?
Looks like more variants of the WebDAV worm. As long as you're not running IIS
you ought to be fine.
peace,
cj
--
Christopher Jon Miller          Drink and dance and laugh and lie
Parallel Systems Engineer       Love, the reeling midnight through
                                For tomorrow we shall die!
                                (But, alas, we never do.)
                                  -- Dorothy Parker, "The Flaw in Paganism"