On Wednesday 21 July 2004 05:23, John Morrison wrote:
> Hi,
> Looking at the root user mail I noticed the following appears
> frequently in the logfiles:
>
> --------------------- httpd Begin ------------------------
>
> A total of 2 sites probed the server
>    81.51.104.14
>    81.10.211.182
>
> A total of 2 unidentified 'other' records logged
>    GET /sumthin HTTP/1.0 with response code(s) 404
>    SEARCH
> /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
> 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
> 2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
> 1\x02\xb1\x02\xb1\x02\xb1\x
>
> The 'SEARCH' line goes on and on for pages (only shown a portion of
> it for brevity). I have never seen this before and would like to
> know what is happening and should I block the sites that the probe
> comes from. The web server is only for my personal development.
>
> Cheers,
>
> John
> --

Someone is trying a known-to-work buffer overflow attack on your machine.
I'd highly recommend getting both tcpwrapper and iptables going, possibly
even with portsentry doing an automatic rule installation on the detection
of a scan.

I'd also get, install and run the latest 'chkrootkit'. It's designed to
recognize the signatures of most of the rootkits extant.

As always, google is your friend.

--
Cheers, Gene
There are 4 boxes to be used in defense of liberty.
Soap, ballot, jury, and ammo. Please use in that order, starting now.
-Ed Howdershelt, Author
Additions to this message made by Gene Heskett are Copyright 2004,
Maurice E. Heskett, all rights reserved.
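As an added illustration (not code from either correspondent), a small Python script that applies the same reasoning to raw Apache access-log lines rather than the logwatch summary: it flags request lines that Apache has written with long runs of \xNN escapes (a binary payload where a URL should be) and request methods a personal web server never expects, then groups the hits per client and emits iptables DROP rules for review. The log lines are constructed samples modelled on the entries above; the escaped-byte threshold, the set of normal methods and the iptables rule format are my assumptions.

```python
import re
from collections import defaultdict

# Apache access-log fields we need: client IP, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')
# Apache writes non-printable request bytes as \xNN; match contiguous runs.
ESCAPE_RUN_RE = re.compile(r'(?:\\x[0-9a-fA-F]{2})+')
# Methods a personal web server should legitimately see (assumption).
NORMAL_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}

def classify(line, min_escaped_bytes=32):
    """Return a reason string if the request looks like a probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.group("req")
    method = req.split(" ", 1)[0] if req else ""
    # Longest run of escaped bytes in the request line (4 characters per byte).
    longest = max((len(r.group(0)) // 4 for r in ESCAPE_RUN_RE.finditer(req)), default=0)
    if longest >= min_escaped_bytes:
        return f"binary payload ({longest} escaped bytes) via {method}"
    if method not in NORMAL_METHODS:
        return f"unusual method {method}"
    return None

def summarize(lines):
    """Group probe reasons by client IP."""
    hits = defaultdict(list)
    for line in lines:
        reason = classify(line)
        if reason:
            hits[LOG_RE.match(line).group("ip")].append(reason)
    return dict(hits)

def block_rules(hits):
    """iptables DROP rules for each flagged client, to review before applying."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in sorted(hits)]

# Constructed sample log lines modelled on the entries in the mail above.
SAMPLE_LOG = [
    '81.51.104.14 - - [21/Jul/2004:03:11:02 +0100] "GET /sumthin HTTP/1.0" 404 290 "-" "-"',
    '81.10.211.182 - - [21/Jul/2004:04:02:17 +0100] "SEARCH /\\x90'
    + '\\x02\\xb1' * 40 + ' HTTP/1.1" 414 0 "-" "-"',
    '192.0.2.10 - - [21/Jul/2004:04:05:00 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, reasons in summarize(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
    print("\n".join(block_rules(summarize(SAMPLE_LOG))))
```

The plain 404 for /sumthin is deliberately not flagged on its own: a single odd path tells you little, whereas a request line made of escaped bytes is unambiguous.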