Does anyone recognise this pattern?

not sure if this is a search box flood

         

jackson

3:43 pm on Mar 24, 2004 (gmt 0)

10+ Year Member



Checking through my logs just recently picked up this item:

s7a-4thstn-stpete-237.ij.net - - [21/Mar/2004:23:12:58 -0600] "SEARCH /\x90\x02\xb1\x02\xb1\x02\ .... \x90\x90" 414 271 "-" "-"

The space in between is filled with that "repeating" pattern "\x90\", etc. And this to the extent of 32,820 bytes.

Have been hit by this item twice in the last few days. Doesn't seem to have affected my site though.

I know that x90, etc. is hexadecimal for something - not sure what at this stage.

The question here is, is this something I should worry about and, if so, what to do about it?

icpix

4:44 pm on Mar 24, 2004 (gmt 0)

10+ Year Member



That flavour of entry appears in my logs too.
I've always assumed them to be malicious buffer-overflow attempts, presumably aimed at non-Apache webservers.

best wishes, Robert

bufferzone

4:51 pm on Mar 24, 2004 (gmt 0)

10+ Year Member



It is an IMAPD remote overflow. If you don't run a mailserver you don't need to worry. If you do, follow the link and learn

[insecure.org...]

bufferzone

5:15 pm on Mar 24, 2004 (gmt 0)

10+ Year Member



It could also be an attempt to try a buffer overflow in a popular CGI web counter, Count.cgi (wwwcount).

[attrition.org...]

jackson

3:01 am on Mar 25, 2004 (gmt 0)

10+ Year Member



Thanks all. Really appreciate the quick response and follow-up. Thought this was sort of "unfriendly". Guess this sort of stuff comes with the "territory" these days ...
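
One way to pick entries like the one in the first post out of an Apache access log, as an added example that is not part of the original thread: it flags requests whose request line is mostly `\xNN` escapes, and also notes an unexpected method and a 414 status. The function names, thresholds, expected-method set and sample lines are assumptions constructed for illustration.

```python
import re

# Apache common/combined log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# Non-printable request bytes appear in the access log as \xNN escapes.
ESCAPE_RE = re.compile(r'\\x[0-9a-fA-F]{2}')
# Assumption: methods this site legitimately serves; adjust for WebDAV etc.
EXPECTED_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}

def classify(line, min_escapes=8, min_ratio=0.5):
    """Parse one log line; return host, method, status and the reasons it looks hostile."""
    m = LOG_RE.match(line)
    if not m:
        return None
    request = m.group("request")
    method = request.split(" ", 1)[0]
    escapes = ESCAPE_RE.findall(request)
    # Each escape occupies 4 characters of the logged request line.
    ratio = 4 * len(escapes) / len(request) if request else 0.0
    reasons = []
    if len(escapes) >= min_escapes and ratio >= min_ratio:
        reasons.append("binary-payload")   # request is mostly escaped raw bytes
    if method not in EXPECTED_METHODS:
        reasons.append("unexpected-method")
    if m.group("status") == "414":
        reasons.append("uri-too-long")     # server rejected the oversized request
    return {"host": m.group("host"), "method": method,
            "status": int(m.group("status")), "escapes": len(escapes),
            "reasons": reasons}

def flagged(lines):
    """Return classified entries that carry a binary payload."""
    results = [classify(l) for l in lines]
    return [r for r in results if r and "binary-payload" in r["reasons"]]

# Constructed sample lines (host names and the shortened payload are made up).
PAYLOAD = r"\x90\x02\xb1\x02\xb1\x02" * 20 + r"\x90\x90"
SAMPLE = [
    'client.example.net - - [21/Mar/2004:23:12:58 -0600] "SEARCH /%s" 414 271 "-" "-"' % PAYLOAD,
    'other.example.net - - [21/Mar/2004:23:13:05 -0600] "GET /index.html HTTP/1.0" 200 1043 "-" "-"',
]

if __name__ == "__main__":
    for entry in flagged(SAMPLE):
        print(entry["host"], entry["method"], entry["status"], entry["reasons"])
```

A 414 on such an entry means the server refused the request line before handing it to any handler, which matches the first poster's observation that the site was unaffected.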