After the IP and timestamp of the Apache log line, there was a request starting with
SEARCH /\x90
followed by a very long sequence of
x04H\x04H\x04H\x04H\x04H...
followed by a very long sequence of
\x90\x90\x90\x90\x90\x90\x90\x90...
until finally the Apache server gave a 414 error response code. Sounds like an attempt to force some sort of buffer overflow or so, which my server seems to have handled properly.
But I also found some lines obviously incomplete and cut, which maybe indicates someone may indeed have HAD access to my webserver, deleting his traces in the logfiles?
I found the whole thing quite fascinating and would like to learn more about it. Is there any flag-worthy thread on these things here in WebmasterWorld? Any other general resources on the internet? What are the most common traces in my logfiles which might indicate someone is constantly trying to get access to my server?
Any URL for further studies is well appreciated. Thx in advance.
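Added example, not part of the post above: a small scanner that reads Apache access-log lines and flags the traits the poster describes, namely a request method outside the HTTP/1.1 set, a long run of `\x90` bytes (Apache logs non-printable request bytes as literal `\xNN` escapes; 0x90 is the x86 NOP opcode, so a long run of it in a request is the classic "NOP sled" shape), an oversized request target, a 414 response, and lines that do not parse at all (the "incomplete and cut" entries). The sample log, the IP addresses and the 256-character length threshold are constructed for the example.

```python
import re
from typing import Dict, List

# Methods defined by HTTP/1.1 (RFC 2616); anything else is worth a second look.
STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}

# Apache writes non-printable request bytes as "\xNN", so a run of 0x90 bytes
# (the x86 NOP opcode) appears in the log as the text "\x90\x90\x90...".
NOP_RUN = re.compile(r"(?:\\x90){8,}")

# Assumed threshold for "suspiciously long request target"; tune for your site.
MAX_TARGET_LEN = 256

# Common/Combined Log Format: client ident user [time] "request" status size ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def check_line(line: str) -> List[str]:
    """Return the reasons a single access-log line looks suspicious (empty if none)."""
    line = line.rstrip("\n")
    if not line:
        return []
    m = LOG_LINE.match(line)
    if not m:
        # A line that does not fit the log format is usually a truncated or
        # partially overwritten entry; that by itself deserves a closer look.
        return ["malformed or truncated line"]
    reasons: List[str] = []
    parts = m.group("req").split(" ")
    method = parts[0]
    target = parts[1] if len(parts) > 1 else ""
    if method not in STANDARD_METHODS:
        reasons.append(f"non-standard method {method}")
    if NOP_RUN.search(target):
        reasons.append("run of \\x90 bytes (NOP-sled pattern)")
    if len(target) > MAX_TARGET_LEN:
        reasons.append(f"request target longer than {MAX_TARGET_LEN} chars")
    if m.group("status") == "414":
        reasons.append("server answered 414 Request-URI Too Long")
    return reasons


def scan_log(text: str) -> List[Dict[str, object]]:
    """Scan a whole log and return one finding per suspicious line."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        reasons = check_line(line)
        if reasons:
            m = LOG_LINE.match(line)
            findings.append({"line": lineno, "ip": m.group("ip") if m else None, "reasons": reasons})
    return findings


# Constructed sample log: one normal hit, one request shaped like the one in the
# post (SEARCH, \x04H repeats, \x90 run, 414), one 404, and one truncated line.
NOISE = "\\x04H" * 40 + "\\x90" * 120
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [10/Oct/2003:13:55:36 +0200] "GET /index.html HTTP/1.1" 200 2326',
    f'203.0.113.9 - - [10/Oct/2003:13:57:01 +0200] "SEARCH /\\x90{NOISE} HTTP/1.1" 414 0',
    '198.51.100.7 - - [10/Oct/2003:14:01:12 +0200] "GET /about.html HTTP/1.1" 404 201',
    '198.51.100.7 - - [10/Oct/2003:14:02',
])

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} from {f['ip']}: " + "; ".join(f["reasons"]))
```

Run it against a real file with `scan_log(open("/var/log/apache2/access.log").read())`. Note what a truncated line does and does not prove: it can come from log rotation mid-write or a full disk just as easily as from someone editing the file, so treat it as a prompt to check file integrity rather than as evidence of a break-in.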
I would check all of the files in your site and see if any of the dates have changed on files you know you haven't touched.
If it's a dedicated server, downloading and installing a rootkit checker wouldn't hurt.
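Added example, not part of the reply above: the reply suggests checking file dates, and this script does that but also hashes each file, because a modified file whose timestamp has been set back to the original value is invisible to a date check and only a content hash catches it. It builds a baseline of the document root, and `demo()` shows the comparison on a constructed temporary directory in which one file is tampered with and its mtime restored, one file is added and one deleted. Everything here (paths, file names, contents) is constructed for the example.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def fingerprint(path: Path) -> Dict[str, object]:
    """Content hash plus size and whole-second mtime for one file."""
    st = path.stat()
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    return {"sha256": digest, "size": st.st_size, "mtime": int(st.st_mtime)}


def build_baseline(root: Path) -> Dict[str, Dict[str, object]]:
    """Fingerprint every regular file under root, keyed by POSIX-style relative path."""
    return {
        p.relative_to(root).as_posix(): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(baseline: Dict[str, Dict[str, object]], out: Path) -> None:
    # Keep the baseline off the web server (or on read-only media): a baseline
    # stored next to the files it describes can be rewritten along with them.
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def compare(baseline: Dict[str, Dict[str, object]],
            current: Dict[str, Dict[str, object]]) -> Dict[str, List[str]]:
    """Classify differences between two baselines."""
    common = baseline.keys() & current.keys()
    changed = sorted(k for k in common if baseline[k]["sha256"] != current[k]["sha256"])
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "missing": sorted(baseline.keys() - current.keys()),
        "changed": changed,
        # Content differs but the date does not: a mtime-only check misses these.
        "changed_mtime_unchanged": [k for k in changed if baseline[k]["mtime"] == current[k]["mtime"]],
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: tamper with a script, restore its mtime, add and delete files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>hello</h1>\n")
        (root / "cgi-bin").mkdir()
        script = root / "cgi-bin" / "form.cgi"
        script.write_text("#!/bin/sh\necho ok\n")
        baseline = build_baseline(root)

        old_mtime = int(script.stat().st_mtime)
        script.write_text("#!/bin/sh\necho tampered\n")
        os.utime(script, (old_mtime, old_mtime))   # put the date back
        (root / "new.php").write_text("<?php echo 'constructed'; ?>\n")
        (root / "index.html").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice, build the baseline right after a clean install, save it somewhere the web server cannot write, and re-run the comparison from a cron job; anything in `changed_mtime_unchanged` deserves attention first, since ordinary maintenance updates the date along with the content.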