Johannes B. Ullrich
jullrich at euclidian.com
Mon Nov 19 14:03:36 GMT 2001
This is a 'semi common' way to cover tracks in web access logs.
Usually, Apache logs include the user agent as the last field of the line.
Adding 'weird' characters in this spot can cause a line to be hidden if
it is looked at with simple programs like 'cat'.
Also, web analysis programs that do not check for these characters can
spit out weird reports.
Apache states in its documentation that it does not do any conversions of
these characters. Instead, they are just added to the web log 'as is' and
it is up to the web analysis program to deal with these characters.
> I receive this on http server:
> GET / HTTP/1.1
> User-Agent: %B8%F8%0B%08 <-- binary in log!!
> Host: xxx.it
> Pragma: no-cache
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
jullrich at sans.org Join http://www.DShield.org
Distributed Intrusion Detection System
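
An added example, not part of the original message: a Python check that scans raw access-log bytes for control and non-ASCII bytes and reports the offending lines with those bytes escaped, so the terminal never interprets them. The sample log is constructed, it assumes the quoted User-Agent corresponds to the raw bytes B8 F8 0B 08, and the function names are illustrative.

```python
import re

# Bytes a terminal may interpret or that are not printable ASCII:
# C0 controls (tab is allowed), DEL, and everything >= 0x80.
UNSAFE = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f-\xff]")

def escape(line: bytes) -> str:
    """Render a raw log line with every unsafe byte shown as \\xNN."""
    return "".join(
        chr(b) if 0x20 <= b < 0x7F or b == 0x09 else f"\\x{b:02x}"
        for b in line
    )

def user_agent_span(line: bytes):
    """Heuristic: (start, end) of the last quoted field, or None."""
    end = line.rfind(b'"')
    start = line.rfind(b'"', 0, end) if end > 0 else -1
    return (start + 1, end) if start >= 0 else None

def scan(raw: bytes):
    """Return [(line_no, in_user_agent, escaped_line)] for suspicious lines."""
    findings = []
    # Split on LF only, so a stray CR stays inside its line and is flagged.
    for no, line in enumerate(raw.split(b"\n"), 1):
        hits = [m.start() for m in UNSAFE.finditer(line)]
        if not hits:
            continue
        span = user_agent_span(line)
        in_ua = span is not None and all(span[0] <= h < span[1] for h in hits)
        findings.append((no, in_ua, escape(line)))
    return findings

# Constructed sample in combined log format (documentation address range).
SAMPLE = (
    b'192.0.2.10 - - [19/Nov/2001:14:01:02 +0000] "GET / HTTP/1.1" 200 1043 '
    b'"-" "Mozilla/4.0 (compatible; MSIE 5.5)"\n'
    b'192.0.2.77 - - [19/Nov/2001:14:01:09 +0000] "GET / HTTP/1.1" 200 1043 '
    b'"-" "\xb8\xf8\x0b\x08"\n'
    b'192.0.2.10 - - [19/Nov/2001:14:01:15 +0000] "GET /a.gif HTTP/1.1" 200 512 '
    b'"-" "Mozilla/4.0 (compatible; MSIE 5.5)"\n'
)

if __name__ == "__main__":
    for no, in_ua, text in scan(SAMPLE):
        print(f"line {no} (unsafe bytes only in user agent: {in_ua}): {text}")
```

Reading the file in binary mode and passing the bytes to `scan` keeps the check independent of the terminal and of any text decoding.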