[Dshield] Info

Johannes B. Ullrich jullrich at euclidian.com
Mon Nov 19 14:03:36 GMT 2001



This is a 'semi common' way to cover tracks in web access logs.
Usually, Apache logs include the user agent as the last field of the line.
Adding 'weird' characters in this spot can cause a line to be hidden if
it is looked at with simple programs like 'cat'.

Also, web analysis programs that do not check for these characters can
spit out weird reports.

Apache states in its documentation that it does not do any conversions of
these characters. Instead, they are just added to the web log 'as is' and
it is up to the web analysis program to deal with these characters.


> I receive this on http server:
> 
> GET / HTTP/1.1
> User-Agent: %B8%F8%0B%08  <-- binary in log!!
> Host: xxx.it
> Pragma: no-cache
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*

-- 
-------
jullrich at sans.org                    Join http://www.DShield.org
                          Distributed Intrusion Detection System

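
One way to surface such entries before viewing or parsing a log, as an added example that is not part of the original message: it flags lines that contain raw control or 8-bit bytes and renders them escaped. The sample log lines are constructed (the User-Agent bytes are the ones from the quoted request) and the function names are illustrative.

```python
import re

# Bytes that are unsafe to send to a terminal or a naive report generator:
# C0 controls (except tab), DEL, and anything outside 7-bit ASCII.
SUSPICIOUS = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f-\xff]")

# Constructed sample log (combined format). The second entry carries the
# User-Agent bytes from the quoted request: B8 F8 0B 08.
SAMPLE_LOG = (
    b'192.0.2.10 - - [19/Nov/2001:14:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0"\n'
    b'192.0.2.66 - - [19/Nov/2001:14:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "\xb8\xf8\x0b\x08"\n'
    b'192.0.2.10 - - [19/Nov/2001:14:00:03 +0000] "GET /a.gif HTTP/1.1" 200 90 "-" "Mozilla/4.0"\n'
)


def escape_line(raw: bytes) -> str:
    """Render a log line so every suspicious byte is visible as \\xNN."""
    escaped = SUSPICIOUS.sub(lambda m: b"\\x%02x" % m.group()[0], raw)
    return escaped.decode("ascii")


def scan_log(data: bytes):
    """Return (line_number, offsets, escaped_line) for each line with raw bytes."""
    findings = []
    # Split on LF only: CR and other controls inside a line must be reported.
    for number, raw in enumerate(data.split(b"\n"), start=1):
        offsets = [m.start() for m in SUSPICIOUS.finditer(raw)]
        if offsets:
            findings.append((number, offsets, escape_line(raw)))
    return findings


if __name__ == "__main__":
    for number, offsets, shown in scan_log(SAMPLE_LOG):
        print(f"line {number}: {len(offsets)} raw byte(s) at {offsets}")
        print("  " + shown)
```

Apache 2.0.46 and later write non-printable characters in `%r`, `%i` and `%o` as `\xhh` escapes, so raw bytes like these are mainly a concern with older servers or other log sources.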



