[Dshield] Help identify apache log entry

John Hardin johnh at aproposretail.com
Wed Mar 26 21:43:45 GMT 2003


On Wed, 2003-03-26 at 11:22, Eric Hines wrote:
> Apache log entries for the rs_iis.c exploit posted to Bugtraq will show
> up in your Apache log files as follows. Remember, these exploits can
> easily be modified so be careful what sort of signatures you write.
> 
> 
> $ cat /usr/local/apache/logs/access_log
> 
> 192.168.0.2 - - [25/Mar/2003:20:29:53 -0600] "SEARCH
> /\x90\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x
> 04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04
> H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H
> \x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x

...so the RE I posted earlier *should* work. You may want to add more
WebDAV keywords.

> -----Original Message-----
> From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On
> Behalf Of John Hardin
> 
> I just ran across this in my apache logs:
> 
> 66.83.13.9 - - [25/Mar/2003:13:19:02 -0800] "GET
> /stream?m=xhIrB2Wg0Sm0f3000000000000000000000000001aqaB4f at F0dF0cgb000000
> 00100010010inSfPcElyYDsuYCr0ZBnW3EkSZEu0pBo4JEj43080mKsOZBuCZBnCZBvqICv8
> ZBnO3EkKZBo43DwW3Ci0ILLb4HzCaDm8ZDpKJDoapCtG3C4P3EoO4CsOpDv83DuCpC39JHj4
> JEouICsWZBruYCnGZEu03 HTTP/1.1" 404 295

Are you implying this is related?

-- 
John Hardin  KA7OHZ                           <johnh at aproposretail.com>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
-----------------------------------------------------------------------
 "To disable the Internet to save EMI and Disney is the moral
  equivalent of burning down the library of Alexandria to ensure the
  livelihood of monastic scribes."
                                    -- John Ippolito of the Guggenheim
-----------------------------------------------------------------------
 57 days until The Matrix Reloaded
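As an added example (not part of the original thread, and not the regular expression John refers to, which is not reproduced in the archive), the script below parses Apache common-log lines and flags WebDAV requests whose URI carries a long run of `\xNN`-escaped bytes, the shape of the SEARCH entry Eric quotes. The method list, the thresholds, the status/size fields of the shortened SEARCH line and the extra PROPFIND and GET lines are constructed assumptions for the demonstration.

```python
import re
import sys

# Constructed sample access_log lines, modelled on the entries quoted in the
# thread. The SEARCH request is shortened and its status/size fields are made
# up; a real one runs to many kilobytes. Apache writes non-printable request
# bytes as \xNN escapes, so a raw string keeps those backslashes literal.
SAMPLE_LOG = r"""
192.168.0.2 - - [25/Mar/2003:20:29:53 -0600] "SEARCH /\x90\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H HTTP/1.1" 501 -
66.83.13.9 - - [25/Mar/2003:13:19:02 -0800] "GET /stream?m=xhIrB2Wg0Sm0f3000000000000000000000000001aqaB4f HTTP/1.1" 404 295
10.0.0.5 - - [25/Mar/2003:13:20:00 -0800] "PROPFIND /docs/ HTTP/1.1" 207 1024
10.0.0.6 - - [25/Mar/2003:13:21:00 -0800] "GET /index.html HTTP/1.0" 200 2326
""".strip().splitlines()

# Common Log Format: host ident user [time] "method uri proto" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>.*?)(?: (?P<proto>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# One Apache-escaped non-printable byte, e.g. \x90 or \x04
ESCAPE_RE = re.compile(r'\\x[0-9A-Fa-f]{2}')

# Assumed tuning values: WebDAV verbs worth watching, how many escaped bytes
# make a URI "binary", and how long a URI has to be before any method is suspect.
WEBDAV_METHODS = {"SEARCH", "PROPFIND", "PROPPATCH", "MKCOL",
                  "COPY", "MOVE", "LOCK", "UNLOCK"}
MIN_ESCAPED = 8
MAX_SANE_URI = 1024


def parse_clf(line):
    """Split one access_log line into fields; return None if it is not CLF."""
    m = CLF_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def count_escaped_bytes(uri):
    """Number of \\xNN escapes Apache wrote into the request URI."""
    return len(ESCAPE_RE.findall(uri))


def classify(entry):
    """Return a reason string when the request looks like the WebDAV overflow
    pattern described in the thread, otherwise None.  The check keys on the
    structure (unusual verb plus a run of raw bytes), not on the literal
    \\x04H filler, because that filler is trivial for an attacker to change."""
    method = entry["method"].upper()
    uri = entry["uri"]
    escaped = count_escaped_bytes(uri)
    if method in WEBDAV_METHODS and escaped >= MIN_ESCAPED:
        return f"{method} with {escaped} escaped bytes in request URI"
    if len(uri) >= MAX_SANE_URI and escaped >= MIN_ESCAPED:
        return f"{method} with oversized binary URI ({len(uri)} bytes, {escaped} escaped)"
    return None


def scan(lines):
    """Run classify() over an iterable of log lines; return the hits."""
    hits = []
    for line in lines:
        entry = parse_clf(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            hits.append({"host": entry["host"], "time": entry["time"],
                         "method": entry["method"].upper(), "reason": reason})
    return hits


if __name__ == "__main__":
    # Usage: python webdav_scan.py [access_log]; with no argument the
    # constructed sample above is scanned.
    source = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    for hit in scan(source):
        print(f'{hit["host"]} [{hit["time"]}] {hit["reason"]}')
```

Against the sample, only the SEARCH line is reported: the plain PROPFIND is ordinary WebDAV traffic and is left alone, and the `GET /stream?m=...` entry John asks about is neither a WebDAV verb nor a binary URI, so this check does not connect the two. Tighten or widen `WEBDAV_METHODS` and the thresholds to suit the server being watched.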