LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Home Forums Tutorials Articles Register
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Reload this Page LogWatch: "possible successful probes"?
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 07-19-2009, 11:41 AM   #1
Quip11
LQ Newbie
 
Registered: Aug 2004
Location: Colorado, USA
Distribution: Fedora 15
Posts: 8

Rep: Reputation: 1
Question LogWatch: "possible successful probes"?

I saw this in my log this morning:
A total of 1 sites probed the server
adsl-76-197-246-151.dsl.chcgil.sbcglobal.net
A total of 1 possible successful probes were detected (the following URLs contain strings that match one or more of a listing of strings that indicate a possible exploit):
null HTTP Response 200
In my access_log, the corresponding line was
adsl-76-197-246-151.dsl.chcgil.sbcglobal.net - - [18/Jul/2009:09:55:00 -0600] "\x13\xc6\xc85!\xfd\x1aI\x95\xac\x1b\xf2k\xa2u\x1c:X\x9b" 200 4094 "-" "-"
Just as Capt_Caveman suggested, 4094 is the length of my index.html file. But what's with the hex codes from Chicago?

-Q


// Welcome back after five years ;-p Your post was pruned from a vintage 2005 thread because necroposting, e.g, the practice of responding to a thread that died out long ago, should be avoided. It is best practice to create your own thread and if necessary add a reference to the original.
Last edited by unSpawn; 07-19-2009 at 12:38 PM. Reason: //prune 'n graft note.
 
Old 07-20-2009, 04:39 PM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by Quip11
In my access_log, the corresponding line was
adsl-76-197-246-151.dsl.chcgil.sbcglobal.net - - [18/Jul/2009:09:55:00 -0600] "\x13\xc6\xc85!\xfd\x1aI\x95\xac\x1b\xf2k\xa2u\x1c:X\x9b" 200 4094 "-" "-"
Just as Capt_Caveman suggested, 4094 is the length of my index.html file. But what's with the hex codes from Chicago?
My WAG here is someone is relying on an exploit that tricks a web server into accepting a (normally bad) request in hex.

A quick google for "web server hex attack" seemed to return a few relevant possibilities (which I didn't look at it in detail).
 
  


Reply



Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Logwatch error message "lease broken" related to Samba?? icammy Linux - Server 1 04-19-2007 02:14 PM
What's this in LogWatch: "!!!! 1 possible successful probes" ? bomix Linux - Security 1 07-29-2005 10:23 PM
"Successful install" results in "Boot device not found" slackr007 Fedora 2 06-21-2005 04:05 PM
"Successful install" results in "Boot device not found" slackr007 Linux - Newbie 2 05-31-2005 08:02 PM
How to stop the redhat sending me e-mail called "LogWatch" automatically? chuanweizuo Red Hat 2 03-08-2005 09:19 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 03:38 PM.

Contact Us - Advertising Info - Rules - Privacy - LQ Merchandise - Donations - Contributing Member - LQ Sitemap -
Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration