Security question, strange packet in apache request
Hi...
I'm not a Linux newbie really. I've been running Gentoo for a while, and I'm pretty comfy in Linux. I run an Apache 2 server (up to date all the time) and I was checking the logs and saw something weird. Since there's a lot of knowledgeable people around here, I thought maybe someone knew what this was. Careful, the request is pretty long...

---------------------------------------------------------------------

... yeah well, the query is too long, so briefly... here's the interesting part:

0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9 0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9 0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9 0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9 0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9 0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9 0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9 0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9 0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9 0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90cc-lib/i686-pc-linux-gnu/3.3.2/../../../../i686-pc-linux-gnu/bin/as -Qy -o format_mp3.o -\nroot 1318 0.0 2.4 27292 9416 ? S Mar31 0:00 /usr/sbin/apache2 -k start\napache 1369 0.0 2.5 27424 9864 ? S Mar31 0:00 \\_ /usr/sbin/apache2 -k start\napache 1370 0.0 2.7 27940 10656 ? S Mar31 0:00 \\_ /usr/sbin/apache2 -k start\napache 1371 0.0 2.7 27928 10672 ? S Mar31 0:01 \\_ /usr/sbin/apache2 -k start\napache 1372 0.0 2.7 27856 10408 ? S Mar31 0:00 \\_ /usr/sbin/apache2 -k start\napache 1373 0.0 2.7 27920 10660 ? S Mar31 0:01 \\_ /usr/sbin/apache2 -k start\napache 18646 0.0 2.5 27420 9852 ? S Mar31 0:01 \\_ /usr/sbin/apache2 -k start\napache 27111 0.0 2.7 27780 10444 ? S 07:27 0:03 \\_ /usr/sbin/apache2 -k start\napache 6027 0.0 2.5 27420 9852 ? S 12:03 0:00 \\_ /usr/sbin/apache2 -k start\napache 12795 0.0 2.5 27428 9860 ? S 12:03 0:00 \\_ /usr/sbin/apache2 -k start\napache 17582 0.0 0.2 2440 828 ? R 18:26 0:00 | \\_ ps -auxf --cols=250\napache 22914 0.0 2.6 27552 10096 ? S 12:03 0:00 \\_ /usr/sbin/apache2 -k start\nnobody 1374 0.0 0.1 1780 728 ? S Mar31 0:00 /usr/sbin/noip2 -c /etc/no-ip2.conf\nnobody 1407 0.0 2.5 57084 9752 ? S Mar31 0:00 /usr/bin/ntop -d -L -q\nnobody 1498 0.0 2.5 57084 9752 ? S Mar31 0:00 \\_ /usr/bin/ntop -d -L -q\nnobody 1499 0.0 2.5 57084 9752 ? S Mar31 0:00 \\_ /usr/bin/ntop -d -L -q\nnobody 1501 0.1 2.5 57084 9752 ? R Mar31 1:28 \\_ /usr/bin/ntop -d -L -q\nnobody 1503 0.0 2.5 57084 9752 ? S Mar31 0:00 \\_ /usr/bin/ntop -d -L -q\nnobody 1508 0.0 2.5 57084 9752 ? S Mar31 0:00 \\_ /usr/bin/ntop -d -L -q\nnobody 1509 0.0 2.5 57084 9752 ? S Mar31 0:27 \\_ /usr/bin/ntop -d -L -q\nroot 1472 0.0 0.4 5136 1624 ? S Mar31 0:00 /usr/sbin/smbd\nroot 1474 0.0 0.2 3892 1076 ? S Mar31 0:00 /usr/sbin/nmbd\nroot 1516 98.8 3.8 16872 14724 ? RN Mar31 1129:41 /opt/setiathome/setiathome -nice 19\nroot 1517 98.7 4.1 17900 15820 ? RN Mar31 1129:02 /opt/setiathome/setiathome -nice 19\nroot 1541 0.0 0.1 1656 632 ? S Mar31 0:00 /usr/sbin/cron\nroot 1574 0.0 0.1 1960 456 ? S Mar31 0:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf\nroot 1585 0.0 0.1 1508 564 vc/1 S Mar31 0:00 /sbin/agetty 38400 tty1 linux\nroot 1586 0.0 0.1 1508 564 vc/2 S Mar31 0:00 /sbin/agetty 38400 tty2 linux\nroot 1587 0.0 0.1 1508 564 vc/3 S Mar31 0:00 /sbin/agetty 38400 tty3 linux\nroot 1588 0.0 0.1 1508 564 vc/4 S Mar31 0:00 /sbin/agetty 38400 tty4 linux\nroot 1589 0.0 0.1 1508 564 vc/5 S Mar31 0:00 /sbin/agetty 38400 tty5 linux\nroot 1590 0.0 0.1 1508 564 vc/6 S Mar31 0:00 /sbin/agetty 38400 tty6 linux\n</pre>\n\n\n" 414 250 "-" "-" 66.214.34.223 - -

here's the real thing:

-----------------------------------------------------

So what I see is this: a bunch of compiled machine code of some sort, probably to exploit a buffer overflow or something, and then execution of a command, and the weirdest, the output of what seems to be an accurate ps... So I'm wondering wtf?!?! Can anyone?

PS: Sorry if this doesn't belong here, I didn't really know where to ask :) |
Quote:
looks like someone was trying for a buffer overflow!! |
320's right on that one.
Are you running Icecast? If so, is it an older version? |
hmmm, interesting.
I was testing out with outcast (icecastv2) but: 1) I was having probs with the config, it didn't start, so it wasn't started, 2) it's the latest version (gotta love Gentoo). So basically, you guys are saying that someone was smashing the stack (what I thought too). But would this be an Apache vuln? PS: Thank you very much for your answers :) |
http://www.slackware.com/security/vi...ecurity.559833
This is the Apache security update from last year!! More than likely they were checking to see if you had updated it......... |
Thank you very much :)
I checked my worries with netcat: I piped the query to my server, and it responded with a "URL too long" message :) Thanks for your help, guys! :) |
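The thread boils down to two log facts: the request carried a long run of 0x90 bytes (a NOP sled, which Apache writes to the access log as the literal text \x90), and the server answered 414 because the request line was longer than Apache accepts. As an added example (not code from the thread or from Apache), here is a small Python scanner that pulls those two facts out of access-log lines; it assumes the standard combined log format, and the sample lines are constructed, not real traffic.

```python
import re
from dataclasses import dataclass

# Apache writes non-printable request bytes to the access log as \xHH, so a
# NOP sled of 0x90 bytes appears as the literal text \x90\x90\x90... in the log.
NOP_RUN = re.compile(r'(?:\\x90)+')
# Combined log format: host ident user [time] "request" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>.*?)" '
    r'(?P<status>\d{3}) (?P<size>\S+)')
# Statuses meaning Apache refused the request before any handler ran; 414 is
# what the thread's server answered (request line over LimitRequestLine).
REJECTED = {400, 413, 414}

# Constructed sample log (not real traffic): one sled request like the one in
# the thread, one normal hit, and one short \x90 run that should not be flagged.
SLED = r'\x90' * 40
SAMPLE_LOG = "\n".join([
    f'192.0.2.10 - - [01/Apr/2004:18:26:11 -0500] "GET /0{SLED}cc HTTP/1.0" 414 250 "-" "-"',
    '192.0.2.20 - - [01/Apr/2004:18:27:02 -0500] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    r'192.0.2.30 - - [01/Apr/2004:18:28:40 -0500] "GET /x\x90\x90\x90 HTTP/1.1" 404 210 "-" "-"',
])

@dataclass
class Finding:
    host: str
    status: int
    nop_bytes: int   # longest run of consecutive 0x90 bytes in the request
    rejected: bool   # True if Apache itself refused the request

def parse_line(line):
    """Split one combined-format line into its fields, or return None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def longest_nop_run(request):
    """Length in bytes of the longest \\x90 run (each escape is 4 log characters)."""
    return max((len(r.group()) // 4 for r in NOP_RUN.finditer(request)), default=0)

def scan(log_text, min_run=16):
    """Return a Finding for every request whose NOP run is at least min_run bytes."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        run = longest_nop_run(rec['request'])
        if run >= min_run:
            status = int(rec['status'])
            findings.append(Finding(rec['host'], status, run, status in REJECTED))
    return findings

if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A flagged request with `rejected=True` is the case in this thread: the sled never reached a handler, so the next step is to confirm the server was patched rather than to treat the log line as a successful compromise.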