Wierd stuff in apache logs

flashingcurser · 04-11-2007, 04:42 PM

Does anyone know what exploit this is and what I should be double and triple checking?

Code:

24.93.165.34 - - [11/Apr/2007:14:19:13 -0600] "\xdf\x9bD\xf1\xe9\xf2\x95\xb5\x9a\xe2\x06\xc0\x1b6\xc4\xe3\x11\xd7" 302 416 "-" "-"
58.105.48.94 - - [11/Apr/2007:14:49:18 -0600] "\x13mqX\xf5\xd0\xf4\xbd8\xde\xf9\xabakf\xf0\xe8\xbe\xa50\xc1D\xe0.!\xf9\xf95\x07\xcf{I\xcd:\x8d\xaa\xb6J?\xc1DH\x96\xc8\xed4\xf7\x7fa~\xf0\x07\x18\xe3\"\xbcJo\xe8h\xe1\x0c" 302 416 "-" "-"
58.9.76.65 - - [11/Apr/2007:14:32:23 -0600] "a\x81\x1a\xe1\xe4\x9f\x11\xe2e\x06XJ\x16'\x1e\xca\xde^\xed\xe7N\xfd\x82\b\xf8\x96s\xdd\x9dz\x9dt\xe5E#\xb1\x89\xe7\xbe\xb3\x8b\xbcm\x9d\b~\xcb\xf8`\xf2iy\xfb*v\xfa?$=\xaf\x19%\xb1(tf\xfe++=\"\xbf\xbe\xf4\xecw\xa9\x8e\x04F\x82\x90\xea\xb3X\rO\xc1k`\x02\xa7\xf7\x85\x9e\xd6\xd3G\xed\xb4*:\x0fiQ\xaa\xa4\x17\xb5\x0f\x96/\x0eh\xc3\x06Hi-\x03z\xf9*L\x99f\x07\xc3\xee!s\xdd\xbe\xa7\x8c\x1c\vl\xaf\x9b" 400 405 "-" "-"
63.252.84.178 - - [11/Apr/2007:14:26:38 -0600] "$\x94\x15:\x91\xc5\xbaC\xbc\xc9\x88 \xd6L\xcdC\xf2\x0c55\xbd \x9c\xb3\x1c\xf36\x1b\x88\x8a\xc9\xf47?\x8c\xc9\x87\xf8\x14{\xad\xaaR~q3!\x10?M\xc6\x06HD\xa41w\xdd\x19\xaa\x9a\xbf\x9a\xe7\x1f" 400 405 "-" "-"
63.252.84.178 - - [11/Apr/2007:14:33:08 -0600] "\xfeql\xe4\xe3\r\x13K@\x9a\x04A\xf4\x91\xc3\xac\x15;\x87~\x98\x8dI\x89\x16\r\r78o8\x0fN\x86\xb8[\xb9\x17\xca\xb4\\\xeb\x10\xe6K\xbeP\xd1tx\x03@\x9f\xa2J\xa3\xc6\xfe;\xe4a\xfa4v[\xb7\x1e:M\xed\xe0\xa9\xc4\xcek" 400 405 "-" "-"
64.180.27.153 - - [11/Apr/2007:14:12:50 -0600] "\xe60R!\xbcJ\xba\xca\xd6\xf8\xee\x87\xd6O\xc0\x0fV\xd8e\xb6 \x07\x1a\x91\xab\xd5\x97\x89\x04&\xd8\xaf\x17\xf1p" 400 1061 "-" "-"

This debian server is kept up to date and has many layers of security. So I'm not too worried about it. The "\xbcJ\xba\xca\xd6\xf8\xee\x87\xd6O\xc0\x0fV\xd8e\xb6" stuff keeps spamming my logs and it is getting annoying.

MS3FGX · 04-11-2007, 08:40 PM

Looks like buffer overflow attempts that you get from the legions of script kiddies and bots on the Internet.

Though actually those are considerably smaller than the buffer overflows I usually see in my own logs.

Capt_Caveman · 04-12-2007, 12:09 AM

The key thing to look at is the http response code. In most cases a successfull compromise will result in a 200 (successful) status code. In a failed attempt you usually see a 3** or 4** (failed) statues depending on the what they are trying to do with the malicious URL. In this case they are all unsuccessful status codes.

If it concerns you that bad, you can use something like mod_security to filter common hex shellcode like that.

flashingcurser · 04-12-2007, 09:38 AM

Thanks I will do that in mod_security. It doesn't really bother me, it's just that I have to look through a lot of that stuff when I'm browsing my log files. And in the past I have only seen this once in a great while, now my log files are chalk full of it.

If it's just general script-kiddy'ing and not specific, than I'll just filter it and be done with it.

thanks

dan