Security question, strange packet in apache request

INFINYT9 · 04-01-2004, 08:58 PM

Hi...

Im not a linux newbie really. I've been running Gentoo for a while, and Im pretty confy in Linux.

I run a apache 2 server (up to date all the time)
and I was checking the logs and saw something weird, since theres alot of knowledgeable people around here, I though maybe someone knew what this was. Careful, the request is pretty long...

---------------------------------------------------------------------
... yeah well, the query is too long, so briefly... here the interesting part:
0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9 0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9 0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9 0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9 0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9 0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9 0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9 0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9 0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9 0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90cc-lib/i686-pc-linux-gnu/3.3.2/../../../../i686-pc-linux-gnu/bin/as -Qy -o format_mp3.o -\nroot 1318 0.0 2.4 27292 9416 ? S
Mar31 0:00 /usr/sbin/apache2 -k start\napache 1369 0.0 2.5 27424 9864 ? S
Mar31 0:00 \\_ /usr/sbin/apache2 -k start\napache 1370 0.0 2.7 27940 10656 ? S
Mar31 0:00 \\_ /usr/sbin/apache2 -k start\napache 1371 0.0 2.7 27928 10672 ? S
Mar31 0:01 \\_ /usr/sbin/apache2 -k start\napache 1372 0.0 2.7 27856 10408 ? S
Mar31 0:00 \\_ /usr/sbin/apache2 -k start\napache 1373 0.0 2.7 27920 10660 ? S
Mar31 0:01 \\_ /usr/sbin/apache2 -k start\napache 18646 0.0 2.5 27420 9852 ? S
Mar31 0:01 \\_ /usr/sbin/apache2 -k start\napache 27111 0.0 2.7 27780 10444 ? S
07:27 0:03 \\_ /usr/sbin/apache2 -k start\napache 6027 0.0 2.5 27420 9852 ? S
12:03 0:00 \\_ /usr/sbin/apache2 -k start\napache 12795 0.0 2.5 27428 9860 ? S
12:03 0:00 \\_ /usr/sbin/apache2 -k start\napache 17582 0.0 0.2 2440 828 ? R
18:26 0:00 | \\_ ps -auxf --cols=250\napache 22914 0.0 2.6 27552 10096 ? S
12:03 0:00 \\_ /usr/sbin/apache2 -k start\nnobody 1374 0.0 0.1 1780 728 ? S
Mar31 0:00 /usr/sbin/noip2 -c /etc/no-ip2.conf\nnobody 1407 0.0 2.5 57084 9752 ? S
Mar31 0:00 /usr/bin/ntop -d -L -q\nnobody 1498 0.0 2.5 57084 9752 ? S
Mar31 0:00 \\_ /usr/bin/ntop -d -L -q\nnobody 1499 0.0 2.5 57084 9752 ? S
Mar31 0:00 \\_ /usr/bin/ntop -d -L -q\nnobody 1501 0.1 2.5 57084 9752 ? R
Mar31 1:28 \\_ /usr/bin/ntop -d -L -q\nnobody 1503 0.0 2.5 57084 9752 ? S
Mar31 0:00 \\_ /usr/bin/ntop -d -L -q\nnobody 1508 0.0 2.5 57084 9752 ? S
Mar31 0:00 \\_ /usr/bin/ntop -d -L -q\nnobody 1509 0.0 2.5 57084 9752 ? S
Mar31 0:27 \\_ /usr/bin/ntop -d -L -q\nroot 1472 0.0 0.4 5136 1624 ? S
Mar31 0:00 /usr/sbin/smbd\nroot 1474 0.0 0.2 3892 1076 ? S Mar31 0:00 /usr/sbin/nmbd\nroot 1516 98.8 3.8 16872 14724 ? RN
Mar31 1129:41 /opt/setiathome/setiathome -nice 19\nroot 1517 98.7 4.1 17900 15820 ? RN
Mar31 1129:02 /opt/setiathome/setiathome -nice 19\nroot 1541 0.0 0.1 1656 632 ? S
Mar31 0:00 /usr/sbin/cron\nroot 1574 0.0 0.1 1960 456 ? S Mar31 0:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf\nroot 1585 0.0 0.1 1508 564 vc/1 S
Mar31 0:00 /sbin/agetty 38400 tty1 linux\nroot 1586 0.0 0.1 1508 564 vc/2 S
Mar31 0:00 /sbin/agetty 38400 tty2 linux\nroot 1587 0.0 0.1 1508 564 vc/3 S
Mar31 0:00 /sbin/agetty 38400 tty3 linux\nroot 1588 0.0 0.1 1508 564 vc/4 S
Mar31 0:00 /sbin/agetty 38400 tty4 linux\nroot 1589 0.0 0.1 1508 564 vc/5 S
Mar31 0:00 /sbin/agetty 38400 tty5 linux\nroot 1590 0.0 0.1 1508 564 vc/6 S
Mar31 0:00 /sbin/agetty 38400 tty6 linux\n</pre>\n\n\n" 414 250 "-" "-"
66.214.34.223 - -

heres the real thing:
-----------------------------------------------------

So what I see is this: A bunch of compiled mahcine code of some sort, probably to exploit a buffer overflow or something, and then, execution of a command, and the weirdess, the output of what seems to be an accurate ps... So Im wondering wtf?!?!

Can anyone?

PS: Sorry if this doesnt belong here, I didnt really know where to ask

320mb · 04-01-2004, 11:12 PM

Quote:

In the Intel architecture the NOP instruction is one byte long
and it translates to 0x90 in machine code.

This is a quote from smashing the stack for fun and profit.........LOL
looks like someone was trying for a buffer overflow!!

unSpawn · 04-02-2004, 01:13 AM

320's right on that one.
Are you running Icecast? If so, is it an older version?

INFINYT9 · 04-02-2004, 08:57 AM

hmmm, interesting.

I was testing out with outcast (icecastv2) but :
1) I was having probs with the config, it didnt start, so it wasnt started,
2) Its the latest version ( gotta love gentoo).

So basically, you guys are saying that someone was smashing the stack. (what I thought too)

But would this be an apache vuln?

ps:Thank you very much for your answers

320mb · 04-02-2004, 10:41 AM

http://www.slackware.com/security/vi...ecurity.559833

this is the apache security update from last year!! more than likely they were checking to see if You had updated it.........

INFINYT9 · 04-02-2004, 10:43 AM

Thank you very much

I checked my worries with netcat, I piped the query to my server, and it responded with a URL too long message

Thanks for your help guyz!