From: Jon Loeliger
To: questions@freebsd.org
Subject: Attempted Buffer Overrun in via httpd?
Date: Sat, 04 Aug 2001 12:23:08 -0500

Folks,

I see a large number of httpd requests that look like this:

211.41.175.10 - - [03/Aug/2001:23:49:55 -0500] "GET /default.ida?NNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3
%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=
a HTTP/1.0" 400 316 "-" "-"

in my httpd access logs. This just smells like an attempted buffer
overrun exploit at work. Anyone recognize it and know anything
about it? Should I be worried?

I'm running a current (right out of Ports) Apache here.

Thanks,
jdl
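
The following is an added example, not part of the original message: a small Python scan of an Apache access log for requests of the shape quoted above (a path ending in .ida, a long run of one repeated character, and %uXXXX-encoded words), tallied per client and per status code. The function names, the 64-character threshold, the two-reason rule and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Apache common/combined log prefix; referer and user-agent fields are ignored.
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<request>.*?)" (?P<status>\d{3}) \S+')
PAD_RUN = re.compile(r'(.)\1{63,}')       # 64+ repeats of one character (assumed threshold)
PCT_U = re.compile(r'%u[0-9a-fA-F]{4}')   # non-standard %uXXXX encoding


def classify(request):
    """Return the reasons a request line resembles the entry quoted above."""
    parts = request.split(' ')
    target = parts[1] if len(parts) >= 2 else request
    path, _, query = target.partition('?')
    reasons = []
    if path.lower().endswith('.ida'):
        reasons.append('ida-path')
    if PAD_RUN.search(query):
        reasons.append('padding-run')
    if PCT_U.search(query):
        reasons.append('pct-u-encoding')
    return reasons


def scan(lines):
    """Count matching requests per client and per status; a hit needs 2+ reasons."""
    hits = Counter()
    statuses = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and len(classify(m['request'])) >= 2:
            hits[m['host']] += 1
            statuses[m['status']] += 1
    return hits, statuses


# Constructed sample lines: documentation addresses, shortened request string.
PROBE = 'GET /default.ida?' + 'N' * 224 + '%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0'
SAMPLE = [
    f'192.0.2.10 - - [03/Aug/2001:23:49:55 -0500] "{PROBE}" 400 316 "-" "-"',
    f'192.0.2.10 - - [03/Aug/2001:23:51:02 -0500] "{PROBE}" 400 316 "-" "-"',
    '198.51.100.7 - - [03/Aug/2001:23:52:10 -0500] "GET /index.html?q=ida HTTP/1.0" 200 1024 "-" "-"',
    '198.51.100.7 - - [03/Aug/2001:23:53:10 -0500] "GET /docs/a.ida HTTP/1.0" 404 210 "-" "-"',
]

if __name__ == '__main__':
    print(scan(SAMPLE))
```

The status tally shows how the server answered each matching request; in the entry quoted in the message, Apache answered 400.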