Re: Another exploit against apache or kernel
From: Paul Schmehl <pauls () utdallas edu>
Date: Tue, 10 May 2005 17:04:41 -0500
--On Tuesday, May 10, 2005 11:57:40 PM +0200 Adrian Senn <adrian () senn ch> wrote:

> For some weeks we have had an intruder who is exploiting us and poisoning
> with the virus Unix/RST.A.
> I found now how it happens, but it isn't clear to me what he is doing.
> I found in the apache log file some interesting strings.
> Repeating entries such as this:
> ip-hide - - [10/May/2005:19:58:00 +0200]
> "\v\xa5\xe5)(\xdd\xb7|\xd5\xad&\xd79" 400 - "-" "-"

Have you not heard of mod_security?
SecFilterSelective THE_REQUEST "ip-hide" would stop this attack cold.
SecFilterSelective THE_REQUEST "\.\."
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
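
One way to find entries like the one quoted above in an existing access log, along with requests containing "..", written as an added example that is not part of the original message. The sample log lines, the 192.0.2.x addresses and the function names are constructed for illustration.

```python
import re

# Apache common/combined log format: host ident user [time] "request" status size
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) ')
# Apache logs non-printable request bytes as \xhh or \b \n \r \t \v, and
# escapes a literal backslash or quote as \\ and \".
ESCAPE_RE = re.compile(r'\\(x[0-9a-fA-F]{2}|.)')
# Shape of a normal request line: METHOD target HTTP/x.y
REQUEST_LINE_RE = re.compile(r'^[A-Z]+ \S+ HTTP/\d\.\d$')


def classify(line):
    """Return (host, status, reasons) for a log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    request = m.group("request")
    reasons = []
    # Any escape other than \\ or \" means raw control/high-bit bytes were sent.
    if any(e not in ('\\', '"') for e in ESCAPE_RE.findall(request)):
        reasons.append("binary-bytes")
    if not REQUEST_LINE_RE.match(request):
        reasons.append("not-a-request-line")
    if ".." in request:
        reasons.append("dot-dot")
    return m.group("host"), int(m.group("status")), reasons


def scan(lines):
    """Keep only the parsed entries that triggered at least one reason."""
    results = (classify(line) for line in lines)
    return [r for r in results if r and r[2]]


# Constructed sample entries (addresses from the 192.0.2.0/24 documentation range).
SAMPLE = [
    r'192.0.2.10 - - [10/May/2005:19:58:00 +0200] "\v\xa5\xe5)(\xdd\xb7|\xd5\xad&\xd79" 400 - "-" "-"',
    r'192.0.2.11 - - [10/May/2005:19:58:02 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    r'192.0.2.12 - - [10/May/2005:19:58:05 +0200] "GET /images/../../conf/httpd.conf HTTP/1.0" 404 210 "-" "-"',
]

if __name__ == "__main__":
    for host, status, reasons in scan(SAMPLE):
        print(host, status, ",".join(reasons))
```
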