Full Disclosure mailing list archives

Re: Another exploit against apache or kernel
From: Paul Schmehl <pauls () utdallas edu>
Date: Tue, 10 May 2005 17:04:41 -0500

--On Tuesday, May 10, 2005 11:57:40 PM +0200 Adrian Senn <adrian () senn ch> wrote:

> For some weeks we have had an intruder who is exploiting us and poisoning
> us with the virus Unix/RST.A.
> I have now found how it happens, but it isn't clear to me what he is doing.
>
> I found some interesting strings in the apache log file.
>
> Repeating entries like this:
> ip-hide - - [10/May/2005:19:58:00 +0200]
> "\v\xa5\xe5)(\xdd\xb7|\xd5\xad&\xd79" 400 - "-" "-"

Have you not heard of mod_security?
SecFilterSelective THE_REQUEST "ip-hide" would stop this attack cold.

So would:
SecFilterSelective THE_REQUEST "\.\."


Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
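The two SecFilterSelective rules above act on THE_REQUEST at request time. The same idea can be run over the access log after the fact to see how often the garbage requests recur and from how many clients before a filter is put in place. The following Python script is an added example, not code from the original post or from the mod_security project: it parses Apache combined-format lines with a regex written for this example, flags request lines in which Apache had to escape control or high bytes (the `\v`, `\xa5`, ... seen in the post), flags bare 400 responses to request lines that do not have the `METHOD path HTTP/x.y` shape, applies the post's `\.\.` pattern as a THE_REQUEST-style rule, and counts flagged entries per client. The log sample is constructed: the first line is the one quoted in the post, the other three are made up for the example, and `ip-hide` is kept as the anonymised address the post used.

```python
import re
from collections import Counter

# Apache "combined" log format. Regex written for this example; not from the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)
# Apache logs unprintable request bytes as \xHH or C-style \n, \v, ...;
# a literal backslash or quote is logged as \\ or \" and is not suspicious.
ESCAPE_RE = re.compile(r'\\(x[0-9a-fA-F]{2}|.)')
# Shape of a well-formed request line; anything else that drew a 400 is suspect.
REQUEST_LINE_RE = re.compile(r'^[A-Z]+ \S+ HTTP/\d\.\d$')
# Log-side equivalent of the post's SecFilterSelective THE_REQUEST "\.\." rule.
THE_REQUEST_RULES = {
    "dot-dot": re.compile(r'\.\.'),
}


def parse(line):
    """Split one combined-format log line into named fields, or return None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def has_nonprintable(request):
    """True if Apache had to escape a control or high byte in the request line."""
    return any(esc not in ('\\', '"') for esc in ESCAPE_RE.findall(request))


def classify(line):
    """Return the reasons an entry looks like a probe; an empty list means clean."""
    entry = parse(line)
    if entry is None:
        return ["unparseable"]
    req = entry["request"]
    reasons = []
    if has_nonprintable(req):
        reasons.append("binary-request")
    if entry["status"] == "400" and not REQUEST_LINE_RE.match(req):
        reasons.append("malformed-400")
    for name, pattern in THE_REQUEST_RULES.items():
        if pattern.search(req):
            reasons.append(name)
    return reasons


def repeat_offenders(lines, min_hits=2):
    """Count flagged entries per client and keep clients at or above min_hits."""
    counts = Counter()
    for line in lines:
        if not classify(line):
            continue
        entry = parse(line)
        counts[entry["ip"] if entry else "<unparseable>"] += 1
    return {ip: n for ip, n in counts.items() if n >= min_hits}


# Constructed sample: the entry quoted in the post plus three made-up lines.
SAMPLE_LOG = [
    r'ip-hide - - [10/May/2005:19:58:00 +0200] "\v\xa5\xe5)(\xdd\xb7|\xd5\xad&\xd79" 400 - "-" "-"',
    r'203.0.113.7 - - [10/May/2005:20:01:10 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    r'198.51.100.9 - - [10/May/2005:20:02:00 +0200] "GET /cgi-bin/../../etc/passwd HTTP/1.0" 404 - "-" "-"',
    r'ip-hide - - [10/May/2005:19:58:03 +0200] "\x01\x02\x80\xff" 400 - "-" "-"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line) or "clean", "<-", line[:60])
    print("repeat offenders:", repeat_offenders(SAMPLE_LOG))
```

Run it against a real access_log with `classify` applied line by line, then look at `repeat_offenders` before writing a blocking rule. One caveat worth checking first: a 400 whose request line is pure binary is also what Apache logs when a client sends a TLS handshake to the plaintext port, so a handful of such lines from many different clients is usually misconfiguration on their side, while the same few bytes repeated from one source, as in the post, is what a filter on THE_REQUEST is meant to stop.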
