Re: Another exploit against apache or kernel

[Paul Schmehl <pauls () utdallas edu>]

--On Tuesday, May 10, 2005 11:57:40 PM +0200 Adrian Senn <adrian () senn ch> 
wrote:
> Since some weeks we have an intruder which is exploiting us and poisoning
> us
> with the Virus Unix/RST.A
> I found now how it happens at it isn't clear to me what he is doing.
>
> I found in the apache log file some interesting strings.
>
> Repeating entries as this
> ip-hide - - [10/May/2005:19:58:00 +0200]
> "\v\xa5\xe5)(\xdd\xb7|\xd5\xad&\xd79" 400 - "-" "-"
Have you not heard of mod_security?
SecFilterSelective THE_REQUEST "ip-hide" would stop this attack cold.

So would:
SecFilterSelective THE_REQUEST "\.\."

<http://www.modsecurity.org/>

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/