Re: Router Worm? Nov 19 2003 10:38PM Jay D. Dyson (jdyson treachery net) (1 replies)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wed, 19 Nov 2003, Chris Strom wrote:
> I've received a strange HTTP request on my web site from two different
> sources. The request is logged as:
>
> SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
<snip of 32K attack signature>
I've seen much the same here on all of my web servers. I have in
excess of one megabyte of these attack signatures in my logs. Some of
them are one-time attacks; others are "burst" attacks and come one after
another for several minutes.
Haven't bothered looking into what the culprit is yet, but am
interested to learn what's at the heart of this log-bloater. In the
meantime, I'm blocking the offending IP addresses that spew this junk.
- -Jay
( ( _______
)) )) .-"There's always time for a good cup of coffee"-. >====<--.
C|~~|C|~~| (>----- Jay D. Dyson -- jdyson (at) treachery (dot) net -----<) | = |-'
`--' `--' `--- Next time let's screw it up my way first ---' `------'
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.
iD8DBQE/u/DoxdMhRVezQfcRAm7fAJ99WWsLh4ScPJduM/V95XaFNgwO8gCghnXL
8hr1V4xAd6yXQ+yyyS+qg4c=
=w9ru
-----END PGP SIGNATURE-----
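Added example, not part of the original post: one way to pull the sources of these oversized `SEARCH` requests out of an access log and separate one-time hits from the "burst" pattern the message describes, so the block list can be built from the log. The Apache common log format, the thresholds, and all function names are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed: Apache common log format, non-printable bytes logged as \xNN.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (.*?)(?: HTTP/[\d.]+)?" (\d{3}) ')
ESCAPED_BYTE = re.compile(r'\\x[0-9a-fA-F]{2}')

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line
    ip, ts, method, uri, _status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, uri

def is_suspect(method, uri, min_len=1024, min_ratio=0.5):
    """True for a SEARCH whose oversized URI is mostly \\xNN-escaped bytes."""
    if method != "SEARCH" or len(uri) < min_len:
        return False
    return 4 * len(ESCAPED_BYTE.findall(uri)) / len(uri) >= min_ratio

def summarize(lines, burst_count=3, burst_window=300):
    """Map each offending IP to its hit count and a burst flag
    (burst = burst_count hits from one source within burst_window seconds)."""
    seen = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and is_suspect(rec[2], rec[3]):
            seen[rec[0]].append(rec[1])
    report = {}
    for ip, times in seen.items():
        times.sort()
        burst = any((times[i + burst_count - 1] - times[i]).total_seconds() <= burst_window
                    for i in range(len(times) - burst_count + 1))
        report[ip] = {"hits": len(times), "burst": burst}
    return report

# Constructed sample: documentation-range IPs; URI repeats the quoted byte pattern.
SAMPLE_URI = "/\\x90" + "\\x02\\xb1" * 400
def make_line(ip, hms, request, status):
    return f'{ip} - - [19/Nov/2003:{hms} -0800] "{request}" {status} 0'

SAMPLE = [
    make_line("192.0.2.10", "10:00:01", "SEARCH " + SAMPLE_URI, 414),
    make_line("192.0.2.10", "10:00:40", "SEARCH " + SAMPLE_URI, 414),
    make_line("203.0.113.5", "10:01:00", "GET /index.html HTTP/1.0", 200),
    make_line("192.0.2.10", "10:02:15", "SEARCH " + SAMPLE_URI, 414),
    make_line("198.51.100.7", "11:30:00", "SEARCH " + SAMPLE_URI, 414),
    make_line("203.0.113.5", "11:31:00", "SEARCH /docs HTTP/1.1", 501),
]
```

`summarize(SAMPLE)` reports only the two sources that sent the oversized requests; the short `SEARCH /docs` and the ordinary `GET` are ignored.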