Web Application Security
Apache Killer - take 2? Jan 19 2012 07:59PM
Damiano Bolzoni (damiano bolzoni utwente nl) (1 replies)
Hi all,
today we saw a weird HTTP header in a request that came to a web server
we are monitoring:

HEAD /contact HTTP/1.1
Content-Range: bytes 1-1024/-1
User-Agent: Opera/9.80 (Windows NT 5.1; U; pl) Presto/2.5.22 Version/10.51
Host: www.xyz.nl
Accept: */*

The offending IP is not in any blacklist, and the intent is kind of
clear...the server is Apache, but I have no detailed information about
the version/patching level. The server went ahead with a simple redirect
to the default error page.

Is this just a clumsy way to attempt an overflow of one of the range
boundaries and replicate the infamous Apache Killer attack?


Dr. Damiano Bolzoni

damiano.bolzoni (at) utwente (dot) nl [email concealed]
Homepage http://dies.ewi.utwente.nl/~bolzonid/
PGP public key http://dies.ewi.utwente.nl/~bolzonid/public_key.asc
Skype ID: damiano.bolzoni (at) utwente (dot) nl [email concealed]

Distributed and Embedded Security Group - University of Twente
P.O. Box 217 7500AE Enschede, The Netherlands
Phone +31 53 4893744
Mobile +31 629 008724
ZILVERLING building, room 3015

This list is sponsored by Cenzic
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!

[ reply ]
Re: Apache Killer - take 2? Jan 23 2012 01:40PM
Anestis Bechtsoudis (bechtsoudis a gmail com)


Privacy Statement
Copyright 2010, SecurityFocus