comp.info.servers.unix Web servers for UNIX platforms.

Is my server being cracked?

12/05/2006, 11h05   #1
antonino

Hi,
I've found a lot of these entries in my Apache log, which is in the
combined format. I don't understand why the server responds with a 200 to
this request. Does anyone know which type of attack this is?

Debian Sarge Apache 2.0.52
Thank you a lot
Antonino Mastronardi

aaa.bbb.ccc.ddd - - [12/May/2006:11:58:10 +0200] "GET /stat/sms.php
HTTP/1.1" 200 38029 "http://www.aaa.com/stat/sms.php"
"[very long User-Agent string of random-looking characters snipped]"


12/05/2006, 16h42   #2
I R A Darth Aggie

On Fri, 12 May 2006 12:05:58 +0200,
antonino <arche_nxosxpxaxm_design@libero.it>, in
<44645da3$0$14780$4fafbaef@reader4.news.tin.it> wrote:

>+ I've found a lot of these entries in my Apache log, which is in the
>+ combined format. I don't understand why the server responds with a 200 to
>+ this request. Does anyone know which type of attack this is?


>+ aaa.bbb.ccc.ddd - - [12/May/2006:11:58:10 +0200] "GET /stat/sms.php
>+ HTTP/1.1" 200 38029 "http://www.aaa.com/stat/sms.php"
>+ "PBQLMLV >snip!<"


Looks an awful lot like someone is trying to cause a buffer overflow
in sms.php (or somewhere in your php stack). I don't know how robust
your sms.php script is, but it may be just returning a "Dude, that was
like radically bad input, would you like to try again?"

Or it could be handing out the keys to your kingdom, if it isn't so
robust. Have you noticed problems with the machine in general?

If you're connected to the internet, you'll notice any number of
attacks against any number of services.

--
Consulting Minister for Consultants, DNRC
I can please only one person per day. Today is not your day. Tomorrow
isn't looking good, either.
I am BOFH. Resistance is futile. Your network will be assimilated.

14/05/2006, 11h22   #5
Roy Schestowitz

__/ [ I R A Darth Aggie ] on Friday 12 May 2006 16:42 \__

> On Fri, 12 May 2006 12:05:58 +0200,
> antonino <arche_nxosxpxaxm_design@libero.it>, in
> <44645da3$0$14780$4fafbaef@reader4.news.tin.it> wrote:
>
>>+ I've found a lot of these entries in my Apache log, which is in the
>>+ combined format. I don't understand why the server responds with a 200 to
>>+ this request. Does anyone know which type of attack this is?

>
>>+ aaa.bbb.ccc.ddd - - [12/May/2006:11:58:10 +0200] "GET /stat/sms.php
>>+ HTTP/1.1" 200 38029 "http://www.aaa.com/stat/sms.php"
>>+ "PBQLMLV >snip!<"

>
> Looks an awful lot like someone is trying to cause a buffer overflow
> in sms.php (or somewhere in your php stack). I don't know how robust
> your sms.php script is, but it may be just returning a "Dude, that was
> like radically bad input, would you like to try again?"
>
> Or it could be handing out the keys to your kingdom, if it isn't so
> robust. Have you noticed problems with the machine in general?
>
> If you're connected to the internet, you'll notice any number of
> attacks against any number of services.


....Seems like an attempt to crack some statistics package which contains a
file called sms.php. Try a Web search to find out more. This might be a
brute force attack that moves from one Web site to another until a worthy
victim is found. Another statistics package, called awstats.pl, had a
severe vulnerability that could compromise the server and some data, if
not hand over control to the attacker. Keep abreast of software patches
and news.


Best wishes,

Roy

--
Roy S. Schestowitz
http://Schestowitz.com | Free as in Free Beer ¦ PGP-Key: 0x74572E8E
11:15am up 16 days 18:12, 12 users, load average: 1.05, 0.89, 0.82
http://iuron.com - semantic engine to gather information
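
An added triage example, not part of the thread: a Python script that parses combined-format log lines, flags requests whose User-Agent field is abnormally long (like the entry in the first post), and groups them by path, status and response size. The 512-character threshold, the 192.0.2.x addresses and the example.com referer are assumptions made for the sample.

```python
import re
from collections import Counter

# Apache "combined" format; a quoted field may contain backslash-escaped quotes.
Q = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'(\S+) \S+ \S+ \[([^\]]+)\] ' + Q + r' (\d{3}) (\d+|-) ' + Q + ' ' + Q + r'\s*$')
FIELDS = ("host", "time", "request", "status", "bytes", "referer", "agent")

MAX_AGENT_LEN = 512  # assumed threshold; browser User-Agent strings are far shorter

def parse(line):
    m = COMBINED.match(line)
    return dict(zip(FIELDS, m.groups())) if m else None

def triage(lines, max_agent_len=MAX_AGENT_LEN):
    """Return (findings, unparsed): one finding per request with an oversized User-Agent."""
    findings, unparsed = [], 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            unparsed += 1          # keep count: lines the parser skips are a blind spot
            continue
        if len(rec["agent"]) <= max_agent_len:
            continue
        parts = rec["request"].split()
        path = parts[1] if len(parts) >= 2 else rec["request"]
        findings.append({
            "host": rec["host"], "path": path, "status": int(rec["status"]),
            "bytes": rec["bytes"], "agent_len": len(rec["agent"]),
            # Referer naming the requested page itself, as in the entry in the first post
            "self_referer": rec["referer"].endswith(path),
        })
    return findings, unparsed

def summarize(findings):
    """Group flagged requests by (path, status, response size)."""
    return Counter((f["path"], f["status"], f["bytes"]) for f in findings)

PREFIX = ('192.0.2.77 - - [12/May/2006:11:58:%02d +0200] "GET /stat/sms.php HTTP/1.1" '
          '200 38029 "http://www.example.com/stat/sms.php" "%s"')
SAMPLE_LOG = [  # constructed lines modelled on the posted entry; addresses are placeholders
    '192.0.2.10 - - [12/May/2006:11:57:02 +0200] "GET /index.html HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (X11; Linux i686)"',
    PREFIX % (10, "PQXJ" * 1000),
    PREFIX % (12, "LMVA" * 1000),
    "not a combined-format line",
]

if __name__ == "__main__":
    found, skipped = triage(SAMPLE_LOG)
    print(summarize(found), "unparsed:", skipped)
```

Comparing the grouped response size with what the page returns for an ordinary request is a quick first check of whether the oversized header changed the script's output.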