LogWatch

Scot L. Harris webid at cfl.rr.com
Wed Jul 21 12:48:21 UTC 2004


On Wed, 2004-07-21 at 05:23, John Morrison wrote:
> Hi,
> Looking at the root user mail I noticed the following appears frequently
> in the logfiles:
> 
>  --------------------- httpd Begin ------------------------
>  
> A total of 2 sites probed the server
>   81.51.104.14
>   81.10.211.182
>  
> A total of 2 unidentified 'other' records logged
>   GET /sumthin HTTP/1.0 with response code(s) 404
>   SEARCH
> /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x
> 
> The 'SEARCH' line goes on and on for pages (only shown a portion of it
> for brevity). I have never seen this before and would like to know what
> is happening and should I block the sites that the probe comes from. The
> web server is only for my personal development.
> 
> Cheers,
> 
> John
> -- 

When in doubt, block it; if it was something legit or important, someone
will complain to the admin and you can fix it.

Looks like an attempt at a buffer overflow possibly.

-- 
Scot L. Harris
webid at cfl.rr.com

Are you still an ALCOHOLIC? 
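
A defensive check for the kind of request quoted above, as an added example that is not part of the original messages: it scans Apache access-log lines for unexpected methods, over-long URIs and long runs of escaped bytes, and groups the findings by client address. The function name, thresholds and sample log lines (documentation-range addresses, constructed status codes) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Apache common log format: host ident user [time] "request" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(.*)" (\d{3}) \S+')
# Apache writes non-printable request bytes to the access log as \xhh
ESCAPED_BYTE = re.compile(r'\\x[0-9a-fA-F]{2}')
# Methods this (assumed) server is expected to see; SEARCH is a WebDAV method
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}

def suspicious_requests(lines, max_uri_len=2048, max_escaped=16):
    """Return {client_ip: [reason, ...]} for requests that look like overflow probes.

    max_uri_len is compared against the URI as logged (escaped form);
    both thresholds are assumptions to tune per site.
    """
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        host, request, _status = m.groups()
        parts = request.split(" ")
        method = parts[0]
        uri = parts[1] if len(parts) > 1 else ""
        reasons = []
        if method not in KNOWN_METHODS:
            reasons.append("unexpected method " + method)
        if len(uri) > max_uri_len:
            reasons.append("URI length %d" % len(uri))
        escaped = len(ESCAPED_BYTE.findall(uri))
        if escaped > max_escaped:
            reasons.append("%d escaped non-printable bytes" % escaped)
        if reasons:
            hits[host].append("; ".join(reasons))
    return dict(hits)

# Constructed sample lines, modelled on the LogWatch excerpt in this thread
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Jul/2004:03:12:01 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.10 - - [21/Jul/2004:03:12:05 +0000] "GET /sumthin HTTP/1.0" 404 280',
    '198.51.100.7 - - [21/Jul/2004:04:40:17 +0000] "SEARCH /\\x90'
    + '\\x02\\xb1' * 400 + ' HTTP/1.0" 501 320',
]

if __name__ == "__main__":
    for ip, reasons in suspicious_requests(SAMPLE_LOG).items():
        print(ip, "->", reasons)
```
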




