LogWatch

Gene Heskett gene.heskett at verizon.net
Wed Jul 21 13:10:26 UTC 2004


On Wednesday 21 July 2004 05:23, John Morrison wrote:
>Hi,
>Looking at the root user mail I noticed the following appears
> frequently in the logfiles:
>
> --------------------- httpd Begin ------------------------
>
>A total of 2 sites probed the server
>  81.51.104.14
>  81.10.211.182
>
>A total of 2 unidentified 'other' records logged
>  GET /sumthin HTTP/1.0 with response code(s) 404
>  SEARCH
>/\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
>1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
>2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
>1\x02\xb1\x02\xb1\x02\xb1\x
>
>The 'SEARCH' line goes on and on for pages (only shown a portion of
> it for brevity). I have never seen this before and would like to
> know what is happening and should I block the sites that the probe
> comes from. The web server is only for my personal development.
>
>Cheers,
>
>John
>--

Someone is trying a known-to-work buffer overflow attack on your
machine.  I'd highly recommend getting both tcpwrapper and iptables
going, possibly even with portsentry to do an automatic rule
installation on the detection of a scan.

I'd also get, install and run the latest 'chkrootkit'.  It's designed
to recognize the signatures of most of the rootkits extant.

As always, Google is your friend.

-- 
Cheers, Gene
There are 4 boxes to be used in defense of liberty. 
Soap, ballot, jury, and ammo.
Please use in that order, starting now.  -Ed Howdershelt, Author
Additions to this message made by Gene Heskett are Copyright 2004, 
Maurice E. Heskett, all rights reserved.
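
Added example, not part of the original message: a small Python scan of Apache access-log lines that flags requests shaped like the SEARCH line quoted above (uncommon method, very long URI, URI made mostly of `\x..` escapes) and groups the reasons by client address. The method allowlist, the thresholds and the sample log lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Apache common/combined log prefix: host ident user [time] "request" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(.*?)" (\d{3}) (\S+)')
ESCAPE_RE = re.compile(r'\\x[0-9a-fA-F]{2}')   # Apache logs raw bytes as \xNN
USUAL_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}   # assumed allowlist
# Thresholds are assumptions for this example; tune them to your own traffic.
MAX_URI_LEN = 2048
MAX_ESCAPE_RATIO = 0.5

def classify(request):
    """Return the list of reasons a logged request line looks like a probe."""
    reasons = []
    parts = request.split(" ", 2)
    method = parts[0]
    uri = parts[1] if len(parts) > 1 else ""
    if method not in USUAL_METHODS:
        reasons.append("unusual-method:" + method)
    if len(uri) > MAX_URI_LEN:
        reasons.append("long-uri")
    escaped = 4 * len(ESCAPE_RE.findall(uri))   # each \xNN is 4 characters
    if uri and escaped / len(uri) >= MAX_ESCAPE_RATIO:
        reasons.append("binary-uri")
    return reasons

def scan(lines):
    """Map each flagged client address to the set of reasons seen for it."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue   # not an access-log line in the expected format
        host, request = m.group(1), m.group(2)
        for reason in classify(request):
            hits[host].add(reason)
    return dict(hits)

# Constructed sample lines (documentation addresses, not real log data).
SAMPLE = [
    '192.0.2.10 - - [21/Jul/2004:05:01:02 +0000] "GET /index.html HTTP/1.0" 200 512',
    '192.0.2.77 - - [21/Jul/2004:05:03:09 +0000] "GET /sumthin HTTP/1.0" 404 283',
    '198.51.100.5 - - [21/Jul/2004:05:04:40 +0000] "SEARCH /\\x90' + '\\x02\\xb1' * 1000 + '" 414 340',
]

if __name__ == "__main__":
    for host, reasons in sorted(scan(SAMPLE).items()):
        print(host, ", ".join(sorted(reasons)))
```

The plain 404 for `/sumthin` is not flagged; only the client that sent the long escaped SEARCH request is reported.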




