Package: fail2ban
Version: 0.8.3-2sid1
Severity: normal

I have been getting entries like these in /var/log/apache2/error.log:

[Tue Mar 16 15:39:29 2010] [error] [client 58.179.109.179] Invalid URI in request \xf9h\xa9\xf3\x88\x8cXKj \xbf-l*4\x87n\xe4\xfe\xd4\x1d\x06\x8c\xf8m\\rS\xf6n\xeb\x8
[Mon Mar 15 15:44:47 2010] [error] [client 121.222.2.133] Invalid URI in request n\xed*\xbe*\xab\xefd\x80\xb5\xae\xf6\x01\x10M?\xf2\xce\x13\x9c\xd7\xa0N\xa7\xdb%0\xde\xe0\xfc\xd2\xa0\xfe\xe9w\xee\xc4`v\x9b[{\x0c:\xcb\x93\xc6\xa0\x93\x9c`l\\\x8d\xc9

They would be caught if filter.d/apache-overflows.conf was altered, e.g.:

--- apache-overflows.conf	2010-03-17 09:01:48.000000000 +1100
+++ apache-overflows.conf.new	2010-03-17 09:02:36.000000000 +1100
@@ -11,7 +11,7 @@
 # Notes.: Regexp to catch Apache overflow attempts.
 # Values: TEXT
 #
-failregex = [[]client <HOST>[]] (Invalid method in request|request failed: URI too long|erroneous characters after protocol string)
+failregex = [[]client <HOST>[]] (Invalid (method|URI) in request|request failed: URI too long|erroneous characters after protocol string)
 
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.

I'm not sure if this would lead to false positives, but this attack is active. Entries that do not have shellcode in them:

[Mon Jan 11 03:52:47 2010] [error] [client 219.80.23.234] Invalid URI in request GET HTTP/1.1 HTTP/1.1
[Mon Feb 15 00:21:11 2010] [error] [client 113.240.255.158] Invalid URI in request GET HTTP/1.1

Regards,
Jim

-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ISO-8859-1) (ignored: LC_ALL set to en_AU)
Shell: /bin/sh linked to /bin/bash

Versions of packages fail2ban depends on:
ii  lsb-base          3.2-20                 Linux Standard Base 3.2 init scrip
ii  python            2.5.2-3                An interactive high-level object-o
ii  python-central    0.6.8                  register and build utility for Pyt

Versions of packages fail2ban recommends:
ii  iptables          1.4.2-6                administration tools for packet fi
ii  whois             4.7.30                 an intelligent whois client

Versions of packages fail2ban suggests:
ii  bsd-mailx [mailx] 8.1.2-0.20071201cvs-3  A simple mail user agent
ii  mailx             1:20071201-3           Transitional package for mailx ren
pn  python-gamin      <none>                 (no description available)

-- no debconf information
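Review bot: the widened alternative `Invalid (method|URI) in request` in the `+failregex` line also matches the two `GET HTTP/1.1` entries quoted further down, which carry no shellcode, so the filter starts counting any malformed request line rather than only overflow attempts, and the jail's maxretry/findtime becomes the only thing keeping broken-but-harmless clients out of the ban list. The `# Notes.: Regexp to catch Apache overflow attempts.` context line is left unchanged; either update that comment to say the filter now also covers invalid URIs, or put the new alternative in its own filter so it can run with a higher maxretry than the overflow patterns.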
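As an added illustration (not part of Jim's report or of fail2ban's own code), the Python below compiles the old and proposed failregex the way fail2ban does and runs both over the error_log lines quoted in the report (shortened, plus one constructed benign line), showing that the proposed pattern also fires on the two non-shellcode entries, which is exactly the false-positive question raised. The `<HOST>` expansion used here is assumed to be equivalent to what the 0.8 series substitutes before compiling.

```python
import re

# Apache error_log lines quoted in the report (shortened), plus one constructed
# benign line at the end so the comparison has a negative case.
SAMPLE_LINES = [
    r"[Tue Mar 16 15:39:29 2010] [error] [client 58.179.109.179] Invalid URI in request \xf9h\xa9\xf3\x88",
    r"[Mon Mar 15 15:44:47 2010] [error] [client 121.222.2.133] Invalid URI in request n\xed*\xbe*\xab\xefd",
    "[Mon Jan 11 03:52:47 2010] [error] [client 219.80.23.234] Invalid URI in request GET HTTP/1.1 HTTP/1.1",
    "[Mon Feb 15 00:21:11 2010] [error] [client 113.240.255.158] Invalid URI in request GET HTTP/1.1",
    "[Mon Feb 15 00:22:00 2010] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico",
]

# The failregex values from the hunk, before and after the proposed change.
OLD_FAILREGEX = (r"[[]client <HOST>[]] (Invalid method in request|"
                 r"request failed: URI too long|erroneous characters after protocol string)")
NEW_FAILREGEX = (r"[[]client <HOST>[]] (Invalid (method|URI) in request|"
                 r"request failed: URI too long|erroneous characters after protocol string)")

# fail2ban replaces the <HOST> tag with a named group before compiling. This
# expansion (optional IPv4-mapped IPv6 prefix, then a non-space run) is assumed
# to be equivalent to the one the 0.8 series uses.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"


def compile_failregex(failregex):
    """Compile a fail2ban failregex string into a Python pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def matching_hosts(failregex, lines):
    """Return the client addresses that failregex would report, in log order."""
    pattern = compile_failregex(failregex)
    return [m.group("host") for m in map(pattern.search, lines) if m]


if __name__ == "__main__":
    for label, regex in (("old", OLD_FAILREGEX), ("new", NEW_FAILREGEX)):
        print(label, matching_hosts(regex, SAMPLE_LINES))
```

Running it shows the old pattern matching none of the lines and the new one reporting all four "Invalid URI" clients, shellcode or not, while the benign line stays unmatched.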