Looks like a win32 hack for apache. Here's the header of the script. Google for "Apache request DEADBEEF \x90".
#!/usr/bin/perl
###############
##[ Header
# Name:         boomerang.pl
# Purpose:      Proof of concept exploit for Apache Win32 chunked encoding bug
# CVE:          CVE-2002-0392
# Author:       H D Moore <[EMAIL PROTECTED]>
# Copyright:    Copyright (C) 2003 Digital Defense Inc.
# Distribution: This code may not be redistributed.
# Release Date: January 9, 2003
# Revision:     1.1
# Download:     http://www.digitaldefense.net/labs/securitytools.html
##
##[ Notes
#
# This exploit causes the remote process to connect back
# to the attacking system and spawn a shell. The address
# and port are specified via -H and -P. This code will
# only work on Windows 2000 (all SP's) and may fail if
# Apache service has third-party modules installed. If
# the default settings don't work, try running in "brute"
# or "quick" mode. The Apache code that is bundled with
# related Oracle and IBM products may die after the first
# attempt, otherwise brute-forcing is entirely possible. A
# working NT 4.0 exploit exists but will not be made public,
# the memory layout is a bit different and esi is used instead
# of ebx for returning back to the shell code.
#
###

-----Original Message-----
From: Reuben D. Budiardja [mailto:[EMAIL PROTECTED]
Sent: Saturday, August 23, 2003 10:31 AM
To: [EMAIL PROTECTED]
Subject: Hacking attempt through Apache?
I got the following in my Apache access_log:

213.196.148.15 - - [23/Aug/2003:10:27:38 -0400] "GET / HTTP/1.1" 200 5316
213.196.148.15 - - [23/Aug/2003:10:27:38 -0400] "DEADBEEF \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 ...

and in my apache error log:

[Sat Aug 23 10:26:57 2003] [error] [client 213.196.148.15] Invalid URI in request DEADBEEF [EMAIL PROTECTED] goklçðwKõTÖ“‘“õTÖ‘”ìTÖFWùƒÆÀlÄouSæÐ Z"‚Äwn`8ÌT֓ד““yίyΫyÎÓTÖ¿’’““#Ö×ÃÄx•ÕvSæjÂÁÅÀlAÉÊy”ÔÔÔÔqzP
[Sat Aug 23 10:27:38 2003] [error] [client 213.196.148.15] Invalid URI in request DEADBEEF [EMAIL PROTECTED] lçðwKõTÖ“‘“õTÖ‘”ìTÖFWùƒÆÀlÄouSæÐ Z"‚Äwn`8ÌT֓ד““yίyΫyÎÓTÖ¿’’““#Ö×ÃÄx•ÕvSæjÂÁÅÀlAÉÊy”ÔÔÔÔqzP

Now, since I know the IP, what can I do about this? Please help me with advice.

Thanks a lot.
RDB
--
Reuben D. Budiardja
Department of Physics and Astronomy
The University of Tennessee, Knoxville, TN
-------------------------------------------------
/"\  ASCII Ribbon Campaign against HTML
\ /  email and proprietary format
 X   attachments.
/ \
-------------------------------------------------
Have you been used by Microsoft today?
Choose your life. Choose freedom.
Choose LINUX.
-------------------------------------------------

--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/redhat-list
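The following is an added example and is not part of the thread or of boomerang.pl. It is a small Python scanner that parses Apache access_log and error_log lines like the ones quoted above and flags the boomerang.pl request signature: the fake "DEADBEEF" method and the run of NOP bytes, which access_log records as escaped \x90 sequences and error_log writes raw. The sample lines are constructed, modeled on the post's entries with the sled shortened and the shellcode bytes replaced by a placeholder; the 16-byte sled threshold, the finding label and all function names are assumptions of this example.

```python
"""Flag Apache log lines carrying the boomerang.pl (CVE-2002-0392) request signature."""
import re
from collections import Counter

# Common/combined access_log entry. Apache writes non-printable request bytes
# as \xHH escapes, so a NOP sled appears as a literal "\x90\x90..." run.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Apache 1.3 error_log entry for a rejected request line.
ERROR_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$'
)
# A run of NOPs in either form: escaped "\x90" text (access_log) or raw 0x90 bytes (error_log).
NOP_RE = re.compile(r'(?:\\x90|\x90)+')

MARKER = "DEADBEEF"      # the bogus method boomerang.pl sends; it is the grep-able signature
MIN_SLED = 16            # assumed threshold: a sled this long in a request line is never legitimate
ERROR_PREFIX = "Invalid URI in request "

def longest_nop_run(text: str) -> int:
    """Length in bytes of the longest contiguous run of NOP (0x90) bytes in a log field."""
    best = 0
    for m in NOP_RE.finditer(text):
        run = m.group(0)
        best = max(best, run.count("\\x90") + run.count("\x90"))
    return best

def classify_request(text: str):
    """Return a finding dict for a request line / error message, or None if it looks benign."""
    sled = longest_nop_run(text)
    marker = text.startswith(MARKER)
    if marker or sled >= MIN_SLED:
        return {"label": "apache-chunked-overflow-attempt", "marker": marker, "nop_sled": sled}
    return None

def scan(lines):
    """Parse access_log and error_log lines and return one finding per suspicious entry."""
    findings = []
    for line in lines:
        line = line.rstrip("\n")
        m = ACCESS_RE.match(line)
        if m:
            text, ip, source = m.group("req"), m.group("ip"), "access_log"
        else:
            m = ERROR_RE.match(line)
            if not m:
                continue  # unparseable line; a real deployment would count these
            text, ip, source = m.group("msg"), m.group("ip"), "error_log"
            if text.startswith(ERROR_PREFIX):      # strip Apache's prefix so MARKER matches at the start
                text = text[len(ERROR_PREFIX):]
        hit = classify_request(text)
        if hit:
            hit.update(ip=ip, source=source)
            findings.append(hit)
    return findings

def attempts_by_ip(findings) -> Counter:
    """Count findings per client address, the number the list poster wanted to act on."""
    return Counter(f["ip"] for f in findings)

# Constructed sample input modeled on the post (sled shortened, shellcode replaced by a placeholder).
SAMPLE_LOG = [
    '213.196.148.15 - - [23/Aug/2003:10:27:38 -0400] "GET / HTTP/1.1" 200 5316',
    '213.196.148.15 - - [23/Aug/2003:10:27:38 -0400] "DEADBEEF ' + "\\x90" * 40 + '" 400 0',
    '[Sat Aug 23 10:26:57 2003] [error] [client 213.196.148.15] '
    'Invalid URI in request DEADBEEF ' + "\x90" * 8 + 'shellcode-bytes',
    # sled without the marker: still caught by the length check
    '10.0.0.7 - - [23/Aug/2003:11:00:00 -0400] "GET /' + "\\x90" * 20 + ' HTTP/1.0" 404 209',
    # two escaped bytes in a path: below threshold, not flagged
    '10.0.0.8 - - [23/Aug/2003:11:01:00 -0400] "GET /\\x90\\x90 HTTP/1.0" 404 209',
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ip"]:16} {h["source"]:10} marker={h["marker"]} sled={h["nop_sled"]}')
    print(attempts_by_ip(hits))
```

Run it over the real files with `scan(open("/var/log/httpd/access_log"))`. Two things the output cannot tell you: whether the attempt mattered (the script header above says it only works against Apache on Windows 2000, and the chunked-encoding bug, CVE-2002-0392, was fixed in Apache 1.3.26 and 2.0.39, so a patched server only gets the "Invalid URI" error line), and who is behind the address, since a connect-back exploit of this kind is routinely launched from another compromised host. The per-IP count is still the evidence to attach to an abuse report or a firewall rule.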