On Sat, 2003-08-23 at 10:31, Reuben D. Budiardja wrote:
> I got the following in my Apache access_log:
>
> 213.196.148.15 - - [23/Aug/2003:10:27:38 -0400] "GET / HTTP/1.1" 200 5316
> 213.196.148.15 - - [23/Aug/2003:10:27:38 -0400] "DEADBEEF ...<snip>...
>
> and in my Apache error log:
> Sat Aug 23 10:26:57 2003] [error] [client 213.196.148.15] Invalid URI in
> request DEADBEEF
> [EMAIL PROTECTED]
> goklçðwKõTÖõTÖìTÖFWùÆÀlÄouSæÐ
> Z"Äwn`8ÌTÖ×yίyΫyÎÓTÖ¿#Ö×ÃÄxÕvSæjÂÁÅÀlAÉÊyÔÔÔÔqzP
>
> [Sat Aug 23 10:27:38 2003] [error] [client 213.196.148.15] Invalid URI in
> request DEADBEEF
> [EMAIL PROTECTED]
> lçðwKõTÖõTÖìTÖFWùÆÀlÄouSæÐ
> Z"Äwn`8ÌTÖ×yίyΫyÎÓTÖ¿#Ö×ÃÄxÕvSæjÂÁÅÀlAÉÊyÔÔÔÔqzP
>
> Now, since I know the IP, what can I do about this? Please help me with
> advice.
I've seen multiple exploits that use the DEADBEEF string as part of the request. These range from Apache/win32 chunking attacks to PGP exploits to formmail exploits.

The first thing I'd suggest is putting a firewall up (if you don't already) and blocking that client IP. Next, I'd make sure your box is sufficiently patched against all known exploits for the software you're running that is exposed to the Internet. Third, I'd send an email to "[EMAIL PROTECTED]" informing them of this attempted intrusion. Since this is a foreign block, you're not going to have much luck escalating it to an upstream provider, since it looks like datapark.ch provides its own core connectivity.

There are a lot of different things to do/consider. Regardless, your best course is to simply ensure that your systems are patched and not exploitable.

--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net

--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/redhat-list
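The reply's first two steps (spot the client, block it at the firewall) can be turned into a small log-triage script. What follows is an added example, not code from the thread or from either poster: it reads Apache common-log-format access_log lines and the 2003-era error_log format quoted above, flags clients whose request line is not a well-formed HTTP request or who trigger "Invalid URI in request", and emits one iptables DROP rule per offender. The sample lines are constructed for the example (the binary payload is replaced by printable placeholder text, and 192.0.2.10 is a documentation-range address standing in for a normal visitor); the choice of iptables and the INPUT chain is an assumption about the box.

```python
import re
from collections import defaultdict

# error_log entry in the format quoted in the thread:
#   [Sat Aug 23 10:27:38 2003] [error] [client 213.196.148.15] Invalid URI in request DEADBEEF...
ERROR_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] (?P<msg>.*)$'
)

# access_log entry in common log format:
#   213.196.148.15 - - [23/Aug/2003:10:27:38 -0400] "GET / HTTP/1.1" 200 5316
ACCESS_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>.*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}


def access_finding(line):
    """Return (ip, reason) when the request line is not '<METHOD> <uri> HTTP/x.y', else None."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    parts = m.group("req").split(" ")
    if len(parts) != 3 or parts[0] not in KNOWN_METHODS or not parts[2].startswith("HTTP/"):
        return m.group("ip"), "malformed request line: %r" % m.group("req")[:32]
    return None


def error_finding(line):
    """Return (ip, reason) for 'Invalid URI in request' entries.

    The raw payload bytes Apache echoes after the message spill onto following
    lines; those do not match the entry pattern and are skipped.
    """
    m = ERROR_RE.match(line)
    if not m:
        return None
    if m.group("msg").startswith("Invalid URI in request"):
        return m.group("ip"), "Invalid URI in request"
    return None


def offenders(access_lines, error_lines):
    """Map client IP -> list of reasons, collected from both logs."""
    report = defaultdict(list)
    for line in access_lines:
        f = access_finding(line)
        if f:
            report[f[0]].append(f[1])
    for line in error_lines:
        f = error_finding(line)
        if f:
            report[f[0]].append(f[1])
    return dict(report)


def iptables_rules(report):
    """One DROP rule per offending IP (assumes iptables filtering on the INPUT chain)."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in sorted(report)]


# Constructed sample lines modelled on the ones quoted in the thread.
SAMPLE_ACCESS = [
    '192.0.2.10 - - [23/Aug/2003:10:20:01 -0400] "GET /index.html HTTP/1.0" 200 5316',
    '213.196.148.15 - - [23/Aug/2003:10:27:38 -0400] "GET / HTTP/1.1" 200 5316',
    '213.196.148.15 - - [23/Aug/2003:10:27:38 -0400] "DEADBEEF <binary placeholder>" 400 -',
]
SAMPLE_ERROR = [
    '[Sat Aug 23 10:26:57 2003] [error] [client 213.196.148.15] Invalid URI in request DEADBEEF',
    'goklcdwK <continuation of the payload, not a log entry>',
    '[Sat Aug 23 10:27:38 2003] [error] [client 213.196.148.15] Invalid URI in request DEADBEEF',
    '[Sat Aug 23 10:30:00 2003] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico',
]

if __name__ == "__main__":
    rep = offenders(SAMPLE_ACCESS, SAMPLE_ERROR)
    for ip, reasons in rep.items():
        print(ip, len(reasons), "findings:", "; ".join(reasons))
    for rule in iptables_rules(rep):
        print(rule)
```

Run it against the real files with `offenders(open("/var/log/httpd/access_log"), open("/var/log/httpd/error_log"))` and review the rules before applying them; the script deliberately prints them rather than executing them, since a single malformed request from a shared proxy is not by itself grounds for a permanent block.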