What does this look like?

Pclinuxguru
February 10th, 2002, 04:42 AM
Hello,
I am running a Linux box with Apache on it (version isn't an issue). While checking my logs I see this:

Feb 9 19:04:04 ny-kenton2a-529 sendmail[2164]: NOQUEUE: [OFFENDING IP ADDR] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
OFFENDING IP ADDR - - [09/Feb/2002:19:03:36 -0500] "HEAD%00 /%20HTTP/1.0%0D%0A%0D%0AAccept%3A%20vsjummyqbwufbcyvaxp/../../index.html%3fpqjhoivgit=/../mcjlprufiigzrspoqudevbynikiecgmzysftljbiwfzzyhpxqfnumtlnvadfsmaycehabwutinycnrdtmgmzerbmnodsiqnjvebqtdxmphdshagpusiklqrrquomwpqekwwroiipmkarrokxayciaypzwzszlxqbwrtsiloiabltjcpmptagmmnkwypdrsckadholdzrqgohjmigfzloavpkquvzyxvgpwjvtptzcsqujrruqmzwwfsijwjedxvfsxrgnhqxejkjnvlqasaximlhinsnbitiseijedvoauhjhnhdlycacwejikqurznspealkokimyhalpnzkbybgrnxfbblfktuexhkeloiympgqslbcyiaegdukjhnxwotdqyavfovpbrlhtvqwnzdwebbxqsjxppynhbhsrxmzdsqgmuiemhkuyejgnxybfxzavcmbgfmvositlszvnrzhderrzvfyaxaoozkzjyrepdeyycfjcnpbyxtqzdwaaxseqlzfjbchjctnnvfmzklemuakapeiyxnwaoonajmdgkmphixbfkollzcllatpuzonhbiehdvozabauaggvhddtxdsmanuvijugdreinsjthkelvepjbqqvomrvhwbxgyrmvvrgrnctvvnvztpnnhdpyertacouvocdhgeqraannexfaqjzkkowtrybfzpfbeaycpucmjsjakfpbjzfwyexifhhlmgbdpkuxnxitpviwehsusjsnditzrgnmxecvwjmszselpxxqbwmfofhatesymrhzqlynoaqkiruavifygucktfgbaebamhkvgbuovhyungddlvjc!
tnblxdriyzdxduxelxqtwnwhxmfarooqjaapblcpfuxdmvrxfokzoqfkikiyjhttmmocymavafgilmxlipstwhbpobwavwgtpwyujsmlcewrvknpgegeciplwggjpqbptesuuschqziiwvovszkxlhquemcxsthwpludobbzcwtlvqubvopjlazduznvxazslpxbbkfcvmxqdayqzqdkvqoeutecjyndiytgefztcaysvgibrienyvzgxznuwldcssbwosexmjzquqrfuhjmflpndxuecdjtditblickanguoconjrxwikgqhabdulyhrbawkljdzrmgdmiattcbdegpzmodsctdldzckdbjhkonisiqcwamakylwimiloyhubomnwdntllgdbbmrszwaoigauxhghjbnwezfusyulwtgirtzmiegvpaihudzcdiqtokbbibrnoiiajvqjcloribmogqvhrjvonbxukbfnkpdwiyffjjxjcxspbcchziljhdhqrrbukzkozruzpaviordolztjwssquobzsojoaibixyfqhlmhqonvhllprheddgujqebxdpiulbadeabkitpcns/.././%57%53_%46%54%50%2e%49%4e%49 HTTP/1.0" 501 1942 "http://MY IP ADDRESS/" "Mozilla/4.7 [en] (Win95; U)"

I am not sure what to make of it.... Is it 2 separate log entries, 1 for my SMTP server and one for Apache? It looks like someone tried a buffer overflow or something... It is in the log a few times... I blocked the IP block because the traceroute didn't tell me much except it might be a dial-up account from Verio/Earthlink.

Any suggestion would be appreciated.
Bill
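As an added example (not from the original thread), a small Python checker for Apache combined-format access log lines like the second entry above: it percent-decodes the request field and flags the markers a defender looks for in a probe (null byte, ../ traversal, embedded CRLF, abnormal length, non-standard request line). The sample lines, the 192.0.2.x addresses and the shortened filler are constructed stand-ins for the posted entry, not the poster's real data.

```python
import re
from urllib.parse import unquote

# Apache "combined" access log: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
REQUEST_LINE_RE = re.compile(r"(GET|HEAD|POST) \S+ HTTP/1\.[01]")

# Constructed stand-ins for the posted entry (192.0.2.0/24 is a documentation range,
# and the 600-byte filler replaces the random junk in the original request).
PROBE_LINE = (
    '192.0.2.10 - - [09/Feb/2002:19:03:36 -0500] '
    '"HEAD%00 /%20HTTP/1.0%0D%0A%0D%0AAccept%3A%20xyz/../../index.html%3fq=/../'
    + "a" * 600
    + '/.././%57%53_%46%54%50%2e%49%4e%49 HTTP/1.0" 501 1942 '
    '"http://192.0.2.1/" "Mozilla/4.7 [en] (Win95; U)"'
)
BENIGN_LINE = (
    '192.0.2.20 - - [09/Feb/2002:19:05:00 -0500] '
    '"GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.7 [en] (Win95; U)"'
)

def inspect_request(raw):
    """Percent-decode a request field (twice, to unmask double encoding) and list
    the reasons it looks like a scanner probe rather than a browser request."""
    decoded = unquote(unquote(raw))
    reasons = []
    if "\x00" in decoded:
        reasons.append("null byte")
    if "/../" in decoded:
        reasons.append("directory traversal")
    if "\r" in decoded or "\n" in decoded:
        reasons.append("embedded CRLF")
    if len(raw) > 512:
        reasons.append("oversized request")
    if not REQUEST_LINE_RE.fullmatch(decoded):
        reasons.append("malformed request line")
    return decoded, reasons

def analyze(line):
    """Parse one combined-format line (None if it is not one) and attach findings."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["decoded"], entry["reasons"] = inspect_request(entry["request"])
    return entry
```

The sendmail line in the post is a separate syslog entry from the MTA, so it does not match LOG_RE and analyze() returns None for it; only the Apache line is parsed.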

jehnx
February 10th, 2002, 04:20 PM
Report the IP to Earthlink for trying a buffer overflow on their little wimpy 56k.

Pclinuxguru
February 10th, 2002, 07:25 PM
I already called them and apparently this kid did not only try this with me but about 50 other sites too.... hehe dumb ass

ac1dsp3ctrum
February 10th, 2002, 08:40 PM
LMAO A 56ker trying to use buffer overflows on 50 sites... Ahhh what retards people can be :D Did Earthlink say what they're gonna do to the kiddie?

the_JinX
February 11th, 2002, 11:36 AM
I think they're gonna give him a 28k modem so he can never do a buffer overflow attempt again...

Pclinuxguru
February 11th, 2002, 01:28 PM
Originally posted by the_JinX
I think they're gonna give him a 28k modem so he can never do a buffer overflow attempt again...

Yes actually they told his mom... I would imagine they suspended the account or something. But I was like the 49th person to call about it so they say... The whole story:
I called their abuse number and spoke with John. After I explained what I think happened he asked for the logs.... I emailed the log to him. Usually I never hear from them again but John called me back and told me I was the 49th person that called him. Apparently this child has tried a few other tricks in other places like portscanning Google and stuff... Well they called his mom and she apparently threw the computer out and cancelled the Earthlink account. Kinda funny... He even asked if I wanted to press charges on this guy... I wish I had the time to... (actually the way he told me the story I started laughing). Anyways it's over for now...

str34m3r
March 26th, 2002, 02:04 AM
Hurrah for earthlink! :)

If only more ISPs would punish people for scanning the network, the internet would be a safer place.

Hmm... Of course, I could be wrong. If all of the ISPs punished the scanners, would any of us still have jobs? I like my job. I take back my hurrah...

Down with earthlink for trying to take my job away! :mad:

TechieChick
March 26th, 2002, 04:32 AM
I was originally with Mindspring and then Earthlink bought them out, and the few times I had to contact the abuse dept. I was most impressed. One of the few ISPs out there that encourage you to call vs. emailing when there is a bit of an emergency, in my case my husband's email being bombed. They were on it and it was handled ASAP. Sadly you can't say that about too many ISPs. It seems most just don't care...

ac1dsp3ctrum
March 26th, 2002, 04:44 AM
Wow, at least it got solved.. You should've pressed charges :D
BTW how old was he, exactly? Hehe, he tried to buffer overflow on a 56k... I still think it's funny ROFL

Vorlin
March 26th, 2002, 01:52 PM
::laughs and laughs and laughs:: Buffer overflows on a 56k...right on, that's speed and raw power for ya! Apparently this is the kind of kid who listened to the wrong crowd at school about how some "cool kid" "took down some site" with "a nasty I-showed-him" overflow from his "IRC bots"...

I'll still stand by it...a hardware firewall + ipchains with rulesets in place + stealth = is anyone home?!

VanEck
March 26th, 2002, 03:38 PM
All kiddies get curious I think, but to mess with Google! That's going too far... :shootem:

steeld
March 27th, 2002, 11:56 AM
Although, actually, if any of you knew about these things, you'd know a lot of buffer overflows don't need speed and power, and a fast connection, because it's not a DoS attack. Buffers can sit and wait to be filled up with information, so some BO exploits can be done on a 9,600 modem, if you wish.

ASA
March 27th, 2002, 02:59 PM
Tehehehe steeld is right...
DoS or DDoS partially depends on speed not buffer overflows.

Just 2 very simple examples to ******** things;
1. to cause an overflow;
You push a large amount of data into a stack which cannot handle that much data correctly at a time. Check for the popular ftpds' buffer overflow problems to see that (e.g.: adding 200 characters to a directory input...)

2. to make a Denial of Service or Distributed Denial of Service;
What Code Red's aim was.
First it captured many zombie computers, then it caused them to request a simple page many times. If 1 computer requests a page every 5 seconds and this process is done with a million computers, guess what?

If this kind of attack is made via only one source then that's called DoS, and if there is more than 1 source that is called DDoS.

Clear enough?
:cool: