What does this look like?

  1. #1
    Member
    Join Date
    Oct 2001
    Posts
    31

    What does this look like?

    Hello,
    I am running a Linux box with Apache on it (version isn't an issue). While checking my logs I see this:

    Feb 9 19:04:04 ny-kenton2a-529 sendmail[2164]: NOQUEUE: [OFFENDING IP ADDR] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
    OFFENDING IP ADDR - - [09/Feb/2002:19:03:36 -0500] "HEAD%00 /%20HTTP/1.0%0D%0A%0D%0AAccept%3A%20vsjummyqbwufbcyvaxp/../../index.html%3fpqjhoivgit=/..[...]
    tnblxdriyzdxduxelxqtwnwhxmfarooqjaapblcpfuxdmvrxfokzoqfkikiyjhttmmocymavafgilmxlipstwhbpobwavwgtpwyujsmlcewrvknpgegeciplwggjpqbptesuuschqziiwvovszkxlhquemcxsthwpludobbzcwtlvqubvopjlazduznvxazslpxbbkfcvmxqdayqzqdkvqoeutecjyndiytgefztcaysvgibrienyvzgxznuwldcssbwosexmjzquqrfuhjmflpndxuecdjtditblickanguoconjrxwikgqhabdulyhrbawkljdzrmgdmiattcbdegpzmodsctdldzckdbjhkonisiqcwamakylwimiloyhubomnwdntllgdbbmrszwaoigauxhghjbnwezfusyulwtgirtzmiegvpaihudzcdiqtokbbibrnoiiajvqjcloribmogqvhrjvonbxukbfnkpdwiyffjjxjcxspbcchziljhdhqrrbukzkozruzpaviordolztjwssquobzsojoaibixyfqhlmhqonvhllprheddgujqebxdpiulbadeabkitpcns/.././%57%53_%46%54%50%2e%49%4e%49 HTTP/1.0" 501 1942 "http://MY IP ADDRESS/" "Mozilla/4.7 [en] (Win95; U)"

    I am not sure what to make of it.... Is it 2 separate log entries 1 for my smtp server and one for apache? It looks like someone tried a buffer overflow or something... It is in the log a few times... I blocked the IP block because the traceroute didn't tell me much except it might be a dial up account from Verio/Earthlink.

    Any suggestion would be appreciated.
    Bill
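To make sense of the Apache entry in the post above, here is an added example (not from the thread) that percent-decodes the quoted request and lists the indicators it contains; the IP addresses are placeholders and the long random directory name is shortened.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample: the access-log request from the post, with placeholder
# addresses and the random directory name cut down to a few dozen letters.
SAMPLE_LOG = ('192.0.2.1 - - [09/Feb/2002:19:03:36 -0500] '
              '"HEAD%00 /%20HTTP/1.0%0D%0A%0D%0AAccept%3A%20vsjummyqbwufbcyvaxp'
              '/../../index.html%3fpqjhoivgit=/../tnblxdriyzdxduxelxqtwnwhxmfarooq'
              '/.././%57%53_%46%54%50%2e%49%4e%49 HTTP/1.0" 501 1942 '
              '"http://198.51.100.7/" "Mozilla/4.7 [en] (Win95; U)"')

# Quoted request string followed by the three-digit status in common/combined format.
REQUEST_RE = re.compile(r'"(?P<request>[^"]*)" (?P<status>\d{3}) ')


def parse_request(line):
    """Extract and percent-decode the request from one Apache access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    raw = m.group('request')
    # Decode to bytes first so %00 survives as a real NUL instead of an error.
    decoded = unquote_to_bytes(raw).decode('latin-1')
    # Drop the trailing protocol token, then keep the last path component:
    # this is the file the probe actually asked for.
    target = decoded.rsplit(' ', 1)[0].rsplit('/', 1)[-1]
    # 501 Not Implemented: the server rejected the NUL-terminated method "HEAD\x00".
    return {'raw': raw, 'decoded': decoded,
            'status': int(m.group('status')), 'target': target}


def indicators(parsed):
    """List the evasion and probing tricks visible in a parsed request."""
    raw, d = parsed['raw'], parsed['decoded']
    found = []
    if '\x00' in d:
        found.append('null byte')
    if '\r\n' in d:
        found.append('embedded CRLF')
    if '/../' in d:
        found.append('directory traversal')
    # Runs of hex escapes that decode to plain ASCII hide the filename from
    # naive string matching on the raw request.
    if re.search(r'(?:%[0-9A-Fa-f]{2}){4,}', raw):
        found.append('hex-encoded filename')
    # Long runs of lowercase letters are random padding, not real directories.
    if re.search(r'[a-z]{20,}', d):
        found.append('long random path segment')
    return found
```

Running `indicators(parse_request(SAMPLE_LOG))` shows the request is a traversal probe for a hex-encoded `WS_FTP.INI`, wrapped in a NUL byte, CRLF pairs and junk directories; the preceding sendmail line is a separate daemon's record of the same host connecting without issuing any SMTP command.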

  2. #2
    Senior Member
    Join Date
    Dec 2001
    Posts
    884
    Report the IP to Earthlink for trying a buffer overflow on their little wimpy 56k.

  3. #3
    Member
    Join Date
    Oct 2001
    Posts
    31
    I already called them and apparently this kid did not only try this with me but about 50 other sites too.... hehe dumb ass

  4. #4
    Banned
    Join Date
    Oct 2001
    Posts
    1,463
    LMAO A 56ker trying to use buffer overflows on 50 sites... Ahhh what retards people can be. Did Earthlink say what they're gonna do to the kiddie?

  5. #5
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,535
    I think they're gonna give him a 28k modem so he can never do a buffer overflow attempt again...
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  6. #6
    Member
    Join Date
    Oct 2001
    Posts
    31
    Originally posted by the_JinX
    I think they're gonna give him a 28k modem so he can never do a buffer overflow attempt again...
    Yes actually they told his mom... I would imagine they suspended the account or something. But I was like the 49th person to call about it so they say... The whole story:
    I called their abuse number and spoke with John. After I explained what I think happened he asked for the logs.... I emailed the log to him. Usually I never hear from them again but John called me back and told me I was the 49th person that called him. Apparently this child has tried a few other tricks in other places like portscanning Google and stuff... Well they called his mom and she apparently threw the computer out and cancelled the Earthlink account. Kinda funny... He even asked if I wanted to press charges on this guy... I wish I had the time to... (actually the way he told me the story I started laughing). Anyways it's over for now...

  7. #7
    Senior Member
    Join Date
    Mar 2002
    Posts
    425

    Waffle

    Hurrah for earthlink!

    If only more ISPs would punish people for scanning the network, the internet would be a safer place.

    Hmm... Of course, I could be wrong. If all of the ISPs punished the scanners, would any of us still have jobs? I like my job. I take back my hurrah...

    Down with earthlink for trying to take my job away!

  8. #8
    TechieChick
    Guest
    I was originally with Mindspring and then Earthlink bought them out, and the few times I had to contact the abuse dept. I was most impressed. One of the few ISPs out there that encourage you to call vs emailing when something is a bit of an emergency, in my case my husband's email being bombed. They were on it and it was handled ASAP. Sadly you can't say that about too many ISPs. It seems most just don't care...

  9. #9
    Banned
    Join Date
    Oct 2001
    Posts
    1,463
    Wow, at least it got solved.. You should've pressed charges
    BTW how old was he, exactly? Hehe, he tried to buffer overflow on a 56k... I still think it's funny ROFL

  10. #10
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164
    ::laughs and laughs and laughs:: Buffer overflows on a 56k...right on, that's speed and raw power for ya! Apparently this is the kind of kid who listened to the wrong crowd at school about how some "cool kid" "took down some site" with "a nasty I-showed-him" overflow from his "IRC bots"...

    I'll still stand by it...a hardware firewall + ipchains with rulesets in place + stealth = is anyone home?!
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.
