-
February 10th, 2002, 04:42 AM
#1
Member
What does this look like?
Hello,
I am running a Linux box with Apache on it (version isn't an issue). While checking my logs I see this:
Feb 9 19:04:04 ny-kenton2a-529 sendmail[2164]: NOQUEUE: [OFFENDING IP ADDR] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
OFFENDING IP ADDR - - [09/Feb/2002:19:03:36 -0500] "HEAD%00 /%20HTTP/1.0%0D%0A%0D%0AAccept%3A%20vsjummyqbwufbcyvaxp/../../index.html%3fpqjhoivgit=/..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!
tnblxdriyzdxduxelxqtwnwhxmfarooqjaapblcpfuxdmvrxfokzoqfkikiyjhttmmocymavafgilmxlipstwhbpobwavwgtpwyujsmlcewrvknpgegeciplwggjpqbptesuuschqziiwvovszkxlhquemcxsthwpludobbzcwtlvqubvopjlazduznvxazslpxbbkfcvmxqdayqzqdkvqoeutecjyndiytgefztcaysvgibrienyvzgxznuwldcssbwosexmjzquqrfuhjmflpndxuecdjtditblickanguoconjrxwikgqhabdulyhrbawkljdzrmgdmiattcbdegpzmodsctdldzckdbjhkonisiqcwamakylwimiloyhubomnwdntllgdbbmrszwaoigauxhghjbnwezfusyulwtgirtzmiegvpaihudzcdiqtokbbibrnoiiajvqjcloribmogqvhrjvonbxukbfnkpdwiyffjjxjcxspbcchziljhdhqrrbukzkozruzpaviordolztjwssquobzsojoaibixyfqhlmhqonvhllprheddgujqebxdpiulbadeabkitpcns/.././%57%53_%46%54%50%2e%49%4e%49 HTTP/1.0" 501 1942 "http://MY IP ADDRESS/" "Mozilla/4.7 [en] (Win95; U)"
I am not sure what to make of it.... Is it 2 separate log entries 1 for my smtp server and one for apache? It looks like someone tried a buffer overflow or something... It is in the log a few times... I blocked the IP block because the traceroute didn't tell me much except it might be a dial up account from Verio/Earthlink.
Any suggestion would be appreciated.
Bill
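A triage sketch for the two log lines in the post above, added here as an example and not part of the original thread: it separates sendmail syslog lines from Apache access-log lines and flags the anomalies visible in the request (an encoded NUL in the method, encoded CRLF, dot segments, oversized padding), then decodes the final path component. The sample lines, documentation IP addresses, hostname and length threshold are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Apache access-log prefix: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*?)" (\d{3}) (\S+)')
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}
MAX_REQUEST_LEN = 512  # assumed threshold; tune to the longest legitimate URL on your site

# Constructed samples modelled on the post (addresses, hostname and padding are placeholders).
SENDMAIL = ("Feb 9 19:04:04 mailhost sendmail[2164]: NOQUEUE: [192.0.2.10] did not issue "
            "MAIL/EXPN/VRFY/ETRN during connection to MTA")
SCAN = ('192.0.2.10 - - [09/Feb/2002:19:03:36 -0500] "HEAD%00 /%20HTTP/1.0%0D%0A%0D%0A'
        'Accept%3A%20abc/../../index.html%3fx=/../' + "q" * 600 +
        '/.././%57%53_%46%54%50%2e%49%4e%49 HTTP/1.0" 501 1942 '
        '"http://198.51.100.5/" "Mozilla/4.7 [en] (Win95; U)"')


def analyze(line):
    """Return (client, status, decoded_target, findings), or None for non-access-log lines."""
    m = LOG_RE.match(line)
    if not m:
        return None  # e.g. a syslog line written by sendmail, a separate service
    client, _when, request, status, _size = m.groups()
    findings = []
    if request.split(" ", 1)[0].upper() not in KNOWN_METHODS:
        findings.append("unknown-method")
    lowered = request.lower()
    if "%00" in lowered:
        findings.append("encoded-nul")
    if "%0d" in lowered or "%0a" in lowered:
        findings.append("encoded-crlf")
    decoded = unquote(request)
    if "/../" in decoded or "/./" in decoded:
        findings.append("dot-segments")
    if len(request) > MAX_REQUEST_LEN:
        findings.append("oversized-request")
    # Drop the trailing protocol token, then take the last path segment.
    target = decoded.rsplit(" ", 1)[0].rsplit("/", 1)[-1]
    return client, int(status), target, findings


if __name__ == "__main__":
    for entry in (SENDMAIL, SCAN):
        print(analyze(entry))
```
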
-
February 10th, 2002, 04:20 PM
#2
Report the IP to Earthlink for trying a buffer overflow on their little wimpy 56k.
-
February 10th, 2002, 07:25 PM
#3
Member
I already called them and apparently this kid did not only try this with me but about 50 other sites too.... hehe dumb ass
-
February 10th, 2002, 08:40 PM
#4
LMAO A 56ker trying to use buffer overflows on 50 sites... Ahhh what retards people can be. Did Earthlink say what they're gonna do to the kiddie?
-
February 11th, 2002, 11:36 AM
#5
I think they're gonna give him a 28k modem so he can never do a buffer overflow attempt again...
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio the best station for C64 Remixes !
-
February 11th, 2002, 01:28 PM
#6
Member
Originally posted by the_JinX
I think they're gonna give him a 28k modem so he can never do a buffer overflow attempt again...
Yes actually they told his mom... I would imagine they suspended the account or something. But I was like the 49th person to call about it so they say... The whole story:
I called their abuse number and spoke with John. After I explained what I think happened he asked for the logs.... I emailed the log to him. Usually I never hear from them again but John called me back and told me I was the 49th person that called him. Apparently this child has tried a few other tricks in other places like portscanning Google and stuff... Well they called his mom and she apparently threw the computer out and cancelled the Earthlink account. Kinda funny... He even asked if I wanted to press charges on this guy... I wish I had the time to... (actually the way he told me the story I started laughing). Anyways it's over for now...
-
March 26th, 2002, 02:04 AM
#7
Waffle
Hurrah for earthlink!
If only more ISPs would punish people for scanning the network, the internet would be a safer place.
Hmm... Of course, I could be wrong. If all of the ISPs punished the scanners, would any of us still have jobs? I like my job. I take back my hurrah...
Down with earthlink for trying to take my job away!
-
March 26th, 2002, 04:32 AM
#8
I was originally with Mindspring and then Earthlink bought them out and the few times I had to contact the abuse dept. I was most impressed. One of the few ISPs out there that encourage you to call vs emailing when something there is a bit of an emergency, in my case my husband's email being bombed. They were on it and it was handled ASAP. Sadly you can't say that about too many ISPs. It seems most just don't care...
-
March 26th, 2002, 04:44 AM
#9
Wow, at least it got solved.. You should've pressed charges
BTW How old was he, exactly? Hehe, he tried to buffer overflow on a 56k... I still think it's funny ROFL
-
March 26th, 2002, 01:52 PM
#10
::laughs and laughs and laughs:: Buffer overflows on a 56k...right on, that's speed and raw power for ya! Apparently this is the kind of kid who listened to the wrong crowd at school about how some "cool kid" "took down some site" with "a nasty I-showed-him" overflow from his "IRC bots"...
I'll still stand by it...a hardware firewall + ipchains with rulesets in place + stealth = is anyone home?!
We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.