3

I've just started seeing this appearing in our server logs...

/P/2112/FBA73F59E6F7E78CCFF29DD8BDF46ECCAE5B73145E023BFB207C971E835645245C62CA0296DA6CDA4E62613A9C10C0DADBA941D2AD68005E57EFDC84A8ECD0ADC37C0214AD76755E48D6D1BAABF

It goes on and on for a while. In fact that's less than 10% of just one such event and there are many similar events.

I'm suspecting some attempted hack since we have no folder named "/P/" on our server.

Does anyone recognise this?

BTW, the reason I was looking at the logs at that time was that our server had just crashed, and I can't help wondering if it's related.

The server is Apache/2.0.54 (Unix) PHP/4.4.2 mod_ssl/2.0.54 OpenSSL/0.9.7a JRun/4.0

2 Answers

4

Looks like a buffer overflow shellcode attack. I'd expect that the URL is at least 4096 chars long. The HTTP RFC does not specify a maximum URL length, although there are implicit limitations on most of the major servers, so the attacker may be attempting to cause a buffer overflow.

I'd make sure you've read the release notes for your current web server, and check that there are no outstanding security issues.

1

What's the source IP? Possible that it's some kind of DoS attack or attempt at a buffer overflow. Can you post the entire line?

6
  • [Tue Jun 02 14:06:24 2009] [info] [client 172.16.98.242] Spelling fix: /P/448/FBA73F59E6F7E78CCFF29DD8BDF46ECCE0B5E872557872C99849F03E5825BD858ECB22A02F3F899EBDA8CC1D67AC24D8CE9E9670742817BD30834A95C3DCD5CCCA40C2CEFAD205FDC647FDBB647E954C0DF5A5817DFF928C830714F8849D409110BB65E7D1C007F5D139E843C3679DD9C28DFAA794ABF1CC232E7224A2ACCBBC1A3A3F8A4670EABFF98D5A0CB61914ADC1A1799661C8EB872ADB926572176698F360A219026C8E10180333B9823A2DCB74C9FB8B276B668A57C95C28D9AE3D2FA93A872F706A839836CBAC09E920420002F95CE948C1E8D0EC6092435FC9A24D: 2 candidates (We are using mod_spelling) Commented Jun 2, 2009 at 4:38
  • There are dozens of these requests from the same machine Commented Jun 2, 2009 at 4:40
  • It's a private network (172.16.*.*), do you use these in your company? Otherwise it might be somehow spoofed... Commented Jun 2, 2009 at 5:05
  • Yeah, it's an internal address, so I assume we have an infected machine on the inside of the network. Commented Jun 2, 2009 at 5:09
  • 1
    Go to it and physically unplug it from the network. Don't turn it off; you might want to check how it was hacked first. Commented Jun 2, 2009 at 5:14
