Re: Is my server being cracked?

__/ [ I R A Darth Aggie ] on Friday 12 May 2006 16:42 \__

> On Fri, 12 May 2006 12:05:58 +0200,
> antonino <arche_nxosxpxaxm_design@xxxxxxxxx>, in
> <44645da3$0$14780$4fafbaef@xxxxxxxxxxxxxxxxxxx> wrote:
>>+ I've found a lot of these entries in my Apache log, which is in the
>>+ combined format. I don't understand why the server responds with a 200 to
>>+ this request. Does anyone know which type of attack this is?
>>+ aaa.bbb.ccc.ddd - - [12/May/2006:11:58:10 +0200] "GET /stat/sms.php
>>+ HTTP/1.1" 200 38029 "http://www.aaa.com/stat/sms.php"
>>+ "PBQLMLV >snip!<"
> Looks an awful lot like someone is trying to cause a buffer overflow
> in sms.php (or somewhere in your php stack). I don't know how robust
> your sms.php script is, but it may be just returning a "Dude, that was
> like radically bad input, would you like to try again?"
> Or it could be handing out the keys to your kingdom, if it isn't so
> robust. Have you noticed problems with the machine in general?
> If you're connected to the internet, you'll notice any number of
> attacks against any number of services.

...Seems like an attempt to crack some statistics package which contains a
file called sms.php. Try a Web search to find out more. This might be a
brute force attack that moves from one Web site to another until a worthy
victim is found. Another statistics package, called awstats.pl, had a
severe vulnerability that could compromise the server and some data, if
not hand over control to the attacker. Keep abreast of software patches
and news.

Best wishes,


Roy S. Schestowitz
http://Schestowitz.com  | Free as in Free Beer ¦  PGP-Key: 0x74572E8E
 11:15am  up 16 days 18:12,  12 users,  load average: 1.05, 0.89, 0.82
      http://iuron.com - semantic engine to gather information
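
An added example, not part of the original thread: one way to triage the kind of combined-format entries quoted above is to parse each line and count requests whose User-Agent is oversized or a bare run of capital letters, grouped by client, path and status. The heuristic, the thresholds, the function names and the sample lines are all assumptions made for illustration.

```python
import re
from collections import Counter

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>.*)"$'
)
# Assumed heuristic: tokens that ordinary browsers and crawlers put in User-Agent.
KNOWN_TOKENS = re.compile(r'Mozilla|Opera|Lynx|Wget|curl|bot|spider|crawl', re.I)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED.match(line.strip())
    return m.groupdict() if m else None

def is_suspicious_agent(agent, max_len=256):
    """Flag agents that are oversized or consist only of six or more capitals."""
    if len(agent) > max_len:
        return True
    if KNOWN_TOKENS.search(agent):
        return False
    return re.fullmatch(r'[A-Z]{6,}', agent) is not None

def summarize(lines):
    """Count flagged requests per (client, path, status)."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_suspicious_agent(rec["agent"]):
            continue
        parts = rec["request"].split()
        path = parts[1] if len(parts) >= 2 else rec["request"]
        hits[(rec["host"], path, rec["status"])] += 1
    return hits

# Constructed sample lines (documentation addresses, made-up agents), not from the post.
SAMPLE = [
    '192.0.2.10 - - [12/May/2006:11:58:10 +0200] "GET /stat/sms.php HTTP/1.1" 200 38029 "http://www.example.com/stat/sms.php" "XKQZTPLMWVRB"',
    '192.0.2.10 - - [12/May/2006:11:58:12 +0200] "GET /stat/sms.php HTTP/1.1" 200 38029 "http://www.example.com/stat/sms.php" "QWJXNRTYHGFD"',
    '198.51.100.7 - - [12/May/2006:12:01:00 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3"',
    '203.0.113.5 - - [12/May/2006:12:02:00 +0200] "GET /stat/sms.php HTTP/1.1" 404 210 "-" "' + "A" * 300 + '"',
]

if __name__ == "__main__":
    for (host, path, status), count in summarize(SAMPLE).items():
        print(f"{host} {path} status={status} flagged={count}")
```

Comparing the status and byte count of flagged requests with those of ordinary requests to the same path shows whether the script treated them any differently.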

