__/ [ I R A Darth Aggie ] on Friday 12 May 2006 16:42 \__
> On Fri, 12 May 2006 12:05:58 +0200,
> antonino <arche_nxosxpxaxm_design@xxxxxxxxx>, in
> <44645da3$0$14780$4fafbaef@xxxxxxxxxxxxxxxxxxx> wrote:
>>+ I've found a lot of these entries in my Apache log, which is in the
>>+ combined format. I don't understand why the server responds with a 200 to
>>+ this request. Does anyone know which type of attack this is?
>>+ aaa.bbb.ccc.ddd - - [12/May/2006:11:58:10 +0200] "GET /stat/sms.php
>>+ HTTP/1.1" 200 38029 "http://www.aaa.com/stat/sms.php"
>>+ "PBQLMLV >snip!<"
> Looks an awful lot like someone is trying to cause a buffer overflow
> in sms.php (or somewhere in your php stack). I don't know how robust
> your sms.php script is, but it may be just returning a "Dude, that was
> like radically bad input, would you like to try again?"
> Or it could be handing out the keys to your kingdom, if it isn't so
> robust. Have you noticed problems with the machine in general?
> If you're connected to the internet, you'll notice any number of
> attacks against any number of services.
...Seems like an attempt to crack some statistics package which contains a
file called sms.php. Try a Web search to find out more. This might be a
brute force attack that moves from one Web site to another until a worthy
victim is found. Another statistics package, called awstats.pl, had a
severe vulnerability that could compromise the server and some data, if
not hand over control to the attacker. Keep abreast of software patches
Roy S. Schestowitz
http://Schestowitz.com | Free as in Free Beer ¦ PGP-Key: 0x74572E8E
11:15am up 16 days 18:12, 12 users, load average: 1.05, 0.89, 0.82
http://iuron.com - semantic engine to gather information
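
The following is an added example, not part of the original posts: a triage script for an Apache combined-format log that counts, per path and status code, requests sharing two traits visible in the posted line (a Referer pointing at the requested script itself and a User-Agent with no `Name/version` product token). The sample lines, addresses, host name and agent strings are constructed, and treating those two traits as the signature is an assumption drawn only from the single line quoted above.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined": host ident user [time] "request" status bytes "referer" "agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'          # quoted field, tolerating \" escapes
COMBINED = re.compile(
    r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: [^"]*)?" (\d{3}) (\d+|-) '
    + QUOTED + " " + QUOTED)
FIELDS = ("host", "time", "method", "path", "status", "size", "referer", "agent")
# Browsers and well-behaved bots send product tokens such as "Name/1.0".
PRODUCT_TOKEN = re.compile(r"[A-Za-z][\w.-]*/\d")

def parse(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = COMBINED.match(line)
    return dict(zip(FIELDS, m.groups())) if m else None

def traits(entry):
    """List which traits of the posted request this entry shares."""
    found = []
    if urlsplit(entry["referer"]).path == urlsplit(entry["path"]).path:
        found.append("self-referer")
    if not PRODUCT_TOKEN.search(entry["agent"]):
        found.append("no-product-token-agent")
    return found

def triage(lines):
    """Count (path, status) pairs for entries that show both traits."""
    hits = Counter()
    for line in lines:
        entry = parse(line)
        if entry and len(traits(entry)) == 2:
            hits[(entry["path"], entry["status"])] += 1
    return hits

# Constructed sample lines (documentation address ranges, made-up agent strings).
SAMPLE = [
    '192.0.2.10 - - [12/May/2006:11:58:10 +0200] "GET /stat/sms.php HTTP/1.1" 200 38029 "http://www.example.com/stat/sms.php" "PBQLMLVXKQ"',
    '198.51.100.7 - - [12/May/2006:11:59:02 +0200] "GET /stat/sms.php HTTP/1.1" 200 38029 "http://www.example.com/stat/sms.php" "ZRTWQKJHNM"',
    '192.0.2.44 - - [12/May/2006:12:01:30 +0200] "GET /stat/sms.php HTTP/1.1" 200 5120 "http://www.example.com/index.html" "Mozilla/5.0 (X11; Linux i686)"',
    '198.51.100.7 - - [12/May/2006:12:02:11 +0200] "GET /stats/sms.php HTTP/1.1" 404 208 "http://www.example.com/stats/sms.php" "ZRTWQKJHNM"',
    '192.0.2.44 - - [12/May/2006:12:03:00 +0200] "POST /stat/sms.php HTTP/1.1" 200 5120 "http://www.example.com/stat/sms.php" "Mozilla/5.0 (X11; Linux i686)"',
]

if __name__ == "__main__":
    for (path, status), count in sorted(triage(SAMPLE).items()):
        print(f"{count:4d}  {status}  {path}")
```

A 200 in this output means only that the script ran and returned a page; comparing the byte counts of flagged requests with those of normal requests to the same path shows whether the responses actually differ.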