Re: LogWatch

["Scot L. Harris" <webid cfl rr com>]

On Wed, 2004-07-21 at 05:23, John Morrison wrote:
> Hi,
> Looking at the root user mail I noticed the following appears frequently
> in the logfiles:
> 
>  --------------------- httpd Begin ------------------------
>  
> A total of 2 sites probed the server
>   81.51.104.14
>   81.10.211.182
>  
> A total of 2 unidentified 'other' records logged
>   GET /sumthin HTTP/1.0 with response code(s) 404
>   SEARCH
> /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x
> 
> The 'SEARCH' line goes on and on for pages (only shown a portion of it
> for brevity). I have never seen this before and would like to know what
> is happening and should i block the sites that the probe comes from. The
> web server is only for my personal development.	
> 
> Cheers,
> 
> John
> -- 

When in doubt block it, if it was something legit or important someone
will complain to the admin and you can fix it.

Looks like an attempt at a buffer overflow possibly.

-- 
Scot L. Harris
webid cfl rr com

Are you still an ALCOHOLIC?