Security Incidents mailing list archives
Re: Strange log in Apache after webdav-like exploit
From: Sebastien Millet <milletse () club-internet fr>
Date: Sat, 17 Jul 2004 09:02:00 +0200
On Wed, 14 Jul 2004 14:37:26 +1200, Robin <robin () kallisti net nz> wrote :
I got a spate of these a while back, but haven't noticed them for a while. The content of the non-encoded part of the request tended to be a piece of HTML that was located somewhere on the site (although, now you mention it, it is quite likely to have been something generated with PHP).
I think the content is from a previous page served by the same child process.
I checked to see if the same IP addresses had accessed anything else on the site, perhaps having the content in a buffer or something, but that came back negative. I ended up not getting any further with it, got busy, and forgot about it. Didn't consider it could be an apache issue. Anyway, I would have seen it on around apache versions 2.0.47-ish. I haven't noticed it on 2.0.50 (I still get the \0x90 parts, but not the content at the end.) PHP version around 4.3.7. I could do a more comprehensive look at when I saw what in the logs versus what versions of apache and PHP I was running at the time, if deemed useful.
Looks like the 2.0.50 version solved the problem, despite there is no such entry in the changelog. Thanks for you answer.
Current thread:
- Strange log in Apache after webdav-like exploit Sebastien Millet (Jul 13)
- Re: Strange log in Apache after webdav-like exploit Robin (Jul 14)
- Re: Strange log in Apache after webdav-like exploit Sebastien Millet (Jul 19)
- Re: Strange log in Apache after webdav-like exploit Robin (Jul 14)