WebApp Sec mailing list archives
Apache Killer - take 2?
From: Damiano Bolzoni <damiano.bolzoni () utwente nl>
Date: Thu, 19 Jan 2012 20:59:00 +0100
Hi all,

today we saw a weird HTTP header in a request that came to a web server we are monitoring:

HEAD /contact HTTP/1.1
Content-Range: bytes 1-1024/-1
User-Agent: Opera/9.80 (Windows NT 5.1; U; pl) Presto/2.5.22 Version/10.51
Host: www.xyz.nl
Accept: */*

The offending IP is not in any blacklist, and the intent is kind of clear... the server is Apache, but I have no detailed information about the version/patching level. The server went ahead with a simple redirect to the default error page.

Is this just a clumsy way to attempt an overflow of one of the range boundaries and replicate the infamous Apache Killer attack?

cheers

--
Dr. Damiano Bolzoni
damiano.bolzoni () utwente nl
Homepage: http://dies.ewi.utwente.nl/~bolzonid/
PGP public key: http://dies.ewi.utwente.nl/~bolzonid/public_key.asc
Skype ID: damiano.bolzoni () utwente nl
Distributed and Embedded Security Group - University of Twente
P.O. Box 217, 7500AE Enschede, The Netherlands
Phone +31 53 4893744, Mobile +31 629 008724
ZILVERLING building, room 3015
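A header check of the kind a defender could run over captured requests to flag what the post describes, as an added example that is not part of the original post or thread. It parses the request Range header and a request-side Content-Range, and reports a Content-Range on a request at all, a negative complete-length like the `/-1` above, and Range headers with many or unsatisfiable byte-range specs in the Apache Killer style. The sample headers and the MAX_RANGES cap are assumptions chosen for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

MAX_RANGES = 5  # assumption: a low cap on byte-range specs, as the Apache workarounds took

# Constructed sample headers (not captured traffic): the header from the post, an
# Apache-Killer-style Range header with many overlapping specs, and a benign partial GET.
SAMPLES: Dict[str, Dict[str, str]] = {
    "post":   {"Content-Range": "bytes 1-1024/-1", "User-Agent": "Opera/9.80"},
    "killer": {"Range": "bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7"},
    "benign": {"Range": "bytes=0-1023"},
}

def parse_range(value: str) -> Optional[List[Tuple[Optional[int], Optional[int]]]]:
    """Parse a request Range value 'bytes=a-b,c-,-d'; None if it is not well-formed."""
    if not value.startswith("bytes="):
        return None
    specs: List[Tuple[Optional[int], Optional[int]]] = []
    for spec in value[len("bytes="):].split(","):
        m = re.fullmatch(r"(\d*)-(\d*)", spec.strip())
        if not m or m.group(0) == "-":   # both ends missing is not a byte-range-spec
            return None
        first, last = (int(g) if g else None for g in m.groups())
        specs.append((first, last))
    return specs

def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for one request's headers; an empty list means nothing odd."""
    findings: List[str] = []
    cr = headers.get("Content-Range")
    if cr is not None:
        # Content-Range describes a body; on a HEAD or GET request it is out of place.
        findings.append("content-range in request")
        m = re.fullmatch(r"bytes (\d+)-(\d+)/(\*|-?\d+)", cr)
        if m is None:
            findings.append("content-range malformed")
        elif m.group(3) != "*" and int(m.group(3)) < 0:
            findings.append("content-range negative complete-length")
    rng = headers.get("Range")
    if rng is not None:
        specs = parse_range(rng)
        if specs is None:
            findings.append("range malformed")
        else:
            if len(specs) > MAX_RANGES:
                findings.append(f"range has {len(specs)} specs (> {MAX_RANGES})")
            if any(f is not None and l is not None and f > l for f, l in specs):
                findings.append("range contains unsatisfiable spec (first > last)")
    return findings
```

Running `check_headers` over each entry in SAMPLES flags the post's request for both the request-side Content-Range and its negative complete-length, flags the many-ranges header on spec count and the unsatisfiable `5-0`, and returns nothing for the benign partial GET.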