WebApp Sec mailing list archives

Apache Killer - take 2?


From: Damiano Bolzoni <damiano.bolzoni () utwente nl>
Date: Thu, 19 Jan 2012 20:59:00 +0100

Hi all,
today we saw a weird HTTP header in a request that came to a web server
we are monitoring:

HEAD /contact HTTP/1.1
Content-Range: bytes 1-1024/-1
User-Agent: Opera/9.80 (Windows NT 5.1; U; pl) Presto/2.5.22 Version/10.51
Host: www.xyz.nl
Accept: */*


The offending IP is not in any blacklist, and the intent is kind of
clear...the server is Apache, but I have no detailed information about
the version/patching level. The server went ahead with a simple redirect
to the default error page.

Is this just a clumsy way to attempt an overflow of one of the range
boundaries and replicate the infamous Apache Killer attack?

cheers

-- 
Dr. Damiano Bolzoni

damiano.bolzoni () utwente nl
Homepage http://dies.ewi.utwente.nl/~bolzonid/
PGP public key http://dies.ewi.utwente.nl/~bolzonid/public_key.asc
Skype ID: damiano.bolzoni () utwente nl

Distributed and Embedded Security Group - University of Twente
P.O. Box 217 7500AE Enschede, The Netherlands
Phone +31 53 4893744
Mobile +31 629 008724
ZILVERLING building, room 3015
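
As an added example (not part of the original post): a Python check that flags the two anomalies visible in the quoted request, a Content-Range header on a HEAD request and a negative length after the slash. The function names, finding labels and the choice of GET/HEAD as body-less methods are assumptions made for illustration.

```python
import re

# "bytes" Content-Range: first-last/length; range or length may be "*".
CONTENT_RANGE = re.compile(r"^bytes (?:(\d+)-(\d+)|\*)/(\d+|\*)$")
# Assumption: the monitored site never expects a body on these methods.
BODILESS_METHODS = {"GET", "HEAD"}

def parse_request(raw):
    """Split a raw HTTP request into (method, {lowercased header: value})."""
    lines = raw.replace("\r\n", "\n").split("\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers

def content_range_findings(raw):
    """Return the reasons a request's Content-Range looks anomalous."""
    method, headers = parse_request(raw)
    value = headers.get("content-range")
    if value is None:
        return []
    findings = []
    if method in BODILESS_METHODS:
        findings.append("content-range-on-bodiless-method")
    m = CONTENT_RANGE.match(value)
    if m is None:  # e.g. a signed length such as "-1"
        return findings + ["malformed-content-range"]
    first, last, length = m.groups()
    if first is not None and int(first) > int(last):
        findings.append("first-byte-after-last-byte")
    if first is not None and length != "*" and int(last) >= int(length):
        findings.append("range-exceeds-length")
    return findings

# The request quoted in the post above, reproduced as sample input.
SAMPLE = (
    "HEAD /contact HTTP/1.1\r\n"
    "Content-Range: bytes 1-1024/-1\r\n"
    "User-Agent: Opera/9.80 (Windows NT 5.1; U; pl) Presto/2.5.22 Version/10.51\r\n"
    "Host: www.xyz.nl\r\n"
    "Accept: */*\r\n\r\n"
)
print(content_range_findings(SAMPLE))
```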


