Open Source and information security mailing list archives
 
Message-ID: <7B9C012097BF5DB5C5E017A7@utd49554.utdallas.edu>
Date: Tue May 10 23:04:56 2005
From: pauls at utdallas.edu (Paul Schmehl)
Subject: Another exploit against apache or kernel

--On Tuesday, May 10, 2005 11:57:40 PM +0200 Adrian Senn <adrian@...n.ch> wrote:
>
> Since some weeks we have an intruder which is exploiting us and poisoning us
> with the Virus Unix/RST.A
> I found now how it happens at it isn't clear to me what he is doing.
>
> I found in the apache log file some interesting strings.
>
> Repeating entries as this
> ip-hide - - [10/May/2005:19:58:00 +0200] "\v\xa5\xe5)(\xdd\xb7|\xd5\xad&\xd79" 400 - "-" "-"
>
Have you not heard of mod_security?
SecFilterSelective THE_REQUEST "ip-hide" would stop this attack cold.

So would:
SecFilterSelective THE_REQUEST "\.\."

<http://www.modsecurity.org/>

Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
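
An added example, not part of the original message or of mod_security: a log-triage script that decodes the escaped request field of the access-log entry quoted above and flags entries whose request is binary data rather than an HTTP request line. The two 192.0.2.x lines are constructed sample input, and the escape handling assumes Apache's access-log escaping (\xhh for non-printable bytes plus C-style escapes such as \v).

```python
import re

# Combined Log Format prefix: host ident user [time] "request" status ...
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) ')
# Well-formed request line: METHOD SP target SP HTTP/x.y
REQUEST_LINE_RE = re.compile(r'^[A-Z]+ \S+ HTTP/\d\.\d$')
ESCAPE_RE = re.compile(r'\\(?:x([0-9a-fA-F]{2})|(.))')
C_ESCAPES = {'b': 8, 't': 9, 'n': 10, 'v': 11, 'f': 12, 'r': 13}

def unescape(field):
    """Undo the log escaping and return the bytes the client actually sent."""
    out, pos = bytearray(), 0
    for m in ESCAPE_RE.finditer(field):
        out += field[pos:m.start()].encode('utf-8')
        if m.group(1):                      # \xhh
            out.append(int(m.group(1), 16))
        elif m.group(2) in C_ESCAPES:       # \v, \n, \t, ...
            out.append(C_ESCAPES[m.group(2)])
        else:                               # \" and \\ keep the escaped char
            out += m.group(2).encode('utf-8')
        pos = m.end()
    out += field[pos:].encode('utf-8')
    return bytes(out)

def triage(lines):
    """Return (host, time, status, raw_request) for non-HTTP binary requests."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = unescape(m.group('request'))
        has_binary = any(b < 0x20 or b > 0x7e for b in raw)
        malformed = not REQUEST_LINE_RE.match(m.group('request'))
        if malformed and has_binary:
            hits.append((m.group('host'), m.group('time'),
                         int(m.group('status')), raw))
    return hits

SAMPLE = [
    # Entry quoted in the thread (host already redacted as "ip-hide" there).
    r'ip-hide - - [10/May/2005:19:58:00 +0200] "\v\xa5\xe5)(\xdd\xb7|\xd5\xad&\xd79" 400 - "-" "-"',
    # Constructed ordinary traffic for contrast.
    r'192.0.2.7 - - [10/May/2005:19:58:02 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    r'192.0.2.9 - - [10/May/2005:19:58:05 +0200] "GET /robots.txt HTTP/1.0" 404 - "-" "-"',
]

if __name__ == "__main__":
    for host, when, status, raw in triage(SAMPLE):
        print(host, when, status, len(raw), "bytes:", raw.hex())
```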
