[ic] error.log

Kevin Walsh interchange-users@icdevgroup.org
Fri Jun 28 20:10:01 2002


> > I assume that is a single log entry.  Is there any other text in
> > the log that looks suspicious?  Perhaps on or near the log entry
> > with that block of numbers.
> >
> > Do you get similar log entries in your Apache access_log or error_log
> > files?
> >
> > Which version of the various servers are you using: Interchange, Apache
> > etc?
> >
> Sorry for not putting a subject in my first email, it was late.  The entries
> consisting of all the 000030000's are extremely long, like someone was
> trying to exploit a buffer overflow.  I haven't cut them up and measured,
> but each entry could weigh a couple megs.  There is a log entry appearing
> right before each of these in the IC error.log which is:
> 
> 213.75.175.152 bBjGtCKt:213.75.175.152 - [22/June/2002:09:43:00 -0400] store
> /cgi-bin/store.cgi/order.html Safe: Number too long at (eval 401) line 1.
> 
> Same ip on each, nothing however in our httpd logs.
> [...snip...]
> 
> The version of IC is 4.8.3 I'm pretty sure.  The site is operating fine it
> seems for now.  We're going to be moving it to a pure Linux machine in the
> next couple of weeks so we can upgrade more easily in the future.  I'd still
> like to know what these strange log entries are though.
> 
I would suggest that the error log messages are harmless.
Interchange (or "Safe", rather) has spotted nonsense data and has
simply logged the problem, aborted any further processing for that
page and carried on as usual.  It seems to be some sort of crude DoS
attack, and one that is extremely unlikely to succeed on Interchange.

Perhaps an email to abuse@planet.nl will help dissuade the script
kiddie from attempting this sort of thing in the future.

-- 
   _/   _/  _/_/_/_/  _/    _/  _/_/_/  _/    _/
  _/_/_/   _/_/      _/    _/    _/    _/_/  _/   K e v i n   W a l s h
 _/ _/    _/          _/ _/     _/    _/  _/_/    kevin@cursor.biz
_/   _/  _/_/_/_/      _/    _/_/_/  _/    _/
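
An added example, not part of the original message or of Interchange itself: a triage pass over an Interchange error.log that counts "Safe: Number too long" entries and oversized entries per source address, so the pairing described in the thread can be confirmed without opening multi-megabyte lines in an editor. The entry layout is inferred from the single line quoted above, the 64 KiB threshold is an assumption, and the sample addresses are constructed.

```python
import re
from collections import defaultdict

# Layout modelled on the entry quoted in the thread (an assumption):
# <ip> <session>:<ip> - [<timestamp>] <catalog> <path> <message>
ENTRY = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ - \[[^\]]+\] "
                   r"\S+ (?P<path>\S+) (?P<msg>.*)$")
SAFE_NUMBER = "Safe: Number too long"
OVERSIZE = 64 * 1024  # assumed threshold in characters; tune to your baseline


def triage(lines, oversize=OVERSIZE):
    """Per-IP counts of Safe number errors and oversized entries."""
    report = defaultdict(lambda: {"safe_errors": 0, "oversized": 0,
                                  "max_len": 0, "paths": set()})
    last_ip = "unknown"  # source of the most recent parsable entry
    for raw in lines:
        line = raw.rstrip("\n")
        m = ENTRY.match(line)
        if m:
            last_ip = m["ip"]
            if SAFE_NUMBER in m["msg"]:
                report[last_ip]["safe_errors"] += 1
                report[last_ip]["paths"].add(m["path"])
        if len(line) >= oversize:
            # A headerless blob is attributed to the entry just before it.
            # Only its length is recorded; the payload is never echoed.
            stats = report[last_ip]
            stats["oversized"] += 1
            stats["max_len"] = max(stats["max_len"], len(line))
    return dict(report)


# Constructed sample (documentation-range addresses, not real log data).
SAMPLE = [
    "192.0.2.10 sessA:192.0.2.10 - [22/June/2002:09:43:00 -0400] store "
    "/cgi-bin/store.cgi/order.html Safe: Number too long at (eval 401) line 1.\n",
    "000030000" * 250000 + "\n",
    "198.51.100.7 sessB:198.51.100.7 - [22/June/2002:09:50:00 -0400] store "
    "/cgi-bin/store.cgi/index.html ordinary message\n",
]

if __name__ == "__main__":
    for ip, s in triage(SAMPLE).items():
        print(ip, s["safe_errors"], s["oversized"], s["max_len"], sorted(s["paths"]))
```

To run it against a real log, pass an open file handle (opened with `errors="replace"`) to `triage()`; the file is read line by line.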