From Earliest: 12:32:51.184478 on 07/04/2002 Latest: 12:37:20.390845 on 07/04/2002 I saw 4,718 matches to this rule, from one source IP:

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
        (msg: "Apache chunked encoding exploit, AAAAA padding"; flags: A+; \
        content: "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";)

    [**] [1:0:0] Apache chunked encoding exploit, AAAAA padding [**]
    07/04-12:32:51.184478 216.136.145.169:1748 -> a.b.c.d:80
    TCP TTL:50 TOS:0x0 ID:12860 IpLen:20 DgmLen:1500 DF
    ***A**** Seq: 0x2C62C33B Ack: 0xF74A6090 Win: 0x4470 TcpLen: 20

Very few alerts (4 a day) prior to this. Due to complex reasons the vendor and sys admin decided not to upgrade httpd on this box.

When I logged in, an httpd process was running at 99%, and had been for some time. This is a beefy, multi-processor server so there was no DoS. Webserving continued as normal. A restart of the httpd service restored normal operation.

James Edwards
jameshat_private

At the Santa Fe Office: Internet at Cyber Mesa
Store hours: 9-6 Monday through Friday
Phone support 365 days till 10 pm via the Santa Fe office: 505-988-9200 or Toll Free: 888-988-2700

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
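The summary at the top of the post (match count per source, earliest and latest timestamp) is the kind of thing worth reproducing from the raw Snort alert file; the following is an added example, not code from the post, that parses records in the alert layout quoted above over a few constructed alerts. It also reports rules whose alerts show a sid of 0 (as the `[1:0:0]` here does), which means the rule was written without a `sid`, making it hard to track in an alert database. Addresses in the sample are documentation-range placeholders and the year is assumed, since Snort's timestamp omits it.

```python
import re
from datetime import datetime

# Constructed Snort alert records in the layout quoted in the post (not real
# traffic; addresses are documentation-range placeholders, not the post's).
SAMPLE_ALERTS = """\
[**] [1:0:0] Apache chunked encoding exploit, AAAAA padding [**]
07/04-12:32:51.184478 192.0.2.10:1748 -> 198.51.100.5:80
TCP TTL:50 TOS:0x0 ID:12860 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x2C62C33B Ack: 0xF74A6090 Win: 0x4470 TcpLen: 20

[**] [1:0:0] Apache chunked encoding exploit, AAAAA padding [**]
07/04-12:37:20.390845 192.0.2.10:1751 -> 198.51.100.5:80
TCP TTL:50 TOS:0x0 ID:13077 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x2C63A001 Ack: 0xF74A7210 Win: 0x4470 TcpLen: 20

[**] [1:0:0] Apache chunked encoding exploit, AAAAA padding [**]
07/04-12:35:02.000001 203.0.113.7:40001 -> 198.51.100.5:80
TCP TTL:60 TOS:0x0 ID:1 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x00000001 Ack: 0x00000002 Win: 0x4470 TcpLen: 20
"""

# "[**] [gid:sid:rev] message [**]" followed by "MM/DD-HH:MM:SS.usec src:port -> dst:port"
HEADER = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
PACKET = re.compile(r"(\d\d/\d\d)-(\d\d:\d\d:\d\d\.\d+) (\S+):\d+ -> (\S+):\d+")

def parse_alerts(text, year=2002):
    """Yield (sid, msg, timestamp, src_ip); the year is assumed because Snort omits it."""
    lines = text.splitlines()
    for i, line in enumerate(lines[:-1]):
        h = HEADER.match(line)
        p = PACKET.match(lines[i + 1]) if h else None
        if not p:
            continue  # not a header/packet pair; skip protocol and flag lines
        ts = datetime.strptime(f"{year}/{p[1]} {p[2]}", "%Y/%m/%d %H:%M:%S.%f")
        yield int(h[2]), h[4], ts, p[3]

def summarize(text):
    """Per (msg, src_ip): (count, earliest, latest), the shape of the post's summary."""
    out = {}
    for _sid, msg, ts, src in parse_alerts(text):
        n, first, last = out.get((msg, src), (0, ts, ts))
        out[(msg, src)] = (n + 1, min(first, ts), max(last, ts))
    return out

def unnumbered_rules(text):
    """Messages whose gid:sid shows sid 0, i.e. rules written without a sid option."""
    return sorted({msg for sid, msg, _ts, _src in parse_alerts(text) if sid == 0})
```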
This archive was generated by hypermail 2b30 : Fri Jul 05 2002 - 13:27:15 PDT