Hi, It could be an overflow attack to the access_log script which he/she believes exists. With that he might get access to some logging OR access to the webserver (executing commands as the webserver user) how he/she is going to do that, i don' know, but it's an option (: Also notice that it's a HEAD request instead of the normal GET/POST requests.. perhaps that can give some more detail? Going to try and find something tommorrow (it's past twelve here) but have a busy schedule so dont promise anything Cheers -- Kind regards, Remko Lodder Elvandar.org/DSINet.org www.mostly-harmless.nl Dutch community for helping newcomers on the hackerscene Salvatore Poliandro wrote: >-- OM-- >From: "Remko Lodder" <remkoat_private> >Subject: Re: [security-elvandar] "access_log?hello" ? > > >>I dont recognise this as a particular script that is running against >>your host. >>Although it could be a custom made script that just sends a lot of >>characters (or a lot of hello's) >>to your host, trying to overflow it. >> >>My best guess is that it's the overflow option, >>But i am interested now.. so when anyone else has a opinion... >> >> > >An Overflow to accomplish what? I see no shellcode in that string, Other >then crashing the web server on the other end, what could be its use? Could >It be a tool to look in the log files of webservers for previous >compromises? http://www.analog.cx/ creates the product that makes the logs >in the /logs/active/ I see no mention of any compromises in thier site. > >Sal > > > --------------------------------------------------------------------------- ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Mon Jul 28 2003 - 10:10:57 PDT