httpd-users mailing list archives

From Jonas Diener <jdie...@rosettastone.com>
Subject [users@httpd] A strange log entry -- New bug/vulnerability?
Date Thu, 02 Sep 2004 01:26:44 GMT
First some background.

I'm running Apache 2.0.49 on a 2.4.26 kernel compiled for SMP, both of which I compiled myself.
Apache was not built with SSL or any other modules for that matter.

The machine running this has port 80 exposed to the internet at large.  Naturally it gets
its share of exploit attempts.

I am using the "motion" software from sourceforge to run a webcam.  Motion knows nothing
about apache, it just dumps .jpg snapshots and .mpg clips into /usr/local/apache2/htdocs/cam1.

I then review the .mpg clips recorded by motion in my browser.  No one else uses the webcam.

I was looking at my access_log today and found something rather odd...

192.168.117.6 - - [27/Aug/2004:22:48:35 -0400] "GET /cam1/361-20040827004713.mpg HTTP/1.1"
200 227997
192.168.117.6 - - [27/Aug/2004:22:48:47 -0400] "GET /cam1/356-20040826213039.mpg HTTP/1.1"
200 492857
192.168.117.6 - - [27/Aug/2004:22:49:00 -0400] "GET /cam1/371-20040827080914.mpg HTTP/1.1"
200 2300507

^^^ These are me accessing the .mpg files from my LAN station.  Nothing unusual.

12.227.159.19 - - [30/Aug/2004:03:12:15 -0400] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1...snip...\x90\x90\x90\x90\x90/local/apache2/htdocs/cam1/s169-20040824101549-00.jpg"
414 329

(I trimmed down the middle part a bit since the full thing was 5+ pages.)

This is very odd indeed.  At first it looks like a normal attempt to exploit a WebDAV hole
in IIS.  What makes it odd is the inclusion of the filename at the end.

This file probably did exist on my system at one point (on Aug 24th, see the timestamp encoded
into the filename), but would have been deleted long before Aug 30.  I have a script that
cron runs every hour that deletes all .jpgs in /usr/local/apache2/htdocs/cam1/.  The .jpg
files are just leftovers that motion is not smart enough to delete on its own.  They all
get composited into the .mpgs in real time as motion records.

It's also odd that the path is almost the full path to the file, minus /usr on the front.
My DocumentRoot is /usr/local/apache2/htdocs.

There are no other references in the logfile to this file -- I never accessed it from my station.
-- How did whoever/whatever this is know that it once existed there?

There are also no other occurrences of /local in the logfile.

There are a couple other IIS WebDAV exploit attempts, but they all end with "\x90".  No filenames
on the end of them.

There is a corresponding entry in error_log:

[Mon Aug 30 03:12:15 2004] [error] [client 12.227.159.19] request failed: URI too long (longer
than 8190)

These corresponding entries also exist for the other normal IIS WebDAV attempts.  Nothing
special here.

At first I thought some buffer overflow may have caused that filename to get tacked onto the
log entry somehow, but how would that filename get into apache's memory in the first place?
It was never accessed by apache before -- Apache shouldn't have even known it existed --
Especially since it only existed for an hour or less some 6 days prior to that log entry.

It seems unlikely that some other process accidentally wrote that into apache's logfile since
it occurs inside the quotes and has the normal HTTP codes following it.

Any ideas?  This one's boggling my mind.
-- 

The line below is false
The line above is true

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
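The kind of sifting Jonas is doing by hand (spotting SEARCH requests padded with \x90 bytes, checking whether they drew a 414, and pulling the readable tail off the end) can be scripted. The following is an added example and is not code from the post, from Apache, or from the motion project. It assumes Apache's access_log convention of writing non-printable request bytes as \xHH escapes (which is why the sled shows up as literal "\x90" text in the log); the three log lines it runs over are constructed, modelled on the ones quoted above, with the NOP sled cut down to a handful of bytes so the line is readable. The sled threshold of four consecutive 0x90 bytes is an arbitrary choice for the example.

```python
import re
from typing import Optional

# Constructed sample log lines modelled on the post (sled shortened; not real traffic).
SAMPLE_LOG = r"""
192.168.117.6 - - [27/Aug/2004:22:48:35 -0400] "GET /cam1/361-20040827004713.mpg HTTP/1.1" 200 227997
12.227.159.19 - - [30/Aug/2004:03:12:15 -0400] "SEARCH /\x90\x02\xb1\x02\xb1\x90\x90\x90\x90/local/apache2/htdocs/cam1/s169-20040824101549-00.jpg" 414 329
10.0.0.5 - - [30/Aug/2004:04:00:00 -0400] "SEARCH /\x90\x90\x90\x90\x90\x90 HTTP/1.1" 414 329
"""

# Common Log Format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Apache escapes non-printable bytes as \xHH and also backslash-escapes ", \ and C-style controls.
_ESCAPE_RE = re.compile(rb'\\(x[0-9a-fA-F]{2}|[\\"nrtbfv])')
_SIMPLE = {b'\\': b'\\', b'"': b'"', b'n': b'\n', b'r': b'\r',
           b't': b'\t', b'b': b'\b', b'f': b'\f', b'v': b'\v'}

NOP = 0x90          # x86 NOP, the sled byte seen in the post
SLED_MIN = 4        # arbitrary threshold for this example


def unescape_logitem(field: str) -> bytes:
    """Undo Apache's log escaping and return the raw request bytes."""
    def sub(m: re.Match) -> bytes:
        esc = m.group(1)
        if esc[:1] == b'x':
            return bytes([int(esc[1:], 16)])
        return _SIMPLE[esc]
    return _ESCAPE_RE.sub(sub, field.encode('latin-1'))


def longest_run(data: bytes, value: int) -> int:
    """Length of the longest run of `value` bytes in `data`."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


def printable_tail(data: bytes) -> str:
    """Printable ASCII suffix following the last non-printable byte (the 'filename' in the post)."""
    i = len(data)
    while i > 0 and 0x20 <= data[i - 1] < 0x7f:
        i -= 1
    return data[i:].decode('ascii')


def triage_line(line: str) -> Optional[dict]:
    """Parse one access_log line and summarise what a reviewer would look at."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = m.group('request').split(' ')
    method = parts[0]
    uri = unescape_logitem(parts[1]) if len(parts) > 1 else b''
    protocol = parts[2] if len(parts) > 2 else None
    nop_run = longest_run(uri, NOP)
    return {
        'host': m.group('host'),
        'method': method,
        'protocol': protocol,
        'status': int(m.group('status')),
        'uri_len': len(uri),
        'nop_count': uri.count(bytes([NOP])),
        'longest_nop_run': nop_run,
        'nonprintable': sum(1 for b in uri if not 0x20 <= b < 0x7f),
        'tail': printable_tail(uri),
        'suspicious': nop_run >= SLED_MIN,
    }


def triage_log(text: str) -> list:
    """Run triage_line over every non-empty line of an access_log."""
    return [r for r in (triage_line(l) for l in text.splitlines() if l.strip()) if r is not None]


if __name__ == '__main__':
    for row in triage_log(SAMPLE_LOG):
        if row['suspicious']:
            print(f"{row['host']} {row['method']} status={row['status']} "
                  f"nops={row['nop_count']} tail={row['tail']!r}")
```

A 414 means Apache rejected the request line for exceeding LimitRequestLine (8190 bytes by default, the figure in the error_log entry above) before any handler ran, so a hit with status 414 is a rejected probe, not a served request; the script reports the status alongside the decoded tail rather than trying to explain where the tail came from.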

