Subject: Re: has anyone else seen this and if you have What is it?
From: James Zuelow (e5z8652@zuelow.net)
Date: Tue Jan 28 2003 - 20:43:18 AKST
On Tue, 28 Jan 2003 16:24:55 -0900 (AKST)
"Mike Tibor" <tibor@lib.uaa.alaska.edu> wrote:
>
> Not that I know of. I've got a few of the same in the access_log of
> one of my servers. I think it's either a script used to grab HTTP
> headers(server type/version, OS, whatever), or possibly something
> designed to examine how a server handles 404 errors (whether the
> canned apache error is used, or a custom error page, etc.). Either
> way, the danger to your system is probably extremely low.
>
IIRC the Apache chunked encoding exploit does this as a first step.
The exploit code is different for different platforms (OpenBSD, Linux,
etc.) so it grabs the headers. If it is a vulnerable combination of
OS/Apache, the exploit proceeds. If not, it exits. If someone put it
into a script that tries a given IP multiple times, you might see it
more than once.
(Or I could be completely wrong.)
Cheers,
James
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
This archive was generated by hypermail 2a23 : Tue Jan 28 2003 - 20:43:33 AKST