Apache log with long strings of Xs in GET request

z1dane · August 13, 2009, 10:05pm

Hi everybody,

I was looking at my apache2 log and I found GET requests as such:

Some ip - - [20/Jul/2007:09:50:48 +1000] "GET /login.htm?password=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.1" 404 327

or (without a GET request)

Some ip - - [20/Jul/2007:09:50:33 +1000] "very long string of Xs" 414 375

There were several others requests with even longer strings of X. What was the person trying to achieve?

Many thanks,

Dave

Neo · August 18, 2009, 11:27am

They were hacking looking for buffer overflows, more that likely.

z1dane · August 18, 2009, 8:26pm

Ah thanks Neo, I shall go and research on buffer overflows.

Neo · August 21, 2009, 4:12pm

When you see an IP address hacking like that, you might want to use ipchains (if on Linux) to block the offending IP.

z1dane · August 21, 2009, 7:15pm

Ah awesome! The webserver is running on redhat, so shouldn't be a problem. I use denyhosts to block ssh attempts but didn't know about ipchains.

Thanks again Neo!