Thursday, March 09, 2006

Buffer Overflow attempt fp30reg.dll apache log. Old Hack, same logs

During my years as a Unix system administrator I have had my share of logs and
log analysis, especially from staring at web server and mail server log entries.
These poor servers are usually in a DMZ or at the front of the line, right before
the Internet, totally exposed to 0.0.0.0/0.

Of all the logs you go through, most contain ordinary GET /something requests,
answered by the web server with a 200. So when you see a SEARCH in your access logs, you kind
of raise an eyebrow. The log below shows an automated attack coming from an infected host.

The attack code (a buffer overflow, in this and many other cases) is what does
the actual "break in". The \xc9 bytes are NOPs (no operation), padding sent
in an attempt to overflow fp30reg.dll.

What is most scary about this attack is that it is still in use, meaning there are
vulnerable systems out there, even though the vulnerability was announced as
Critical by Microsoft back in Nov 2003!! Only G*d knows how long the black hats
have had the code before Microsoft.


c-c8dbe253.02-11-73746f2.sed.awk.away.com - - [09/Mar/2006:16:54:38 +0100] "SEARCH\x90\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9" 414 339 "-" "-"
c-c8dbe253.02-11-73746f2.sed.awk.away.com - - [09/Mar/2006:16:54:38 +0100] "GET / HTTP/1.0" 200 251213 "-" "-"
c-c8dbe253.02-11-73746f2.sed.awk.away.com - - [09/Mar/2006:16:55:09 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 316 "-" "-"

This attack code is trying to exploit, with a buffer overflow, a known vulnerability
in Microsoft IIS running the FrontPage Server Extensions, and it is totally harmless
to a Unix system running Apache. The 414 (Request-URI Too Long) on the SEARCH entry
shows Apache simply rejected the oversized request, and the 404 on the POST shows
that fp30reg.dll does not even exist on this server.

http://www.microsoft.com/technet/security/bulletin/MS03-051.mspx
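As an added example, not code from the original post, here is a small Python script that parses Apache access-log lines like the ones above and flags the three things the post points out: an unusual method such as SEARCH, a long run of escaped bytes in the request line (Apache writes non-printable request bytes as \xNN), and a request for fp30reg.dll. The host names, timestamps and sizes in the embedded sample log are constructed placeholders, and the indicator names are my own.

```python
"""Flag MS03-051-style FrontPage probes in Apache access logs (added example)."""
import re
from collections import Counter

# Constructed sample log modelled on the post's entries. Host names, sizes and
# the exact padding length are placeholders, not data from the original page.
NOP_SLED = r"\x90" + r"\xc9" * 15     # 16 escaped bytes, as Apache would log them
SAMPLE_LOG = "\n".join([
    f'host-a.example.invalid - - [09/Mar/2006:16:54:38 +0100] "SEARCH{NOP_SLED}" 414 339 "-" "-"',
    'host-a.example.invalid - - [09/Mar/2006:16:54:38 +0100] "GET / HTTP/1.0" 200 251213 "-" "-"',
    'host-a.example.invalid - - [09/Mar/2006:16:55:09 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 316 "-" "-"',
    'host-b.example.invalid - - [09/Mar/2006:17:02:11 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
])

# Apache common/combined log format; the referer/user-agent pair is optional.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

# Eight or more consecutive escaped bytes in a request line is binary padding
# (a NOP sled), not anything a browser would send as a URL.
ESCAPED_RUN_RE = re.compile(r'(?:\\x[0-9a-fA-F]{2}){8,}')
KNOWN_METHODS = {"GET", "POST", "HEAD", "OPTIONS", "PUT", "DELETE", "TRACE", "CONNECT"}


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of indicators that apply to one parsed entry (empty if benign)."""
    request = entry["request"]
    indicators = []
    # The SEARCH request has no space after the method, so take the leading
    # letters instead of splitting on whitespace.
    method_match = re.match(r'[A-Za-z]+', request)
    method = method_match.group(0).upper() if method_match else ""
    if method not in KNOWN_METHODS:
        indicators.append("unusual-method:" + (method or "?"))
    run = ESCAPED_RUN_RE.search(request)
    if run:
        byte_count = len(run.group(0)) // 4   # each escaped byte is four characters
        indicators.append(f"escaped-byte-run:{byte_count}")
    if "fp30reg.dll" in request.lower():
        indicators.append("fp30reg-probe:MS03-051")
    # A 414 on an already suspicious line means Apache refused the oversized request.
    if entry["status"] == "414" and indicators:
        indicators.append("rejected-414")
    return indicators


def analyze(log_text):
    """Parse a whole log and return only the entries that trip at least one indicator."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line.strip())
        if not entry:
            continue
        indicators = classify(entry)
        if indicators:
            findings.append({"host": entry["host"], "time": entry["time"],
                             "status": entry["status"], "indicators": indicators})
    return findings


def hosts_by_hits(findings):
    """Count flagged requests per client host, to see who is scanning you."""
    return Counter(f["host"] for f in findings)


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f["host"], f["time"], f["status"], ", ".join(f["indicators"]))
    print(hosts_by_hits(results))
```

On the sample log the SEARCH line is flagged for its method, its 16-byte escaped run and the 414, the POST is flagged as an fp30reg.dll probe, and the two ordinary GETs pass through untouched. To run it over a real log, replace SAMPLE_LOG with the file contents; the counter at the end gives a quick per-host view of who is sending the probes.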

2 comments:

kain said...

Thanks for this useful information; I was seeing this kind of attack in my Apache logs.

patrick said...

I just had one of these attacks yesterday. Now I know it was harmless to my Unix. Thanks.