
Shellcode


Err


On an Apache server I have, I've been getting what I can only describe as attacks from different IPs. My access logs have this:

68.91.91.177 - - [25/Apr/2012:17:13:40 -0500] "\xb2\xfdf\x1c/\xbf\x96z\x18\xce\xd8'\r?`\xle;\x0e@D\xed\xdd\x7f\x88\xdaB" 501 299 "-" "-"

I did a bit of research and found that it may be linked to shellcode. Shellcode, as I've understood it in this context, is arbitrary code that can be run on the machine to give attackers control over it. Am I right about this? How can I prevent such attacks? Or, at the very least, protect against these types of attacks?


You can't. It's up to Apache (and its modules) to protect you by ensuring there are no buffer overflows or stuff like that. The only thing you can do is keep Apache up to date.

The fact you're even seeing this in your access logs (plus, that you're seeing it encoded, as opposed to seeing it in plain text) means Apache is doing a good job in avoiding this particular attack.

If Apache had a flaw somewhere else... like, say, if a header/method/whatever was triggering a different kind of parsing for the request body, with this parsing being flawed... then an attacker could use that flaw to potentially take over the server.

Note also that this attack may not even be targeted at an Apache flaw. It could be targeted at another web server that the attacker knows has a flaw, but they've programmed a bot to search every IP, rather than a specific known server... or it could even be targeted at a completely different protocol (=> applications), with the bot being programmed to search every port for it.


Shouldn't I be able to detect messages like that through a .htaccess file and prevent attacks that way? Or would it be too late by the time the messages reach the .htaccess file?


You can't stop clients from sending you arbitrary data. You can only adjust the way Apache processes this data, but to a limited degree, since you are, after all, supposed to be dealing with a web server, not an FTP/SSH/SMTP/whatever server.

You see, clients connect to your server with the TCP protocol, and that protocol allows bi-directional transmission of arbitrary data at arbitrary times during the connection. The client can never be sure what server it is dealing with, and the server can't be sure what client it's dealing with. That is why "higher level protocols" like HTTP often include ways with which each party indicates to the other "hey, I'm using this protocol, with that version". Alternatively, they include very specific sequences each party is expected to perform before any real job is done (thus guaranteeing that each party can at least pretend to be compliant).

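The two answers above leave the poster with one practical, defender-side task: the request Apache could not parse is already rejected with a 400 or 501 before any .htaccess rule is consulted, so the useful thing to do with these lines is to detect them and count them per source address. The following Python script is an added example, not code from the thread or from Apache. It parses Apache combined-format access log lines, separates syntactically valid HTTP request lines from everything else, notes which of the latter contain the `\xNN` escapes Apache uses to log raw non-printable bytes, and summarises per IP. The first sample line is the one quoted in the question; the other three are constructed here (the 203.0.113.x and 198.51.100.x addresses are documentation ranges), and the threshold in `suspicious_ips` is an arbitrary choice for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access log lines in Apache's combined format. The first
# line is the one quoted in the thread; the other three are made up here so
# the parser sees both ordinary requests and a second binary one.
# Apache writes non-printable request bytes as \xNN escapes, which is why the
# odd lines look the way they do.
SAMPLE_LOG = r'''68.91.91.177 - - [25/Apr/2012:17:13:40 -0500] "\xb2\xfdf\x1c/\xbf\x96z\x18\xce\xd8'\r?`\xle;\x0e@D\xed\xdd\x7f\x88\xdaB" 501 299 "-" "-"
203.0.113.5 - - [25/Apr/2012:17:14:02 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
68.91.91.177 - - [25/Apr/2012:17:14:10 -0500] "\x16\x03\x01\x00\xa5" 400 226 "-" "-"
198.51.100.9 - - [25/Apr/2012:17:15:33 -0500] "GET /robots.txt HTTP/1.1" 404 209 "-" "curl/7.22.0"'''.splitlines()

# One combined-format line. Quoted fields may contain backslash escapes
# (\xNN, \", \r), so they are matched as "anything except an unescaped quote".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# What a well-formed request line looks like: METHOD SP target SP HTTP/x.y
VALID_REQ_RE = re.compile(
    r'^(?:GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT|PATCH) \S+ HTTP/\d\.\d$'
)

# Escaped raw bytes that Apache had to encode in order to log the request.
ESCAPED_BYTE_RE = re.compile(r'\\x[0-9a-fA-F]{2}')


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['size'] = 0 if rec['size'] == '-' else int(rec['size'])
    return rec


def has_escaped_bytes(request):
    """True if the logged request line contains \\xNN escapes (raw non-printable bytes)."""
    return ESCAPED_BYTE_RE.search(request) is not None


def is_http_request(request):
    """True if the request line is syntactically an HTTP request line."""
    return VALID_REQ_RE.match(request) is not None


def summarize(lines):
    """Count per IP how many requests were valid HTTP, how many were not,
    how many of those carried raw bytes, and how many Apache rejected outright.
    Returns (per_ip, unparsed_lines)."""
    per_ip = defaultdict(Counter)
    unparsed = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
            continue
        c = per_ip[rec['ip']]
        if is_http_request(rec['request']):
            c['http'] += 1
        else:
            c['non_http'] += 1
            if has_escaped_bytes(rec['request']):
                c['binary'] += 1
            # Apache answers an unparseable request line with 400 or 501
            # before any .htaccess directive or handler is consulted.
            if rec['status'] in (400, 501):
                c['rejected'] += 1
    return dict(per_ip), unparsed


def suspicious_ips(per_ip, min_non_http=2):
    """IPs that sent at least min_non_http non-HTTP request lines (threshold is arbitrary)."""
    return sorted(ip for ip, c in per_ip.items() if c['non_http'] >= min_non_http)


if __name__ == '__main__':
    per_ip, unparsed = summarize(SAMPLE_LOG)
    for ip, c in sorted(per_ip.items()):
        print(f"{ip:16} http={c['http']} non_http={c['non_http']} "
              f"binary={c['binary']} rejected={c['rejected']}")
    print("flag for review:", suspicious_ips(per_ip))
    print("unparsed lines:", len(unparsed))
```

On the sample data the script flags 68.91.91.177 with two non-HTTP request lines, both rejected by Apache. Against a real log, the per-IP counts are what you would feed into a rate limit or firewall rule at the network layer, since, as the answers above explain, an .htaccess file never sees a request that Apache could not parse in the first place.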

Thanks, your explanations have been very helpful.

Edited by Err
