[lug] New attack?

rm at fabula.de rm at fabula.de
Mon Jul 8 09:35:19 MDT 2002 

On Mon, Jul 08, 2002 at 09:19:44AM -0600, Andrew R. Diederich wrote:
> It's a bug.  Here's from Apache week issue 301:
> 
>      One of the changes included in Apache 1.3.26 has caused a few
>      surprises as parsing of the HTTP request line in Apache has become
>      stricter; now rejecting some illegal requests which earlier
>      versions accepted. Any client applications which were generating
>      illegal request lines and getting away with it will find that when
>      taking to Apache 1.3.26 a 400 Illegal Request error response will
>      be returned. An example of an illegal request line would be to
>      include an unescaped space character in the URI. Consensus on the
>      list was that the code should be reverted to the previous
>      behaviour, following the IETF maxim: "be liberal in what you
>      accept".
> 
> Hope this helps.

Hmm, the 'Host' header isn't really part of the HTTP request line ...
Just looking at the (IIS) server that's answering under the IP address in
the log file - why would anybody start a request from a server ? (:-)
It could be that the server itself is infected and scans other servers
(or it could be a sysadmin trying to test his/her server misstyping an
URL/Ip address ;-)

  Ralf
 
> --
> Andrew
> 
> On Mon, 8 Jul 2002, Rob Nagler wrote:
> 
> > I saw this yesterday and today:
> > 
> > [Mon Jul  8 07:11:42 2002] [error] [client 200.24.106.34] Client sent malformed Host header
> > 
> > I'm in the midst of upgrading our production machines to apache 1.3.26
> > (and RH7.2).  I'm not seeing the above message on the production
> > machines.
> > 
> > Thanks,
> > Rob
> > 
> > 
> > _______________________________________________
> > Web Page:  http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> > Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
> > 
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug

More information about the LUG mailing list