[PLUG] Warning: Truncating oversized request field

Keith Lofstrom keithl at kl-ic.com
Tue May 4 08:46:02 UTC 2004


I am seeing hundreds of errors from /etc/cron.daily/00webalizer

    Warning: Truncating oversized request field [<number here>]

in my firewall log file (RH9 with upgrades). 

The file /var/log/http/access_log is 1.5M long for two days instead
of the usual 100K to 400K for a week, and there are some very long
requests in that file for nonexistent web pages. The usual
"GET /default.ida?XXXXXXXXX..." worm tracks are in that log file of course,
but these new ones I am seeing are well-formed requests for pages I
redirect to my comcast website, with steadily mounting lengths of
subdirectories (sometimes running 150 subdirs deep and 1000 characters
long).

I assume this is some Windoze worm out there, assuming I am running
M$ IIS and trying to buffer-overflow its way in. The IP dotquad these
requests are allegedly coming from doesn't respond to ping, and the
attack started and stopped in the middle of the night, before tripwire
ran (and found no changes). Anything I should be concerned about? Is
there anyone I should be informing?

Keith

-- 
Keith Lofstrom           keithl at ieee.org         Voice (503)-520-1993
KLIC --- Keith Lofstrom Integrated Circuits --- "Your Ideas in Silicon"
Design Contracting in Bipolar and CMOS - Analog, Digital, and Scan ICs
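
One way to triage an access log for the pattern described in the message above, as an added example that is not part of the original post: it groups oversized or very deep request paths, and default.ida probes, by client address. The thresholds, the Common Log Format layout and the sample lines are assumptions.

```python
import re

# Thresholds are assumptions, sized against the figures in the post
# (about 150 subdirectories, about 1000 characters).
MAX_PATH_LEN = 500
MAX_DEPTH = 50

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3} \S+')

def classify(target):
    """Return (label, path_len, depth) for a suspicious target, else None."""
    path = target.split("?", 1)[0]
    depth = sum(1 for seg in path.split("/") if seg)
    if path.lower().endswith("/default.ida"):
        return ("default.ida probe", len(path), depth)
    if len(path) > MAX_PATH_LEN or depth > MAX_DEPTH:
        return ("oversized path", len(path), depth)
    return None

def summarize(lines):
    """Group flagged requests by (client, label) in log order."""
    report = {}
    for line in lines:
        m = LINE_RE.match(line)
        hit = classify(m.group(3)) if m else None
        if hit is None:
            continue
        label, plen, depth = hit
        row = report.setdefault((m.group(1), label), {
            "count": 0, "first": m.group(2), "last": m.group(2),
            "max_len": 0, "max_depth": 0})
        row["count"] += 1
        row["last"] = m.group(2)
        row["max_len"] = max(row["max_len"], plen)
        row["max_depth"] = max(row["max_depth"], depth)
    return report

def _line(ip, when, target, status=302):
    return '%s - - [04/May/2004:%s +0000] "GET %s HTTP/1.0" %d 0' % (ip, when, target, status)

# Constructed sample lines (documentation-range addresses, invented times).
SAMPLE_LOG = [
    _line("203.0.113.5", "01:58:11", "/index.html", 200),
    _line("198.51.100.7", "02:03:40", "/default.ida?XXXXXXXX", 404),
    _line("192.0.2.10", "02:10:05", "/subdir" * 40 + "/page.html"),
    _line("192.0.2.10", "02:10:09", "/subdir" * 80 + "/page.html"),
    _line("192.0.2.10", "02:10:14", "/subdir" * 150 + "/page.html"),
]

if __name__ == "__main__":
    for (ip, label), row in summarize(SAMPLE_LOG).items():
        print(ip, label, row)
```

The first and last timestamps per client give the start and stop of the burst, which can be compared with the time of the tripwire run.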



