[PLUG] Warning: Truncating oversized request field
Kyle Hayes
kyle at silverbeach.net
Tue May 4 11:23:02 UTC 2004

On Tuesday 04 May 2004 08:45, Keith Lofstrom wrote:
> I am seeing hundreds of errors from /etc/cron.daily/00webalizer
>
> Warning: Truncating oversized request field [<number here>]
>
> in my firewall log file (RH9 with upgrades).
>
> [snip] (sometimes running 150 subdirs deep and
> 1000 characters long).

Ouch. The original spec for HTTP only used something like 256
characters for a URL. There are limits to what browsers and servers
support. It is usually much higher than 256 characters, but you're
into the 1k range.

> I assume this is some Windoze worm out there, assuming I am running
> M$ IS and trying to buffer-overflow its way in. The IP dotquad
> these requests are allegedly coming from doesn't respond to ping,
> and the attack started and stopped in the middle of the night,
> before tripwire ran (and found no changes). Anything I should be
> concerned about? Is there anyone I should be informing?

I think Alan might be right. It could be a misconfigured spider or
something. Do all the hits tend to come from one or a small cluster
of IPs? Do they seem to be methodically going through your directory
tree? The redirection to Comcast might be confusing it, maybe???
Then again, maybe there is another vulnerability in IIS having to do
with long URLs and you're just the current target of some script
kiddy.

Best,
Kyle
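
The two triage questions in the reply above (do the hits come from one IP or a small cluster, and do they walk the directory tree methodically) can be answered from the web server's access log. This is an added example, not part of the original message: it assumes Common Log Format, and the 256-character cut-off, the `triage` function and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Common Log Format: host ident user [time] "METHOD path PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

def triage(lines, min_len=256):
    """Summarise oversized requests per source IP.

    min_len is an assumed cut-off for "oversized", not Webalizer's own limit.
    """
    per_ip = defaultdict(list)
    for line in lines:
        m = CLF.match(line)
        if m and len(m.group(3)) >= min_len:
            per_ip[m.group(1)].append(m.group(3))
    report = {}
    for ip, paths in per_ip.items():
        segs = [p.split("?")[0].strip("/").split("/") for p in paths]
        # A request that extends the previous one suggests a methodical walk.
        nested = sum(b[:len(a)] == a and len(b) > len(a)
                     for a, b in zip(segs, segs[1:]))
        deepest = max(segs, key=len)
        report[ip] = {
            "hits": len(paths),
            "max_depth": len(deepest),
            "max_len": max(map(len, paths)),
            # Very few distinct names at great depth points to a link loop
            # (e.g. a spider following a relative redirect over and over).
            "distinct_segments": len(set(deepest)),
            "nested_steps": nested,
        }
    return report

def sample_log():
    """Constructed sample: one client looping on a/b/, one normal client."""
    out = []
    for depth in range(70, 74):
        path = "/" + "a/b/" * depth
        out.append(f'192.0.2.10 - - [04/May/2004:03:1{depth - 70}:00 -0700] '
                   f'"GET {path} HTTP/1.0" 302 0')
    out.append('198.51.100.7 - - [04/May/2004:03:20:00 -0700] '
               '"GET /index.html HTTP/1.1" 200 512')
    return out

if __name__ == "__main__":
    for ip, summary in triage(sample_log()).items():
        print(ip, summary)
```

A single source with high `max_depth`, low `distinct_segments` and many `nested_steps` fits the confused-spider explanation; long requests with varied, non-nested content from many sources would fit it less well.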