Tilted Forum Project Discussion Community - View Single Post

HarmlessRabbit · 05-09-2004, 12:07 AM

probably you mean Active State PERL overflow. Activestate is the commercial company that does a lot of the Perl maintenance and such.

Basically, here's what is happening. Someone is trying to scan your machine to see if it is vulnerable to a particular attack. So, they are hitting your webserver with a request that, if successful, might crash your machine, implant a virus, or do any other manner of thing.

A buffer overflow happens when a programmer improperly allocates too little space for a variable. So, the programmer allocated 100k for a variable but loaded that variable with 128k of data. This is a very easy error to make, a simple typo, incorrect conversion from hex to decimal, or other mistakes can cause it.

Once a smart hacker finds one of these variables, they can now, in the above example, load an arbitrary 28k of data into memory and execute it. This program can do anything the hacker is creative enough to make it do.

Now, for you, if your firewall is catching it, don't worry. You might want to look up and see if your version of perl is patched for whatever exploit it is trying to use. Reporting the IP to the attackers ISP is probably useless, as the source machine is probably a machine infected with a virus or trojan.

Bottom line: check for perl updates. If you are patched, no worries.

05-09-2004, 12:07 AM	#2 (permalink)
HarmlessRabbit Junkie Location: San Jose, CA	probably you mean Active State PERL overflow. Activestate is the commercial company that does a lot of the Perl maintenance and such. Basically, here's what is happening. Someone is trying to scan your machine to see if it is vulnerable to a particular attack. So, they are hitting your webserver with a request that, if successful, might crash your machine, implant a virus, or do any other manner of thing. A buffer overflow happens when a programmer improperly allocates too little space for a variable. So, the programmer allocated 100k for a variable but loaded that variable with 128k of data. This is a very easy error to make, a simple typo, incorrect conversion from hex to decimal, or other mistakes can cause it. Once a smart hacker finds one of these variables, they can now, in the above example, load an arbitrary 28k of data into memory and execute it. This program can do anything the hacker is creative enough to make it do. Now, for you, if your firewall is catching it, don't worry. You might want to look up and see if your version of perl is patched for whatever exploit it is trying to use. Reporting the IP to the attackers ISP is probably useless, as the source machine is probably a machine infected with a virus or trojan. Bottom line: check for perl updates. If you are patched, no worries.