| Behalf Of John Palmer (NANOG Acct) | Sent: May 30, 2004 4:44 PM | | Can anyone identify this http exploit? Seen in the apache logs: | | foo.bar.com | - - [30/May/2004:02:45:28 -0400] "SEARCH | /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\ | x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb | 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb | 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\ | xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\ | xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1 | | etc - and it goes on for about 1200 bytes. This is an older IIS WebDAV exploit. More info at http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx You can mod_rewrite these attempts to /dev/null RedirectMatch permanent (.*)\/x90\/(.*)$ /dev/null Todd --