What HTTP exploit?
Can anyone identify this http exploit? Seen in the apache logs:

foo.bar.com - - [30/May/2004:02:45:28 -0400] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\
x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\
xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1

etc - and it goes on for about 1200 bytes.

Been getting an annoying number of these in my httpd logs today - it botches up my log analyser program.
| Behalf Of John Palmer (NANOG Acct)
| Sent: May 30, 2004 4:44 PM
|
| Can anyone identify this http exploit? Seen in the apache logs:
|
| foo.bar.com
| - - [30/May/2004:02:45:28 -0400] "SEARCH
| /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\
| x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
| 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
| 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\
| xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\
| xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1
|
| etc - and it goes on for about 1200 bytes.

This is an older IIS WebDAV exploit. More info at
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx

You can mod_rewrite these attempts to /dev/null

RedirectMatch permanent (.*)\/x90\/(.*)$ /dev/null

Todd
--
It seems to be another stupid Microsoft Exploit that just causes annoyance for Unix Boxes. The ones on my boxes seem to be about 32K in size and have been occurring for the past 2 months or more. The only side effect is they fill my dmesg logs with signal 11's from apache crashing.

pid 74210 (httpd), uid 80: exited on signal 11
pid 19971 (httpd), uid 80: exited on signal 11
pid 19969 (httpd), uid 80: exited on signal 11
pid 19970 (httpd), uid 80: exited on signal 11

Etc.

--
Matthew

----- Original Message -----
From: "John Palmer (NANOG Acct)" <nanog@adns.net>
To: <nanog@merit.edu>
Sent: Sunday, May 30, 2004 4:43 PM
Subject: What HTTP exploit?
Can anyone identify this http exploit? Seen in the apache logs:
foo.bar.com - - [30/May/2004:02:45:28 -0400] "SEARCH
/\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\
x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\
xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1

etc - and it goes on for about 1200 bytes.
Been getting an annoying number of these in my httpd logs today - it
botches up my log analyser program.
On Sun, 30 May 2004 15:43:58 -0500 "John Palmer (NANOG Acct)" <nanog@adns.net> wrote:
Can anyone identify this http exploit? Seen in the apache logs:
foo.bar.com - - [30/May/2004:02:45:28 -0400] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\
x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\
xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1
etc - and it goes on for about 1200 bytes.
Been getting an annoying number of these in my httpd logs today - it botches up my log analyser program.
I just installed the following in my apache configs to get rid of it:

# control logging
SetEnvIf Request_URI "^/default.ida?" dontlog
SetEnvIf Request_Method "SEARCH" dontlog

and then later on...

CustomLog /var/log/httpd/access_log combined env=!dontlog

between the two of them, they were consuming an absurd amount of space in my /var/log partitions.

richard
--
Richard Welty rwelty@averillpark.net
Averill Park Networking 518-573-7592
Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
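The SetEnvIf approach above drops these requests from the access log altogether. An alternative for sites that want to keep the evidence is to leave the log intact and tag the probes at analysis time. The following Python check is an added example, not something posted in this thread: it assumes Apache common/combined log format (where non-printable request bytes are written as \xNN escapes, which is why the probe appears as literal "\x90\x02\xb1..." text), decodes the request target, flags SEARCH requests whose target starts with "/" followed by 0x90 and is mostly non-printable, and counts them per source host. The sample log lines are constructed, with the probe target shortened.

```python
import re
from collections import Counter

# Apache common/combined prefix: host ident user [time] "METHOD target ...
# (no closing quote required, so a line cut off mid-request still parses)
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>[^"\s]*)')
# Apache logs non-printable request bytes as \xNN, hence the literal "\x90\x02\xb1..." text
ESCAPED_BYTE_RE = re.compile(r'\\x([0-9a-fA-F]{2})')

def decode_escaped(target):
    """Undo Apache's hex log escaping and return the raw request-target bytes."""
    out, pos = bytearray(), 0
    for m in ESCAPED_BYTE_RE.finditer(target):
        out += target[pos:m.start()].encode('latin-1')
        out.append(int(m.group(1), 16))
        pos = m.end()
    return bytes(out + target[pos:].encode('latin-1'))

def classify(line):
    """Return (host, verdict, decoded target length) or None if the line does not parse.
    verdict: 'ms03-007-probe' (SEARCH whose target opens with "/" 0x90 and is mostly
    non-printable bytes), 'search' (any other WebDAV SEARCH) or 'other'."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, raw = m.group('host'), decode_escaped(m.group('target'))
    if m.group('method') != 'SEARCH':
        return host, 'other', len(raw)
    nonprint = sum(1 for b in raw if b < 0x20 or b > 0x7e)
    if raw.startswith(b'/\x90') and nonprint * 2 > len(raw):
        return host, 'ms03-007-probe', len(raw)
    return host, 'search', len(raw)

def probes_by_host(lines):
    """Count probe lines per source host; every other line is left for the analyser."""
    counts = Counter()
    for line in lines:
        r = classify(line)
        if r and r[1] == 'ms03-007-probe':
            counts[r[0]] += 1
    return counts

# Constructed sample lines in the shape of the one posted to the list; the
# probe target is shortened (the real one runs to roughly 1200 bytes).
PROBE = '"SEARCH /\\x90' + '\\x02\\xb1' * 60 + ' HTTP/1.1" 414 345'
SAMPLE_LOG = [
    'foo.bar.com - - [30/May/2004:02:45:28 -0400] ' + PROBE,
    'foo.bar.com - - [30/May/2004:02:45:29 -0400] ' + PROBE,
    '10.0.0.5 - - [30/May/2004:03:10:01 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.7 - - [30/May/2004:03:11:12 -0400] "SEARCH /dav/ HTTP/1.1" 207 512',
]
```

Running `probes_by_host(SAMPLE_LOG)` over the constructed lines returns a count of 2 for foo.bar.com and leaves the ordinary GET and the legitimate-looking SEARCH untouched.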
Richard Welty [30/05/04 19:57 -0400]:
# control logging
SetEnvIf Request_URI "^/default.ida?" dontlog
SetEnvIf Request_Method "SEARCH" dontlog
Nathan Torkington's vermicide helps - (needs mod_perl)

srs

# this goes into your httpd.conf file
#
# the push_handlers line below prevents logging of worm requests
# remove that line if you want to know who's been contacting you

<Perl>
{
    package Apache::Vermicide;
    use Apache::Constants qw(:common :response);

    sub handler {
        my $r = shift;
        if ($r->uri() =~ /root\.exe|cmd\.exe|default\.ida/i) {
            $r->push_handlers(PerlLogHandler => sub { return BAD_REQUEST });
            return BAD_REQUEST;
        }
        return DECLINED;
    }
}
</Perl>

PerlPostReadRequestHandler Apache::Vermicide
participants (5)
- John Palmer (NANOG Acct)
- Matthew McGehrin
- Richard Welty
- Suresh Ramasubramanian
- Todd Mitchell - lists