httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew Hamm" <>
Subject [users@httpd] IIS SEARCH exploit filling my apache2 logs
Date Fri, 16 Jul 2004 02:11:52 GMT

Hi folks,

I've just installed Apache 2.0.50 into RedHat Linux - a default build and
install from source. I'm new to this but keeping an eye on what's
happening to the server from the big bad outside world.

My access_log is sporadically getting SEARCH commands with approx 32k of
binary rubbish (represented in \0xXX) in the packet. A search of the user
group archives has revealed this recent thread:

>On Sun, 11 Apr 2004, Aaron Axelsen wrote:
>> Below is a chunk of my access log file, is this some type of virus
>> going around?
>> - - [11/Apr/2004:01:50:07 -0500] "SEARCH
>> /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1
>Yes.  It is a virus exploiting a flaw in MS-IIS's DAV implimentation.  It
>is not a threat to apache.

OK - so at least it's safe, but it's also filling the logs.

I'm still trying to find out what a SEARCH is vs. a GET or POST - can I
get a quick answer because there is so much doco to wade through and so
far I haven't stumbled on an explanation.

The real question is - can I block or at least filter out these SEARCH
requests from the log? Once again, so much doco to get through before I
can start to understand...

TIA for any quick and/or detailed answers.
Having fun is half the fun - Guru Adrian.

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message