httpd-users mailing list archives

From "Andrew Hamm" <ah...@civica.com.au>
Subject [users@httpd] IIS SEARCH exploit filling my apache2 logs
Date Fri, 16 Jul 2004 02:11:52 GMT

Hi folks,

I've just installed Apache 2.0.50 into RedHat Linux - a default build and
install from source. I'm new to this but keeping an eye on what's
happening to the server from the big bad outside world.

My access_log is sporadically getting SEARCH commands with approx 32k of
binary rubbish (represented in \0xXX) in the packet. A search of the user
group archives has revealed this recent thread:

>On Sun, 11 Apr 2004, Aaron Axelsen wrote:
>
>> Below is a chunk of my access log file, is this some type of virus
>> going around?
>>
>> 67.115.86.236 - - [11/Apr/2004:01:50:07 -0500] "SEARCH
>> /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1
>
>Yes.  It is a virus exploiting a flaw in MS-IIS's DAV implementation.  It
>is not a threat to apache.
>
>Joshua.

OK - so at least it's safe, but it's also filling the logs.

I'm still trying to find out what a SEARCH is vs. a GET or POST - can I
get a quick answer because there is so much doco to wade through and so
far I haven't stumbled on an explanation.

The real question is - can I block or at least filter out these SEARCH
requests from the log? Once again, so much doco to get through before I
can start to understand...

TIA for any quick and/or detailed answers.
-- 
Having fun is half the fun - Guru Adrian.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
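
One way to keep these requests out of the log that gets read, as an added example that is not part of the original message or of the Apache project: a Python filter that splits an access_log into ordinary lines and a per-host count of binary-laden SEARCH probes. It assumes the Common Log Format; the sample lines, host addresses and the `min_escapes` threshold are constructed for illustration.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) (\S+)$')
# Apache writes non-printable request bytes as \xHH escapes
ESCAPED_BYTE = re.compile(r'\\x[0-9a-fA-F]{2}')

def is_search_probe(request, min_escapes=8):
    """True for a SEARCH request whose target is full of escaped binary."""
    method, _, target = request.partition(" ")
    return method == "SEARCH" and len(ESCAPED_BYTE.findall(target)) >= min_escapes

def split_log(lines):
    """Return (kept_lines, probe_count_per_host, unparsed_lines)."""
    kept, probes, unparsed = [], Counter(), []
    for line in lines:
        line = line.rstrip("\n")
        m = CLF.match(line)
        if m is None:
            unparsed.append(line)        # never silently drop what cannot be parsed
        elif is_search_probe(m.group(3)):
            probes[m.group(1)] += 1      # keep a count instead of ~32k of noise
        else:
            kept.append(line)
    return kept, probes, unparsed

# Constructed sample input (documentation addresses, shortened payload)
PAYLOAD = r"\x90\x02\xb1" * 20
SAMPLE = [
    '203.0.113.7 - - [16/Jul/2004:01:02:03 +1000] "GET /index.html HTTP/1.1" 200 1456',
    '198.51.100.23 - - [16/Jul/2004:01:05:40 +1000] "SEARCH /' + PAYLOAD + '" 414 339',
    '198.51.100.23 - - [16/Jul/2004:01:05:41 +1000] "SEARCH /' + PAYLOAD + '" 414 339',
    # A SEARCH without binary content is left in the log for a human to review
    '203.0.113.7 - - [16/Jul/2004:01:09:10 +1000] "SEARCH /docs HTTP/1.1" 501 215',
    'not a log line',
]

if __name__ == "__main__":
    kept, probes, unparsed = split_log(SAMPLE)
    print("\n".join(kept))
    for host, count in probes.most_common():
        print(f"# {count} SEARCH probe(s) from {host}")
    print(f"# {len(unparsed)} unparsed line(s)")
```

The original access_log is left untouched, so the full requests remain available if they are ever needed.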

