Re: Very long URL with malice intended
On Wed, Mar 31, 2004 at 06:32:53PM +0300, Toni Heinonen wrote:
>>On Sat, 27 Mar 2004 15:50:53 -0600, Jack L. Stone wrote:
>>>At 08:28 PM 3.27.2004 +0100, Cordula's Web wrote:
>Within the past couple of weeks, the Apache logs have shown a new
>type of intrusion -- a very, very long URL request...
>
>My question is what syntax can I add, if any, to my httpd.conf to
>redirect such requests..??
>
>65.35.186.74 - - [26/Mar/2004:19:01:04 -0600] "SEARCH
>/\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\...
Are only SEARCH requests affected, or GET as well?
>>
>>Hey all. A question from a heretofore unrevealed skulker :^>. Was
>>this question ever answered off-list? My own box is getting hit
>>quite often with these & I'm concerned that they might be causing
>>harm. thks
>
>Don't be concerned, those are probably worms looking for IIS holes or
>the like. Since you're running Apache you're not vulnerable.

ah. That's what I wanted to hear, annoying but harmless. Thanks to both
you & Nick for your speedy responses.

seeyah
--
GROG!      __^__     Our vision is to speed up time, eventually
thks      /(o o)\    eliminating it. -- Alex Schure
       --oOO==(_)==OOo--
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

RE: Very long URL with malice intended
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:owner-freebsd-
> [EMAIL PROTECTED] On Behalf Of GROG! (Jeff Howie)
> Sent: Wednesday, March 31, 2004 10:09 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Very long URL with malice intended
>
> On Sat, 27 Mar 2004 15:50:53 -0600, Jack L. Stone wrote:
> >At 08:28 PM 3.27.2004 +0100, Cordula's Web wrote:
> >>>Within the past couple of weeks, the Apache logs have shown a new
> >>>type of intrusion -- a very, very long URL request...
> >>>
> >>>My question is what syntax can I add, if any, to my httpd.conf to
> >>>redirect such requests..??
> >>>
> >>>65.35.186.74 - - [26/Mar/2004:19:01:04 -0600] "SEARCH
> >>>/\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\...
> >>
> >>Are only SEARCH requests affected, or GET as well?
>
> Hey all. A question from a heretofore unrevealed skulker :^>. Was this
> question ever answered off-list? My own box is getting hit quite often
> with these & I'm concerned that they might be causing harm. thks
>
> >The ones I've seen have all been SEARCH
>
> Me too.
>
> thks
>
> --
> GROG!      MMM     Reality is that which, when you stop believing
> thks      (o o)    in it, doesn't go away. -- Philip K. Dick
>      --ooO-(_)-Ooo--

It is an IIS WebDAV exploit from April 2003 (?), apache is not affected,
it's just annoying :) (nachi and agobot use this exploit)

RE: Very long URL with malice intended
> On Sat, 27 Mar 2004 15:50:53 -0600, Jack L. Stone wrote:
> >At 08:28 PM 3.27.2004 +0100, Cordula's Web wrote:
> >>>Within the past couple of weeks, the Apache logs have shown a new
> >>>type of intrusion -- a very, very long URL request...
> >>>
> >>>My question is what syntax can I add, if any, to my httpd.conf to
> >>>redirect such requests..??
> >>>
> >>>65.35.186.74 - - [26/Mar/2004:19:01:04 -0600] "SEARCH
> >>>/\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\...
> >>
> >>Are only SEARCH requests affected, or GET as well?
>
> Hey all. A question from a heretofore unrevealed skulker :^>. Was this
> question ever answered off-list? My own box is getting hit quite often
> with these & I'm concerned that they might be causing harm. thks

Don't be concerned, those are probably worms looking for IIS holes or
the like. Since you're running Apache you're not vulnerable.

Re: Very long URL with malice intended
On Sat, 27 Mar 2004 15:50:53 -0600, Jack L. Stone wrote:
>At 08:28 PM 3.27.2004 +0100, Cordula's Web wrote:
>>>Within the past couple of weeks, the Apache logs have shown a new
>>>type of intrusion -- a very, very long URL request...
>>>
>>>My question is what syntax can I add, if any, to my httpd.conf to
>>>redirect such requests..??
>>>
>>>65.35.186.74 - - [26/Mar/2004:19:01:04 -0600] "SEARCH
>>>/\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\...
>>
>>Are only SEARCH requests affected, or GET as well?

Hey all. A question from a heretofore unrevealed skulker :^>. Was this
question ever answered off-list? My own box is getting hit quite often
with these & I'm concerned that they might be causing harm. thks

>The ones I've seen have all been SEARCH

Me too.

thks

--
GROG!      MMM     Reality is that which, when you stop believing
thks      (o o)    in it, doesn't go away. -- Philip K. Dick
     --ooO-(_)-Ooo--

Re: Very long URL with malice intended
At 08:28 PM 3.27.2004 +0100, Cordula's Web wrote:
>> Within the past couple of weeks, the Apache logs have shown a new type of
>> intrusion -- a very, very long URL request -- that finally receives an error
>> 414. I don't know the purpose of this one, but doesn't appear
>> well-intended. It comes late at night and from different IPs. One request
>> even used one of my own IPs. So, the firewall won't help -- nor server deny.
>>
>> My question is what syntax can I add, if any, to my httpd.conf to redirect
>> such requests..??
>>
>> Here's a very small (about 1-5%) snippet of the nasty URL:
>>
>> 65.35.186.74 - - [26/Mar/2004:19:01:04 -0600] "SEARCH
>> /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
>> 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
>> 2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
>> 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
>> 2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
>> 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
>> 2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 and
>> on and on
>
>Are only SEARCH requests affected, or GET as well?
>

The ones I've seen have all been SEARCH

Best regards,
Jack L. Stone,
Administrator

Sage American
http://www.sage-american.com
[EMAIL PROTECTED]

Re: Very long URL with malice intended
> Within the past couple of weeks, the Apache logs have shown a new type of
> intrusion -- a very, very long URL request -- that finally receives an error
> 414. I don't know the purpose of this one, but doesn't appear
> well-intended. It comes late at night and from different IPs. One request
> even used one of my own IPs. So, the firewall won't help -- nor server deny.
>
> My question is what syntax can I add, if any, to my httpd.conf to redirect
> such requests..??
>
> Here's a very small (about 1-5%) snippet of the nasty URL:
>
> 65.35.186.74 - - [26/Mar/2004:19:01:04 -0600] "SEARCH
> /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
> 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
> 2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
> 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
> 2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
> 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
> 2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 and
> on and on

Are only SEARCH requests affected, or GET as well?

> Any suggestions on a way to stop these much appreciated.
>
> Best regards,
> Jack L. Stone,
> Administrator
>
> Sage American
> http://www.sage-american.com
> [EMAIL PROTECTED]

--
Cordula's Web. http://www.cordula.ws/

Very long URL with malice intended
Am running FBSD-4.8 with Apache/1.3.26

I posted this question first on the Apache.org list, but no reply. Thought
I would try here even though slightly offtopic.

Within the past couple of weeks, the Apache logs have shown a new type of
intrusion -- a very, very long URL request -- that finally receives an error
414. I don't know the purpose of this one, but doesn't appear
well-intended. It comes late at night and from different IPs. One request
even used one of my own IPs. So, the firewall won't help -- nor server deny.

My question is what syntax can I add, if any, to my httpd.conf to redirect
such requests..??

Here's a very small (about 1-5%) snippet of the nasty URL:

65.35.186.74 - - [26/Mar/2004:19:01:04 -0600] "SEARCH
/\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 and
on and on

Any suggestions on a way to stop these much appreciated.

Best regards,
Jack L. Stone,
Administrator

Sage American
http://www.sage-american.com
[EMAIL PROTECTED]
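
The requests described in this thread (method SEARCH, a target made almost entirely of \xNN escapes, answered with 414) can be counted per source address straight from the access log. This is an added example, not part of any message in the thread; it assumes Common Log Format, and the function names, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(.*)" (\d{3}) \S+$')
# Apache writes non-printable request bytes to the log as \xNN escapes
ESCAPE = re.compile(r'\\x[0-9a-fA-F]{2}')

def classify(line, min_escapes=16, min_ratio=0.8):
    """Return (host, method, status) for a binary-padded request, else None.

    min_escapes and min_ratio are assumed thresholds, not values from the thread.
    """
    m = CLF.match(line.strip())
    if not m:
        return None
    host, request, status = m.groups()
    method, _, rest = request.partition(" ")
    # Drop a trailing protocol token; over-long requests often lack one.
    target = rest.rsplit(" HTTP/", 1)[0]
    escapes = ESCAPE.findall(target)
    # Require many escapes AND that they make up most of the target, so an
    # ordinary URL containing a few non-ASCII bytes is not flagged.
    if len(escapes) < min_escapes or 4 * len(escapes) < min_ratio * len(target):
        return None
    return host, method, int(status)

def summarize(lines):
    """Count flagged requests per (host, method, status)."""
    return Counter(hit for hit in map(classify, lines) if hit)

# Constructed sample lines: documentation addresses, shortened padding.
PAD = "/" + "\\x90" + "\\x02\\xb1" * 40
SAMPLE = [
    '192.0.2.10 - - [26/Mar/2004:19:01:04 -0600] "SEARCH %s" 414 340' % PAD,
    '192.0.2.10 - - [26/Mar/2004:23:40:12 -0600] "SEARCH %s" 414 340' % PAD,
    '198.51.100.7 - - [27/Mar/2004:02:15:45 -0600] "SEARCH %s" 414 340' % PAD,
    '203.0.113.5 - - [27/Mar/2004:09:00:01 -0600] "GET /index.html HTTP/1.0" 200 5120',
    '203.0.113.5 - - [27/Mar/2004:09:00:02 -0600] "GET /caf\\xc3\\xa9.html HTTP/1.0" 404 210',
]

if __name__ == "__main__":
    for (host, method, status), n in summarize(SAMPLE).most_common():
        print(f"{host}  {method}  {status}  x{n}")
```

A flagged request with a status other than 4xx or 5xx is the case worth a closer look, since it means the server accepted the request rather than rejecting it.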