Re: Very long URL with malice intended
On Sat, 27 Mar 2004 15:50:53 -0600, Jack L. Stone wrote:
> At 08:28 PM 3.27.2004 +0100, Cordula's Web wrote:
>>> Within the past couple of weeks, the Apache logs have shown a new type of
>>> intrusion -- a very, very long URL request...
>>> My question is what syntax can I add, if any, to my httpd.conf to redirect
>>> such requests..??
>>> 65.35.186.74 - - [26/Mar/2004:19:01:04 -0600] SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\...
>>
>> Are only SEARCH requests affected, or GET as well?

Hey all. A question from a heretofore unrevealed skulker :^.
Was this question ever answered off-list?
My own box is getting hit quite often with these.
I'm concerned that they might be causing harm.
thks

> The ones I've seen have all been SEARCH

Me too.
thks

--
GROG!    MMM    Reality is that which, when you stop believing
thks    (o o)   in it, doesn't go away. -- Philip K. Dick
--ooO-(_)-Ooo--
RE: Very long URL with malice intended
> On Sat, 27 Mar 2004 15:50:53 -0600, Jack L. Stone wrote:
>> At 08:28 PM 3.27.2004 +0100, Cordula's Web wrote:
>>>> Within the past couple of weeks, the Apache logs have shown a new type of
>>>> intrusion -- a very, very long URL request...
>>>> My question is what syntax can I add, if any, to my httpd.conf to redirect
>>>> such requests..??
>>>> 65.35.186.74 - - [26/Mar/2004:19:01:04 -0600] SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\...
>>>
>>> Are only SEARCH requests affected, or GET as well?
>
> Hey all. A question from a heretofore unrevealed skulker :^.
> Was this question ever answered off-list?
> My own box is getting hit quite often with these.
> I'm concerned that they might be causing harm.
> thks

Don't be concerned, those are probably worms looking for IIS holes or the like. Since you're running Apache you're not vulnerable.
RE: Very long URL with malice intended
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:owner-freebsd-[EMAIL PROTECTED]] On Behalf Of GROG! (Jeff Howie)
Sent: Wednesday, March 31, 2004 10:09 AM
To: [EMAIL PROTECTED]
Subject: Re: Very long URL with malice intended

> On Sat, 27 Mar 2004 15:50:53 -0600, Jack L. Stone wrote:
>> At 08:28 PM 3.27.2004 +0100, Cordula's Web wrote:
>>>> Within the past couple of weeks, the Apache logs have shown a new type of
>>>> intrusion -- a very, very long URL request...
>>>> My question is what syntax can I add, if any, to my httpd.conf to redirect
>>>> such requests..??
>>>> 65.35.186.74 - - [26/Mar/2004:19:01:04 -0600] SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\...
>>>
>>> Are only SEARCH requests affected, or GET as well?
>
> Hey all. A question from a heretofore unrevealed skulker :^.
> Was this question ever answered off-list?
> My own box is getting hit quite often with these.
> I'm concerned that they might be causing harm.
> thks
>
>> The ones I've seen have all been SEARCH
>
> Me too.
> thks
>
> --
> GROG!    MMM    Reality is that which, when you stop believing
> thks    (o o)   in it, doesn't go away. -- Philip K. Dick
> --ooO-(_)-Ooo--

It is an IIS WebDAV exploit from April 2003 (?), Apache is not affected, it's just annoying :)
(nachi and agobot use this exploit)
Re: Very long URL with malice intended
On Wed, Mar 31, 2004 at 06:32:53PM +0300, Toni Heinonen wrote:
>> On Sat, 27 Mar 2004 15:50:53 -0600, Jack L. Stone wrote:
>>> At 08:28 PM 3.27.2004 +0100, Cordula's Web wrote:
>>>>> Within the past couple of weeks, the Apache logs have shown a new type of
>>>>> intrusion -- a very, very long URL request...
>>>>> My question is what syntax can I add, if any, to my httpd.conf to redirect
>>>>> such requests..??
>>>>> 65.35.186.74 - - [26/Mar/2004:19:01:04 -0600] SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\...
>>>>
>>>> Are only SEARCH requests affected, or GET as well?
>>
>> Hey all. A question from a heretofore unrevealed skulker :^.
>> Was this question ever answered off-list?
>> My own box is getting hit quite often with these.
>> I'm concerned that they might be causing harm.
>> thks
>
> Don't be concerned, those are probably worms looking for IIS holes or the
> like. Since you're running Apache you're not vulnerable.

ah. That's what I wanted to hear, annoying but harmless.
Thanks to both you and Nick for your speedy responses.

seeyah

--
GROG!    __^__    Our vision is to speed up time, eventually
thks    /(o o)\   eliminating it. -- Alex Schure
--oOO==(_)==OOo--
Re: Very long URL with malice intended
> Within the past couple of weeks, the Apache logs have shown a new type of
> intrusion -- a very, very long URL request -- that finally receives an error
> 414. I don't know the purpose of this one, but doesn't appear well-intended.
> It comes late at night and from different IPs. One request even used one of
> my own IPs. So, the firewall won't help -- nor server deny.
>
> My question is what syntax can I add, if any, to my httpd.conf to redirect
> such requests..??
>
> Here's a very small (about 1-5%) snippet of the nasty URL:
> 65.35.186.74 - - [26/Mar/2004:19:01:04 -0600] SEARCH
> /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
> 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
> 2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
> 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
> 2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
> 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
> 2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
> and on and on

Are only SEARCH requests affected, or GET as well?

> Any suggestions on a way to stop these much appreciated.
>
> Best regards,
> Jack L. Stone,
> Administrator
>
> Sage American
> http://www.sage-american.com
> [EMAIL PROTECTED]

--
Cordula's Web. http://www.cordula.ws/
Re: Very long URL with malice intended
At 08:28 PM 3.27.2004 +0100, Cordula's Web wrote:
>> Within the past couple of weeks, the Apache logs have shown a new type of
>> intrusion -- a very, very long URL request -- that finally receives an error
>> 414. I don't know the purpose of this one, but doesn't appear well-intended.
>> It comes late at night and from different IPs. One request even used one of
>> my own IPs. So, the firewall won't help -- nor server deny.
>>
>> My question is what syntax can I add, if any, to my httpd.conf to redirect
>> such requests..??
>>
>> Here's a very small (about 1-5%) snippet of the nasty URL:
>> 65.35.186.74 - - [26/Mar/2004:19:01:04 -0600] SEARCH
>> /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
>> 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
>> 2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
>> 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
>> 2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
>> 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
>> 2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
>> and on and on
>
> Are only SEARCH requests affected, or GET as well?

The ones I've seen have all been SEARCH

Best regards,
Jack L. Stone,
Administrator

Sage American
http://www.sage-american.com
[EMAIL PROTECTED]
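
A log triage sketch for the requests discussed in this thread, added here as an example and not written by any poster: it flags access-log lines with an unexpected method such as SEARCH, a 414 status, an over-long URI, or many `\xhh`-escaped bytes, and counts them per source host. The Common Log Format layout, the thresholds, the allowed-method set and the sample lines (documentation IPs, shortened filler) are assumptions.

```python
import re
from collections import Counter

# Apache Common Log Format: host ident user [time] "request line" status bytes
CLF = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
                 r'"(?P<request>.*)" (?P<status>\d{3}) \S+$')
ESCAPED = re.compile(r'\\x[0-9a-fA-F]{2}')   # unprintable bytes logged as \xhh
EXPECTED_METHODS = {"GET", "HEAD", "POST"}    # assumption: a plain web site

# Constructed sample lines; FILLER repeats the pattern from the post, shortened.
FILLER = "\\x90" + "\\x02\\xb1" * 400
SAMPLE = [
    '192.0.2.10 - - [26/Mar/2004:19:01:04 -0600] "SEARCH /' + FILLER + '" 414 334',
    '192.0.2.10 - - [26/Mar/2004:19:03:10 -0600] "SEARCH /' + FILLER + '" 414 334',
    '198.51.100.7 - - [26/Mar/2004:19:02:11 -0600] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.5 - - [26/Mar/2004:19:04:00 -0600] "OPTIONS / HTTP/1.1" 200 0',
]

def inspect(line, max_uri=2048, max_escaped=16):
    """Return (host, reasons) for a suspicious line, or None if it looks normal."""
    m = CLF.match(line.rstrip("\n"))
    if m is None:
        return None                      # not a CLF access-log line
    method, _, rest = m["request"].partition(" ")
    # An over-long request line may be logged without its HTTP/x.y token.
    uri = rest.rsplit(" ", 1)[0] if " HTTP/" in rest else rest
    reasons = []
    if method not in EXPECTED_METHODS:
        reasons.append("method:" + method)
    if m["status"] == "414":
        reasons.append("status:414")
    if len(uri) > max_uri:
        reasons.append("long-uri")
    if len(ESCAPED.findall(uri)) > max_escaped:
        reasons.append("escaped-bytes")
    return (m["host"], reasons) if reasons else None

def summarize(lines):
    """Count suspicious requests per source host and collect the reasons seen."""
    hits, why = Counter(), {}
    for line in lines:
        found = inspect(line)
        if found:
            hits[found[0]] += 1
            why.setdefault(found[0], set()).update(found[1])
    return hits, why

if __name__ == "__main__":
    for host, n in summarize(SAMPLE)[0].most_common():
        print(host, n)
```

Because the original poster saw these requests arrive from many different addresses, the per-host count is more useful for gauging volume than as a block list.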