North American Network Operators Group
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Historical
RE: What HTTP exploit?
- From: Todd Mitchell - lists
- Date: Sun May 30 17:02:15 2004
| Behalf Of John Palmer (NANOG Acct)
| Sent: May 30, 2004 4:44 PM
|
| Can anyone identify this http exploit? Seen in the apache logs:
|
| foo.bar.com
| - - [30/May/2004:02:45:28 -0400] "SEARCH
| /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\
| x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
| 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
| 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\
| xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\
| xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1
|
| etc - and it goes on for about 1200 bytes.
This is an older IIS WebDAV exploit. More info at
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx
You can mod_rewrite these attempts to /dev/null
RedirectMatch permanent (.*)\/x90\/(.*)$ /dev/null
Todd
--
|
