Posted to users@httpd.apache.org by Rafael Faura <rf...@bassy.net> on 2004/07/19 12:45:03 UTC
[users@httpd] IIS WebDAV exploit ... filling apache logs with HUGE request lines.
I recently discovered on one of my Apache 2.0.50 servers (on a Win32 box) a
strange request that, after a few Google searches, seems to be an IIS WebDAV
exploit.
This exploit starts with the line "SEARCH /\x90\x02\xb1 ..." and continues
with *hundreds* of x90, x02, xb1 characters. According to
http://forums.macosxhints.com/showthread.php?s=&threadid=22371 there's a
possible workaround that covers other IIS exploits:
<IfModule mod_rewrite.c>
RedirectMatch permanent (.*)cmd.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)root.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/scripts\/\.\.(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_mem_bin\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/msadc\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/MSADC\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/c\/winnt\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/d\/winnt\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/x90\/(.*)$ http://www.microsoft.com
</IfModule>
But with the above example it seems that the SEARCH lines are still logged to
the access_log file.
Is there any other advice, or are there other ways, to keep our Apache logs
from getting filled with IIS exploit trash like this?
Thanks.
----------------------------
Rafael Faura Cucalón
rfaura@bassy.net
Consultor - IT Consultant
Bassy Servicios Informaticos
www.bassy.net
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: [users@httpd] IIS WebDAV exploit ... filling apache logs with HUGE request lines.
Posted by Rafael Faura <rf...@bassy.net>.
> First off, remove the IfModule and make sure mod_rewrite is loaded.
>
> Second, this will only avoid the error logging.
>
> Third, this exact issue came up a few days ago, and Dwight
> had a nice trick.
> See this thread:
> http://marc.theaimsgroup.com/?t=108994404400002&r=1&w=2
>
Thanks, Robert :)
Re: [users@httpd] IIS WebDAV exploit ... filling apache logs with HUGE request lines.
Posted by Robert Andersson <ro...@profundis.nu>.
Rafael Faura wrote:
> <IfModule mod_rewrite.c>
> RedirectMatch permanent (.*)cmd.exe(.*)$ http://www.microsoft.com
> ...etc...
> </IfModule>
First off, remove the IfModule and make sure mod_rewrite is loaded.
Second, this will only avoid the error logging.
Third, this exact issue came up a few days ago, and Dwight had a nice trick.
See this thread:
http://marc.theaimsgroup.com/?t=108994404400002&r=1&w=2
Regards,
Robert Andersson
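
One way to keep such requests out of access_log is conditional logging with mod_setenvif and mod_log_config. This is an added example, not a configuration posted in this thread and not necessarily the trick referred to above. The variable name iis_probe, the format nickname probe and the log file names are assumptions, and "common" is assumed to be the LogFormat nickname already defined in httpd.conf.

```apache
# Added example (not from the thread). Needs mod_setenvif and mod_log_config.
# "iis_probe" is a hypothetical environment variable name.

# Mark every request that uses the WebDAV SEARCH method.
SetEnvIf Request_Method "^SEARCH$" iis_probe

# Mark the IIS-specific paths listed in the RedirectMatch rules above.
SetEnvIfNoCase Request_URI "(cmd|root)\.exe" iis_probe
SetEnvIfNoCase Request_URI "/(_vti_bin|_mem_bin|msadc)/" iis_probe
SetEnvIfNoCase Request_URI "/[cd]/winnt/" iis_probe

# Main access log: everything except the marked requests.
# This replaces the existing CustomLog line for access_log; it is not an extra one.
CustomLog logs/access_log common env=!iis_probe

# Compact record of the probes: client, time, method and final status only.
# The request line (%r) is left out, so the long \x90... string is never written.
LogFormat "%h %t %m %>s" probe
CustomLog logs/iis_probe_log probe env=iis_probe
```

Keeping the second log preserves the source address and timestamp of each probe without storing the oversized request line. A request whose line exceeds LimitRequestLine is rejected before SetEnvIf is evaluated, so it will still appear in access_log.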