Posted to users@httpd.apache.org by Andrew Hamm <ah...@civica.com.au> on 2004/07/16 04:11:52 UTC

[users@httpd] IIS SEARCH exploit filling my apache2 logs

Hi folks,

I've just installed Apache 2.0.50 into RedHat Linux - a default build and
install from source. I'm new to this but keeping an eye on what's
happening to the server from the big bad outside world.

My access_log is sporadically getting SEARCH commands with approx 32k of
binary rubbish (represented in \0xXX) in the packet. A search of the user
group archives has revealed this recent thread:

>On Sun, 11 Apr 2004, Aaron Axelsen wrote:
>
>> Below is a chunk of my access log file, is this some type of virus
>> going around?
>>
>> 67.115.86.236 - - [11/Apr/2004:01:50:07 -0500] "SEARCH
>> /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1
>
>Yes.  It is a virus exploiting a flaw in MS-IIS's DAV implementation.  It
>is not a threat to apache.
>
>Joshua.

OK - so at least it's safe, but it's also filling the logs.

I'm still trying to find out what a SEARCH is vs. a GET or POST - can I
get a quick answer because there is so much doco to wade through and so
far I haven't stumbled on an explanation.

The real question is - can I block or at least filter out these SEARCH
requests from the log? Once again, so much doco to get through before I
can start to understand...

TIA for any quick and/or detailed answers.
-- 
Having fun is half the fun - Guru Adrian.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] IIS SEARCH exploit filling my apache2 logs

Posted by Joshua Slive <js...@gmail.com>.
On Fri, 16 Jul 2004 12:11:52 +1000, Andrew Hamm <ah...@civica.com.au> wrote:

> I'm still trying to find out what a SEARCH is vs. a GET or POST - can I
> get a quick answer because there is so much doco to wade through and so
> far I haven't stumbled on an explanation.

SEARCH is a webdav method that provides for ... searching documents
from the server side.  I don't think it is widely used in the real
world.

> 
> The real question is - can I block or at least filter out these SEARCH
> requests from the log? Once again, so much doco to get through before I
> can start to understand...

You can block SEARCH requests from the logs in various ways, but it
won't help in this situation.  That is because apache rejects these
requests at a very early stage of processing because they exceed the
LimitRequestLine restriction.  To avoid problems with malformed
requests, these requests do not run through most of the normal request
processing stages, including the stage that allows for log-exclusions.
Therefore, you can't block these from the logs.

But see the other emails in this thread for ideas on how to deal with
these requests.

Joshua.



Re: [users@httpd] IIS SEARCH exploit filling my apache2 logs

Posted by Dwight Tovey <dw...@dtovey.net>.
Joshua Slive said:
> On Thu, 15 Jul 2004 20:45:59 -0600 (MDT), Dwight Tovey
> <dw...@dtovey.net> wrote:
>>
>> Andrew Hamm said:
>
>> > The real question is - can I block or at least filter out these SEARCH
>> > requests from the log? Once again, so much doco to get through before I
>> > can start to understand...
>> >
>>
>> I really should add comments to the changes that I make to my config
>> files.  I ran into the same problem some time back.  I don't remember the
>> details about why, but I have the following line in my config file:
>>
>> LogFormat "%h %l %u %t \"%!414r\" %>s %b \"%{Referer}i\"
>> \"%{User-Agent}i\"" combined
>>
>> If I remember correctly, this still logs the hit, but if it caused a '414'
>> error (request too long?), then the body of request is not logged.  Kind
>> of a vague description, but it works for me.  Hopefully it will give you
>> something to look for so that you can narrow your search in the docs.
>
> Cute idea.  I'd never thought of that, but it should work (although it
> will hide some information that may be useful in debugging).
>

I remember being a little concerned about losing info when I added that
line, but it hasn't seemed to be a real problem for me in the ~6 months
since I turned it on.  I guess since in this case there isn't really any
use in trying to debug it (the problem is caused by a virus on somebody
else's machine - not much I can do about that), I'm not interested in that
info.

> The things I usually recommend:
>
> 1. Post-process your logs to get rid of entries you don't want.
>
> 2. If your system is really incapable of handling log lines that long,
> you should set LimitRequestLine to a lower value in httpd.conf.
>

I do post-processing, but I also keep a 'screen' session going with 'tail
-f' of the httpd log file so that I can monitor the log in semi-real-time
to make it easy to see if problems arise (I have been able to catch a few
minor problems by doing that).  The obscenely long log lines were blowing
all other log info off the screen.  There may be a better way to do all of
this, but so far it has worked for me and my simple needs.

    /dwight
-- 
Dwight N. Tovey
email: dwight@dtovey.net
web: http://www.dtovey.net/~dwight
-----------
Maturity is only a short break in adolescence.




Re: [users@httpd] IIS SEARCH exploit filling my apache2 logs

Posted by Joshua Slive <js...@gmail.com>.
On Thu, 15 Jul 2004 20:45:59 -0600 (MDT), Dwight Tovey
<dw...@dtovey.net> wrote:
> 
> Andrew Hamm said:

> > The real question is - can I block or at least filter out these SEARCH
> > requests from the log? Once again, so much doco to get through before I
> > can start to understand...
> >
> 
> I really should add comments to the changes that I make to my config
> files.  I ran into the same problem some time back.  I don't remember the
> details about why, but I have the following line in my config file:
> 
> LogFormat "%h %l %u %t \"%!414r\" %>s %b \"%{Referer}i\"
> \"%{User-Agent}i\"" combined
> 
> If I remember correctly, this still logs the hit, but if it caused a '414'
> error (request too long?), then the body of request is not logged.  Kind
> of a vague description, but it works for me.  Hopefully it will give you
> something to look for so that you can narrow your search in the docs.

Cute idea.  I'd never thought of that, but it should work (although it
will hide some information that may be useful in debugging).

The things I usually recommend:

1. Post-process your logs to get rid of entries you don't want.

2. If your system is really incapable of handling log lines that long,
you should set LimitRequestLine to a lower value in httpd.conf.

Joshua.



Re: [users@httpd] IIS SEARCH exploit filling my apache2 logs

Posted by Dwight Tovey <dw...@dtovey.net>.
Andrew Hamm said:

...
> My access_log is sporadically getting SEARCH commands with approx 32k of
> binary rubbish (represented in \0xXX) in the packet.

...

>
> The real question is - can I block or at least filter out these SEARCH
> requests from the log? Once again, so much doco to get through before I
> can start to understand...
>

I really should add comments to the changes that I make to my config
files.  I ran into the same problem some time back.  I don't remember the
details about why, but I have the following line in my config file:

LogFormat "%h %l %u %t \"%!414r\" %>s %b \"%{Referer}i\"
\"%{User-Agent}i\"" combined

If I remember correctly, this still logs the hit, but if it caused a '414'
error (request too long?), then the body of request is not logged.  Kind
of a vague description, but it works for me.  Hopefully it will give you
something to look for so that you can narrow your search in the docs.

    /dwight

-- 
Dwight N. Tovey
email: dwight@dtovey.net
web: http://www.dtovey.net/~dwight
-----------
Always try to be modest and be proud of it!
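As an added illustration (not code from anyone in this thread), here is a small Python post-processor that does on the log file what Dwight's `%!414r` LogFormat does at log time and what Joshua's first recommendation asks for: it can blank the request field of any 414 entry, or drop SEARCH entries that ended in 414 while tallying them per client address. The sample access_log lines are constructed, and the regex assumes the stock "combined" format.

```python
import re
from collections import Counter

# Regex for Apache's "combined" LogFormat (the one Dwight's line redefines):
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# Quoted fields may contain \xHH escapes, which is how httpd logs binary junk.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Constructed sample access_log lines (not taken from the thread); the SEARCH
# entries mimic the IIS WebDAV worm traffic that httpd answers with 414.
SAMPLE_LOG = [
    r'67.115.86.236 - - [11/Apr/2004:01:50:07 -0500] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1 HTTP/1.1" 414 364 "-" "-"',
    r'10.0.0.5 - - [16/Jul/2004:12:11:52 +1000] "GET /index.html HTTP/1.1" 200 1533 "-" "Mozilla/5.0"',
    r'67.115.86.236 - - [11/Apr/2004:01:52:19 -0500] "SEARCH /\x90\x02\xb1\x02\xb1 HTTP/1.1" 414 364 "-" "-"',
    r'10.0.0.9 - - [16/Jul/2004:12:13:01 +1000] "POST /cgi-bin/form HTTP/1.0" 302 - "http://example.test/" "curl/7.12"',
    "this line is not in combined format and must pass through untouched",
]


def scrub_line(line, statuses=("414",)):
    """Emulate %!414r after the fact: keep the hit, but replace the request
    field with "-" when the status is in `statuses`. Returns (line, scrubbed?)."""
    line = line.rstrip("\n")
    m = COMBINED_RE.match(line)
    if m is None or m.group("status") not in statuses:
        return line, False
    start, end = m.span("request")
    return line[:start] + "-" + line[end:], True


def filter_log(lines, drop_methods=("SEARCH",), statuses=("414",)):
    """Post-process the log: drop entries whose method is in `drop_methods`
    AND whose status is in `statuses`, tallying dropped hits per client.
    Lines that do not parse are never discarded."""
    kept, dropped_by_host = [], Counter()
    for raw in lines:
        line = raw.rstrip("\n")
        m = COMBINED_RE.match(line)
        if m is not None:
            method = m.group("request").split(" ", 1)[0]
            if method in drop_methods and m.group("status") in statuses:
                dropped_by_host[m.group("host")] += 1
                continue
        kept.append(line)
    return kept, dropped_by_host
```

Run `filter_log` over real lines with `open("access_log")`; the per-host tally is the part worth keeping, since it shows which sources are still sending the worm traffic even after the noise is out of the log.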

