[70890] in North American Network Operators' Group
RE: What HTTP exploit?
daemon@ATHENA.MIT.EDU (Todd Mitchell - lists)
Sun May 30 17:00:26 2004
From: "Todd Mitchell - lists" <lists@ciphin.com>
To: "'John Palmer (NANOG Acct)'" <nanog@adns.net>, <nanog@merit.edu>
Date: Sun, 30 May 2004 16:59:48 -0400
In-Reply-To: <013b01c44686$d6ab77a0$8001010a@ADNSMICHIGAN.ADNS.NET>
Errors-To: owner-nanog-outgoing@merit.edu
| Behalf Of John Palmer (NANOG Acct)
| Sent: May 30, 2004 4:44 PM
|
| Can anyone identify this http exploit? Seen in the apache logs:
|
| foo.bar.com
| - - [30/May/2004:02:45:28 -0400] "SEARCH
| /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\
| x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
| 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
| 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\
| xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\
| xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1
|
| etc - and it goes on for about 1200 bytes.

This is an older IIS WebDAV exploit. More info at
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx

You can mod_rewrite these attempts to /dev/null

    RedirectMatch permanent (.*)\/x90\/(.*)$ /dev/null

Todd
--
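
Added example, not part of the original post or of either poster's setup: a log check that flags requests shaped like the one quoted above, i.e. a SEARCH request whose URI is long and consists mostly of bytes that Apache logged as \xHH escapes. The function name, the thresholds and the sample log lines (including client addresses and status codes) are constructed for illustration.

```python
import re

# Request field of an Apache access-log line: "METHOD URI [PROTOCOL]"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>[^" ]+)')
STATUS_RE = re.compile(r'" (\d{3})\b')
# Apache writes non-printable request bytes as \xHH in the access log
ESCAPED_BYTE_RE = re.compile(r'\\x[0-9a-fA-F]{2}')

# SEARCH is the method seen in the post; extend the set for your own triage.
METHODS = {"SEARCH"}

def find_webdav_probes(lines, min_bytes=256, min_binary_ratio=0.5):
    """Return one dict per line that looks like the oversized binary SEARCH
    request. Thresholds are assumptions; tune them against your own logs."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m or m.group("method") not in METHODS:
            continue
        uri = m.group("uri")
        escaped = len(ESCAPED_BYTE_RE.findall(uri))
        # Each \xHH escape is one byte on the wire, so collapse it to one char
        uri_bytes = len(ESCAPED_BYTE_RE.sub("?", uri))
        if uri_bytes < min_bytes or escaped / uri_bytes < min_binary_ratio:
            continue
        status = STATUS_RE.search(line, m.end())
        hits.append({
            "line": lineno,
            "client": line.split()[0],
            "method": m.group("method"),
            "uri_bytes": uri_bytes,
            "status": status.group(1) if status else None,
        })
    return hits

# Constructed sample log lines (documentation addresses, made-up status codes)
SAMPLE_LOG = [
    '192.0.2.10 - - [30/May/2004:02:45:28 -0400] "SEARCH /\\x90'
    + '\\x02\\xb1' * 600 + '" 414 340',
    '192.0.2.11 - - [30/May/2004:02:46:01 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.12 - - [30/May/2004:02:47:13 -0400] "SEARCH /docs HTTP/1.1" 501 215',
]

if __name__ == "__main__":
    for hit in find_webdav_probes(SAMPLE_LOG):
        print(hit)
```

The reported status code shows how the server answered each flagged request, which is the first thing to check when deciding whether a hit was only a probe against a non-IIS host.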