nanog mailing list archives
Re: What HTTP exploit?
From: Richard Welty <rwelty () averillpark net>
Date: Sun, 30 May 2004 19:57:54 -0400 (EDT)
On Sun, 30 May 2004 15:43:58 -0500 "John Palmer (NANOG Acct)" <nanog () adns net> wrote:
Can anyone identify this http exploit? Seen in the apache logs:
foo.bar.com - - [30/May/2004:02:45:28 -0400] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\ x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\ xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1
etc - and it goes on for about 1200 bytes.
Been getting an annoying number of these in my httpd logs today - it botches up my log analyser program.
i just installed the following in my apache configs to get rid of it:

# control logging
SetEnvIf Request_URI "^/default.ida?" dontlog
SetEnvIf Request_Method "SEARCH" dontlog

and then later on...

CustomLog /var/log/httpd/access_log combined env=!dontlog

between the two of them, they were consuming an absurd amount of space in my /var/log partitions.

richard
--
Richard Welty rwelty () averillpark net
Averill Park Networking 518-573-7592
Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
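
Dropping these requests with `env=!dontlog` also drops the record of which hosts sent them. As an added example (not part of the message above), this offline filter applies the same two conditions to an existing access_log, keeps the clean lines for a log analyser, and tallies the filtered requests per source. The function names and sample lines are constructed for illustration, and the comparison is literal rather than the regex match SetEnvIf performs.

```python
import re
from collections import Counter

# Apache common/combined prefix: host ident user [time] "request" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*?)" (\d{3}) (\S+)')

def is_noise(request):
    """Mirror the two SetEnvIf rules: SEARCH method or a /default.ida URI."""
    method, _, rest = request.partition(" ")
    uri = rest.split(" ", 1)[0]
    return method == "SEARCH" or uri.startswith("/default.ida")

def split_log(lines):
    """Return (lines to keep, per-source count of filtered requests, unparsable count)."""
    kept, noise, unparsable = [], Counter(), 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            # Truncated or malformed entries are counted, never silently dropped.
            unparsable += 1
            continue
        host, request = m.group(1), m.group(3)
        if is_noise(request):
            noise[host] += 1
        else:
            kept.append(line)
    return kept, noise, unparsable

# Constructed sample lines (documentation address ranges, shortened payloads).
SAMPLE = [
    r'198.51.100.7 - - [30/May/2004:02:45:28 -0400] "SEARCH /\x90\x02\xb1\x02\xb1" 414 271',
    r'198.51.100.7 - - [30/May/2004:02:47:10 -0400] "SEARCH /\x90\x02\xb1" 414 271',
    r'203.0.113.9 - - [30/May/2004:03:01:02 -0400] "GET /default.ida?XXXX HTTP/1.0" 404 205',
    r'192.0.2.44 - - [30/May/2004:03:05:00 -0400] "GET /index.html HTTP/1.1" 200 1043',
    'line cut short by a full /var/log partition',
]

if __name__ == "__main__":
    kept, noise, unparsable = split_log(SAMPLE)
    print(f"kept {len(kept)} lines, {unparsable} unparsable")
    for host, count in noise.most_common():
        print(f"{count:6d} filtered requests from {host}")
```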