What HTTP exploit?

• Previous message (by thread): What HTTP exploit?
• Next message (by thread): What HTTP exploit?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

| Behalf Of John Palmer (NANOG Acct)
| Sent: May 30, 2004 4:44 PM
| 
| Can anyone identify this http exploit? Seen in the apache logs:
| 
| foo.bar.com
|  - - [30/May/2004:02:45:28 -0400] "SEARCH 
| /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\
| x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
| 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
| 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\
| xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\
| xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1
| 
| etc - and it goes on for about 1200 bytes.

This is an older IIS WebDAV exploit.  More info at
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx

You can mod_rewrite these attempts to /dev/null

RedirectMatch permanent (.*)\/x90\/(.*)$ /dev/null

Todd

--

• Previous message (by thread): What HTTP exploit?
• Next message (by thread): What HTTP exploit?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]