What HTTP exploit?

Richard Welty rwelty at averillpark.net
Sun May 30 23:57:54 UTC 2004

On Sun, 30 May 2004 15:43:58 -0500 "John Palmer (NANOG Acct)" <nanog at adns.net> wrote:

> Can anyone identify this http exploit? Seen in the apache logs:

> foo.bar.com
>  - - [30/May/2004:02:45:28 -0400] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\
> x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
> 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\
> xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1

> etc - and it goes on for about 1200 bytes.

> Been getting an annoying number of these in my httpd logs today - it botches up my log analyser program.

I just installed the following in my Apache configs to get rid of it:

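# control logging: tag requests that should be kept out of the access log
# (Request_URI carries no query string, so match the path only)
SetEnvIf Request_URI "^/default\.ida" dontlog
SetEnvIf Request_Method "^SEARCH$" dontlog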

and then later on...

CustomLog /var/log/httpd/access_log combined env=!dontlog

between the two of them, they were consuming an absurd amount
of space in my /var/log partitions.

Richard Welty                                         rwelty at averillpark.net
Averill Park Networking                                         518-573-7592
    Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
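
An alternative to dropping these requests at logging time, as an added example that is not part of the original post: a Python pre-filter that mirrors the two SetEnvIf rules above but splits the log after the fact, so the analyser gets clean input while the probe lines and their sources are kept. The function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# host ident user [time] "request" status size; the request may contain \" and \xhh
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+')
ESC_RE = re.compile(r'\\x[0-9a-fA-F]{2}')


def raw_length(logged_uri):
    """Length in bytes of the URI as sent, undoing Apache's \\xhh log escaping."""
    return len(ESC_RE.sub('.', logged_uri))


def classify(line):
    """Return (kind, host, raw URI length); kind mirrors the two SetEnvIf rules."""
    m = LINE_RE.match(line)
    if not m:
        return ('unparsed', None, 0)
    method, _, rest = m.group('req').partition(' ')
    uri = rest.rsplit(' HTTP/', 1)[0]          # drop the protocol token if present
    if method == 'SEARCH':
        kind = 'search'
    elif uri.startswith('/default.ida'):
        kind = 'default.ida'
    else:
        kind = 'normal'
    return (kind, m.group('host'), raw_length(uri))


def split_log(lines):
    """Separate analyser input from probe noise, keeping a per-source tally."""
    clean, noise, tally = [], [], Counter()
    for line in lines:
        kind, host, _ = classify(line)
        if kind in ('search', 'default.ida'):
            noise.append(line)
            tally[(host, kind)] += 1
        else:
            clean.append(line)                 # unparsed lines stay visible
    return clean, noise, tally


# Constructed sample lines (documentation addresses, arbitrary status codes).
SAMPLE = [
    '192.0.2.10 - - [30/May/2004:02:45:28 -0400] "SEARCH /\\x90' + '\\x02\\xb1' * 600 + '" 414 340',
    '198.51.100.7 - - [30/May/2004:02:46:01 -0400] "GET /default.ida?constructed=1 HTTP/1.0" 404 290',
    '203.0.113.5 - - [30/May/2004:02:47:12 -0400] "GET /index.html HTTP/1.1" 200 5120',
]
```

Writing the noise lines to their own file keeps the evidence while the analyser reads only the clean list.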
