What HTTP exploit?

Can anyone identify this http exploit? Seen in the apache logs:

foo.bar.com - - [30/May/2004:02:45:28 -0400] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1

etc - and it goes on for about 1200 bytes.

Been getting an annoying number of these in my httpd logs today - it botches up my log analyser program.

Behalf Of John Palmer (NANOG Acct)
Sent: May 30, 2004 4:44 PM

This is an older IIS WebDAV exploit. More info at
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx

You can mod_rewrite these attempts to /dev/null

# match a request path that opens with the raw 0x90 byte (PCRE \x escape);
# the original pattern "\/x90\/" looked for the literal text "/x90/", which never occurs
RedirectMatch permanent "^/\x90" /dev/null

Todd

It seems to be another stupid Microsoft exploit that just causes annoyance
for Unix boxes. The ones on my boxes seem to be about 32K in size and have
been occurring for the past 2 months or more. The only side effect is they
fill my dmesg logs with signal 11's from apache crashing.

pid 74210 (httpd), uid 80: exited on signal 11
pid 19971 (httpd), uid 80: exited on signal 11
pid 19969 (httpd), uid 80: exited on signal 11
pid 19970 (httpd), uid 80: exited on signal 11

Etc.

-- Matthew

I just installed the following in my apache configs to get rid of it:

# control logging: tag Code Red style /default.ida requests and every SEARCH request
# (the dot is escaped so it matches only the literal "/default.ida")
SetEnvIf Request_URI "^/default\.ida" dontlog
SetEnvIf Request_Method "SEARCH" dontlog

and then later on...

CustomLog /var/log/httpd/access_log combined env=!dontlog

Between the two of them, they were consuming an absurd amount
of space in my /var/log partitions.

richard
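The two patterns the thread has discussed so far, the SEARCH /\x90... requests Todd identifies as the IIS WebDAV exploit and the /default.ida and SEARCH filtering in Richard's SetEnvIf/CustomLog config, as detection logic over log lines. This is an added example, not code from the thread or from any of its posters. It parses Apache combined-format lines, undoes the \xNN escaping Apache applies to the request field so the raw request bytes can be examined, reimplements the two SetEnvIf conditions, and classifies each line. The sample log lines, the function names and the class labels are all constructed for the example; the SEARCH line is shaped like the one in the original post but shortened.

```python
import re
from collections import Counter
from typing import List, Optional

# Combined-format line: host ident user [time] "request" status bytes ...
# Apache writes the request field with non-printable bytes escaped as \xNN, so
# the \x90\x02\xb1 in the thread is the log's rendering of raw bytes 90 02 b1.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)(?: (?P<proto>HTTP/[0-9.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Single-character escapes mod_log_config uses besides \xNN.
_SIMPLE_ESCAPES = {'\\': 0x5c, '"': 0x22, 'n': 0x0a, 'r': 0x0d,
                   't': 0x09, 'v': 0x0b, 'b': 0x08, 'f': 0x0c}
_HEX = set('0123456789abcdefABCDEF')

# Constructed sample log (not taken from the thread).
SAMPLE_LOG = [
    # shaped like the thread's SEARCH request, shortened; real ones run to ~1200 bytes or more
    r'foo.bar.com - - [30/May/2004:02:45:28 -0400] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1 HTTP/1.1" 400 0',
    # Code Red style request, the target of the first SetEnvIf rule
    r'10.0.0.7 - - [30/May/2004:03:12:01 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 282',
    # ordinary traffic that must survive the filter
    r'10.0.0.9 - - [30/May/2004:03:13:44 -0400] "GET /index.html HTTP/1.1" 200 1534',
    # a well-formed WebDAV SEARCH: the Request_Method rule drops this one too
    r'10.0.0.11 - - [30/May/2004:03:14:02 -0400] "SEARCH /dav/ HTTP/1.1" 405 0',
]


def unescape_log_field(field: str) -> bytes:
    """Reverse Apache's log escaping (\\xNN, \\\\, \\", \\n ...) to get the bytes sent."""
    out = bytearray()
    i = 0
    while i < len(field):
        c = field[i]
        if c == '\\' and i + 1 < len(field):
            nxt = field[i + 1]
            hexpart = field[i + 2:i + 4]
            if nxt == 'x' and len(hexpart) == 2 and set(hexpart) <= _HEX:
                out.append(int(hexpart, 16))
                i += 4
                continue
            if nxt in _SIMPLE_ESCAPES:
                out.append(_SIMPLE_ESCAPES[nxt])
                i += 2
                continue
        out.extend(c.encode('latin-1', 'replace'))
        i += 1
    return bytes(out)


def parse(line: str) -> Optional[dict]:
    """Split one log line into fields; None if it is not a combined-format line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['raw_uri'] = unescape_log_field(rec['uri'])
    return rec


def dontlog(rec: dict) -> bool:
    """Python equivalent of the two SetEnvIf rules from the thread:
    Request_URI "^/default\\.ida" and Request_Method "SEARCH"."""
    return rec['method'] == 'SEARCH' or rec['raw_uri'].startswith(b'/default.ida')


def classify(line: str) -> str:
    """Label a line: the WebDAV SEARCH payload, another SEARCH, default.ida, normal, or unparsed."""
    rec = parse(line)
    if rec is None:
        return 'unparsed'
    if rec['method'] == 'SEARCH':
        # the thread's shape: path opens with a 0x90 byte, then runs of 02 b1 filler
        if rec['raw_uri'].startswith(b'/\x90') and b'\x02\xb1' * 4 in rec['raw_uri']:
            return 'webdav-search-payload'
        return 'search-other'
    if rec['raw_uri'].startswith(b'/default.ida'):
        return 'default.ida'
    return 'normal'


def kept_by_customlog(lines: List[str]) -> List[str]:
    """What `CustomLog ... env=!dontlog` would still write. Lines the parser cannot
    read are kept rather than silently dropped."""
    return [l for l in lines if (r := parse(l)) is None or not dontlog(r)]


def summarize(lines: List[str]) -> Counter:
    return Counter(classify(l) for l in lines)


if __name__ == '__main__':
    for line in SAMPLE_LOG:
        rec = parse(line)
        print(f"{classify(line):24} uri={len(rec['raw_uri']):4d} bytes  dontlog={dontlog(rec)}")
    print(summarize(SAMPLE_LOG))
```

Two things the run makes visible: the Request_Method rule suppresses every SEARCH request, including a legitimate WebDAV one, not only the payload; and a suppressed line is gone for good, so routing the tagged requests to a separate CustomLog (env=dontlog) rather than discarding them keeps the evidence while still keeping the main log readable.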

Richard Welty [30/05/04 19:57 -0400]:

# control logging: tag Code Red style /default.ida requests and every SEARCH request
# (the dot is escaped so it matches only the literal "/default.ida")
SetEnvIf Request_URI "^/default\.ida" dontlog
SetEnvIf Request_Method "SEARCH" dontlog

Nathan Torkington's vermicide helps - (needs mod_perl)

  srs

# this goes into your httpd.conf file