Re: seen in /var/www/logs/access_log
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: seen in /var/www/logs/access_log
- From: J Moore <jaymo_(_at_)_cullmail_(_dot_)_com>
- Date: Sun, 5 Dec 2004 17:06:21 -0600
On Sun, Dec 05, 2004 at 03:29:12PM -0600, the unit calling itself J Moore wrote:
> On Sun, Dec 05, 2004 at 02:57:58PM -0600, the unit calling itself J Moore wrote:
> > I've been monitoring my httpd's access logs (OBSD 3.5):
> > tail -f /var/www/logs/access_log
> >
> > I regularly receive a "SEARCH /" followed by a long string of repeating
> > '\x02+-', followed by a much longer string of '\x90'.
> >
> > I'm fairly sure this is some asshole(s) rattling the lock, but I've also
> > seen a gradual increase in the number of httpd processes as displayed in
> > 'top'.
> >
> > Does anyone know any specifics on this pattern, and/or if there is
> > anything that could/should be done about it?
>
> Whooops! Please disregard - I should've Google'd first, and asked
> questions later.
>
> FWIW: This is the so-called WebDAV exploit against MS' IIS. I found some
> interesting ways to deal with it by:
>
> http://www.google.com/search?hl=en&lr=&ie=ISO-8859-1&q=SEARCH+%2F+%5Cx02+%5Cx90&btnG=Search
>
Sorry to keep following up on my own posts, but here's an idea that
might work :) At the least, it will make those of us that pay the tax
burden for Homeland Security feel we're getting a better return on our
investment.
# RedirectMatch is provided by mod_alias, so the guard tests for that module.
<IfModule mod_alias.c>
# Requests for well-known IIS probe paths get a permanent redirect.
# Literal dots in the file names are escaped so they match only a dot.
RedirectMatch permanent (.*)cmd\.exe(.*)$ http://www.dhs.gov
RedirectMatch permanent (.*)root\.exe(.*)$ http://www.dhs.gov
RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://www.dhs.gov
RedirectMatch permanent (.*)\/scripts\/\.\.(.*)$ http://www.dhs.gov
RedirectMatch permanent (.*)\/_mem_bin\/(.*)$ http://www.dhs.gov
RedirectMatch permanent (.*)\/msadc\/(.*)$ http://www.dhs.gov
RedirectMatch permanent (.*)\/MSADC\/(.*)$ http://www.dhs.gov
RedirectMatch permanent (.*)\/c\/winnt\/(.*)$ http://www.dhs.gov
RedirectMatch permanent (.*)\/d\/winnt\/(.*)$ http://www.dhs.gov
RedirectMatch permanent (.*)\/x90\/(.*)$ http://www.dhs.gov
</IfModule>
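
Added example, not part of the original post: a short Python scan of access-log lines for the pattern described in the thread (a SEARCH request whose URI is a long run of \xHH escapes), counted per source address. The log lines are constructed, and the names classify, summarize and the min_escapes threshold are assumptions made for the example.

```python
import re
from collections import Counter

# Common/combined log format: host ident user [time] "request" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(.*?)" (\d{3}) (\S+)')
# Non-printable request bytes appear in the log as \xHH escapes (e.g. \x90).
ESCAPE_RE = re.compile(r'\\x[0-9a-fA-F]{2}')

# Constructed sample lines (documentation address ranges, made-up sizes).
SAMPLE = [
    '192.0.2.10 - - [05/Dec/2004:14:50:01 -0600] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [05/Dec/2004:14:51:12 -0600] "SEARCH /' + r'\x90' * 300 + '" 414 271',
    '198.51.100.7 - - [05/Dec/2004:14:58:40 -0600] "SEARCH /' + r'\x90' * 250 + '" 414 271',
    '203.0.113.5 - - [05/Dec/2004:15:02:33 -0600] "SEARCH /docs HTTP/1.1" 405 290',
    '203.0.113.5 - - [05/Dec/2004:15:03:00 -0600] "GET /caf\\xc3\\xa9.html HTTP/1.1" 404 280',
]

def classify(line, min_escapes=20):
    """Return (host, method, escape_count) for a matching line, else None.

    A line matches when the method is SEARCH and the request contains at
    least min_escapes \\xHH sequences (assumed threshold; tune to taste).
    """
    m = LINE_RE.match(line)
    if not m:
        return None  # not a parseable access-log line
    host, request = m.group(1), m.group(2)
    method = request.split(' ', 1)[0]
    escapes = len(ESCAPE_RE.findall(request))
    if method == 'SEARCH' and escapes >= min_escapes:
        return host, method, escapes
    return None

def summarize(lines, min_escapes=20):
    """Count matching requests per source host."""
    hits = Counter()
    for line in lines:
        result = classify(line, min_escapes)
        if result:
            hits[result[0]] += 1
    return hits

if __name__ == '__main__':
    for host, count in summarize(SAMPLE).most_common():
        print(f'{host}\t{count} SEARCH request(s) with long \\xHH runs')
```

To run it against a real log, pass the open file instead of SAMPLE, for example summarize(open('/var/www/logs/access_log', errors='replace')).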