Stopping the Webdav Exploit in Apache
Scott Haneda
scott at newgeo.com
Sat Mar 27 18:42:04 PST 2004
Ever since I got on Comcast for internet, I have seen some strange stuff in
my apache logs. I am serving up my mrtg stats on port 80 just so I can see
what is going on no matter where I am. In doing this, I get to see what is
coming in on my apache logs, not that this really matters, but it has been
bothering me that I can not do what I want to do.
The first thing I did was start tracking the worms and other issues:
# create special cases to get code red and others out of my logs!
SetEnvIfNoCase Request_URI "/cmd\.exe" msjunk
SetEnvIfNoCase Request_URI "/Admin\.dll" msjunk
SetEnvIfNoCase Request_URI "/root\.exe" msjunk
SetEnvIfNoCase Request_URI "/httpodbc\.dll" msjunk
SetEnvIfNoCase Request_URI "/owssvr\.dll" msjunk
SetEnvIfNoCase Request_URI "/default\.ida" msjunk
I send these logs to a separate log...
CustomLog "/private/var/log/httpd/msjunk_log" virtual env=msjunk
CustomLog "/private/var/log/httpd/msjunk_IP_log" justIP env=msjunk
One is the full request, the last one is just the IP
Every 5 minutes cron picks up the IP log and adds it to a blackhole list so
they can not talk to me again.
This has captured all trouble but one...
Me.me.com 24.90.81.237 - - [27/Mar/2004:08:02:27 -0800] "SEARCH
/\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
2\xb1\x02\xb1\ ... 32,820 total chars
For the life of me, I can not mimic this URI request; every attempt I make
to try to create a test case so I can see how to pattern match this with
SetEnvIfNoCase Request_URI yields a \\x02\\etc\\etc in my logs.
Any idea what's going on here and how I can pattern match this?
--
-------------------------------------------------------------
Scott Haneda Tel: 415.898.2602
http://www.newgeo.com Fax: 313.557.5052
scott at newgeo.com Novato, CA U.S.A.
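Detection of the request shown above, run over constructed log lines, as an added example that is not part of the original post: it parses the "virtual"-format log, flags the same URIs the SetEnvIfNoCase rules already catch plus any SEARCH request or a URI that Apache logged as a long run of \xHH escapes, and emits the unique source IPs for the blackhole list. The log-line regex and the eight-escape threshold are assumptions, and the sample SEARCH line is shortened (the real one ran to 32,820 characters).

```python
import re

# Constructed sample lines in the post's "virtual" CustomLog layout (vhost first).
# Apache writes non-printable request bytes as \xHH escapes in the log, which is
# what the original SEARCH line looks like; shortened here for the example.
SAMPLE_LOG = r"""me.me.com 24.90.81.237 - - [27/Mar/2004:08:02:27 -0800] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1 HTTP/1.1" 411 0
me.me.com 192.0.2.10 - - [27/Mar/2004:08:03:01 -0800] "GET /mrtg/index.html HTTP/1.1" 200 1234
me.me.com 192.0.2.11 - - [27/Mar/2004:08:04:15 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
me.me.com 198.51.100.7 - - [27/Mar/2004:08:05:40 -0800] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1 HTTP/1.1" 411 0
"""

# Assumed log layout: vhost, client IP, ident, user, [time], "METHOD URI PROTO", status, size.
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)(?: (?P<proto>[^"]*))?" (?P<status>\d{3}) (?P<size>\S+)'
)
# The same URI fragments the post filters with SetEnvIfNoCase Request_URI.
MSJUNK_RE = re.compile(
    r'/(cmd\.exe|Admin\.dll|root\.exe|httpodbc\.dll|owssvr\.dll|default\.ida)', re.I)
# Eight or more logged \xHH escapes in a row: a request carrying raw binary
# instead of a path, which no client of an MRTG stats page needs to send.
BINARY_URI_RE = re.compile(r'(?:\\x[0-9a-fA-F]{2}){8,}')


def classify(line):
    """Return ("msjunk", ip), ("webdav-search", ip) or None for one log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    method, uri, ip = m.group("method"), m.group("uri"), m.group("ip")
    if MSJUNK_RE.search(uri):
        return ("msjunk", ip)
    # The post's problem line: WebDAV SEARCH method with a binary blob as URI.
    if method == "SEARCH" or BINARY_URI_RE.search(uri):
        return ("webdav-search", ip)
    return None


def blackhole_ips(log_text):
    """Unique source IPs of flagged lines, sorted, one per entry for the blackhole list."""
    ips = set()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            ips.add(hit[1])
    return sorted(ips)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(classify(line), line[:60])
    print("\n".join(blackhole_ips(SAMPLE_LOG)))
```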