On Saturday 12 March 2005 23.03, Rikard Johnels wrote:
On Saturday 12 March 2005 22.46, Ger Lautenbach wrote:
Hello list,
can somebody explain to me what these entries are in my access_log of my apache webserver? (there are a couple lines below i copied for you to look at)
thks
Ger
65.194.21.143 - - [12/Mar/2005:19:01:36 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 1055 "-" "-" 65.194.21.143 - - [12/Mar/2005:19:01:37 +0100] "SEARCH /\x90\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x0 4H \x04H\x04H\x04H\x04H\x04 x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04 H\ x04H\x04H\x04H\x04H\x04 etc etc etc
One of the worms. (Was it Nimda or Code Red?) IIS exploits that apacha just goes "Huh!? What!?" too...
--
/Rikard
--------------------------------------------------------------- Rikard Johnels email : rikjoh@norweb.se Web : http://www.rikjoh.com/users/rikjoh Mob : +46 735 05 51 01 PGP : 0x461CEE56 ---------------------------------------------------------------
From http://forums.macosxhints.com/showthread.php?t=22371 <quote> It's the IIS WebDAV exploit: http://edgeos.com/threats/details.php?id=11413 http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx If you're running Apache on *nix, those lines are just annoying (but can cause problems with Webalizer). If you have IIS, better start patching ASAP! </quote> -- /Rikard --------------------------------------------------------------- Rikard Johnels email : rikjoh@norweb.se Web : http://www.rikjoh.com/users/rikjoh Mob : +46 735 05 51 01 PGP : 0x461CEE56 ---------------------------------------------------------------