odd entries access_log
Hello list,

can somebody explain to me what these entries are in my access_log of my Apache webserver? (there are a couple lines below I copied for you to look at)

thks
Ger

65.194.21.143 - - [12/Mar/2005:19:01:36 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 1055 "-" "-"
65.194.21.143 - - [12/Mar/2005:19:01:37 +0100] "SEARCH /\x90\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04 x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04 etc etc etc

On Saturday, 12 March 2005 22:46, Ger Lautenbach wrote:
> SEARCH /\x90\x04H\x04H\x04H\x04H\x04H\ ...

Google is your friend, e.g.:
http://www1.dshield.org/pipermail/list/2003-March/022548.php

HTH,
Jan
--
We cannot imagine how our lives could be more frustrating or complex, but congress can...

On Saturday 12 March 2005 22.46, Ger Lautenbach wrote:
> Hello list,
>
> can somebody explain to me what these entries are in my access_log of my apache webserver? (there are a couple lines below i copied for you to look at)
>
> thks
> Ger
>
> 65.194.21.143 - - [12/Mar/2005:19:01:36 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 1055 "-" "-"
> 65.194.21.143 - - [12/Mar/2005:19:01:37 +0100] "SEARCH /\x90\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H \x04H\x04H\x04H\x04H\x04 x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\ x04H\x04H\x04H\x04H\x04 etc etc etc

One of the worms. (Was it Nimda or Code Red?)
IIS exploits that Apache just goes "Huh!? What!?" too...

--
/Rikard
---------------------------------------------------------------
Rikard Johnels
email : rikjoh@norweb.se
Web : http://www.rikjoh.com/users/rikjoh
Mob : +46 735 05 51 01
PGP : 0x461CEE56
---------------------------------------------------------------

On Saturday 12 March 2005 23.03, Rikard Johnels wrote:
> On Saturday 12 March 2005 22.46, Ger Lautenbach wrote:
> > Hello list,
> >
> > can somebody explain to me what these entries are in my access_log of my apache webserver? (there are a couple lines below i copied for you to look at)
> >
> > thks
> > Ger
> >
> > 65.194.21.143 - - [12/Mar/2005:19:01:36 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 1055 "-" "-"
> > 65.194.21.143 - - [12/Mar/2005:19:01:37 +0100] "SEARCH /\x90\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x0 4H \x04H\x04H\x04H\x04H\x04 x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04 H\ x04H\x04H\x04H\x04H\x04 etc etc etc
>
> One of the worms. (Was it Nimda or Code Red?)
> IIS exploits that Apache just goes "Huh!? What!?" too...
>
> --
> /Rikard
> ---------------------------------------------------------------
> Rikard Johnels
> email : rikjoh@norweb.se
> Web : http://www.rikjoh.com/users/rikjoh
> Mob : +46 735 05 51 01
> PGP : 0x461CEE56
> ---------------------------------------------------------------

From http://forums.macosxhints.com/showthread.php?t=22371
<quote>
It's the IIS WebDAV exploit:
http://edgeos.com/threats/details.php?id=11413
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx
If you're running Apache on *nix, those lines are just annoying (but can cause problems with Webalizer). If you have IIS, better start patching ASAP!
</quote>

--
/Rikard
---------------------------------------------------------------
Rikard Johnels
email : rikjoh@norweb.se
Web : http://www.rikjoh.com/users/rikjoh
Mob : +46 735 05 51 01
PGP : 0x461CEE56
---------------------------------------------------------------

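Added example, not part of the original thread: a small triage script for an Apache access_log that labels the two request shapes discussed above (the FrontPage fp30reg.dll POST and the SEARCH request with a long run of \xHH-escaped bytes) and separates them from ordinary traffic, for instance before a statistics run. The function names, the MIN_ESCAPES threshold and the sample lines (documentation addresses, shortened SEARCH target, status codes) are assumptions constructed for illustration.

```python
import re

# Common/combined log prefix; the request field is matched greedily so
# escaped quotes inside it do not end the match early.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>.*)" (?P<status>\d{3}) (?P<size>\S+)')
HEX_ESCAPE = re.compile(r'\\x[0-9a-fA-F]{2}')  # Apache's escaping of raw bytes
MIN_ESCAPES = 8  # assumed threshold for a "binary" request target


def classify(line):
    """Return a label for IIS-targeted noise, 'unparsed', or None if ordinary."""
    m = LINE_RE.match(line)
    if m is None:
        return "unparsed"  # truncated or mangled entry: surface it, do not pass it
    method, _, target = m.group("request").partition(" ")
    if "/_vti_bin/" in target.lower():
        return "frontpage-probe"
    if method == "SEARCH" and len(HEX_ESCAPE.findall(target)) >= MIN_ESCAPES:
        return "webdav-search-binary"
    return None


def split_log(lines):
    """Separate ordinary lines from flagged ones; flagged holds (label, ip)."""
    clean, flagged = [], []
    for line in lines:
        label = classify(line)
        if label is None:
            clean.append(line)
        else:
            m = LINE_RE.match(line)
            flagged.append((label, m.group("ip") if m else None))
    return clean, flagged


# Constructed sample lines, not taken from a real log.
SAMPLE = [
    r'192.0.2.10 - - [12/Mar/2005:19:01:36 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 1055 "-" "-"',
    r'192.0.2.10 - - [12/Mar/2005:19:01:37 +0100] "SEARCH /\x90' + r'\x04H' * 40 + r'" 414 340 "-" "-"',
    r'198.51.100.7 - - [12/Mar/2005:19:02:10 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    r'198.51.100.7 - - [12/Mar/2005:19:02:11 +0100] "GET /caf\xc3\xa9.html HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    kept, noise = split_log(SAMPLE)
    print(noise, len(kept))
```

The last sample line shows why a bare match on \x is too broad: a legitimate non-ASCII URL also appears with a couple of escapes, so the check requires the SEARCH method and a long run of them.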
participants (3)
- Ger Lautenbach
- Jan Ritzerfeld
- Rikard Johnels