Apache question, weird log

justanothersteve · 02-26-2006, 06:03 PM

I keep a close eye on my apache logs just to make sure everything is running fine. I see many failed attempts of script-kiddies trying to find an exploit but this is the first time I saw this:

Code:

69.154.182.110 - - [24/Feb/2006:12:24:45 -0600] "SEARCH /\x90\xc9\
xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\
xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\
xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\
xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\
xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\
xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\
xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\
xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\
xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\
xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\
xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\.............414 318

There are PAGES AFTER PAGES of just this then it changes to \x90 for about three or four pages, and it wasn't multiple times, it was all from this one search action. Does anyone know what this was?

justanothersteve · 02-26-2006, 06:09 PM

My apologies, I found where this issue has been addressed in a previous post

gilead · 02-26-2006, 06:13 PM

I believe that's just an MS IIS WebDAV exploit attempt. Since you're running Apache it won't affect you, there's just going to be a lot of log activity. The 414 response is "Request-URI Too Long"...