LinuxQuestions.org
Old 06-27-2004, 12:37 PM   #1
TheOneAndOnlySM
apache logs showing strange "SEARCH /\x90\x02\xb1" lines


Doing some googling, I found that it was some WebDAV exploit for Windows IIS servers (or a related buffer overflow attack) that is putting these enormously long messages in my access_log files:

SEARCH /\x90\x02\xb1..... (continues for about 30,000 characters)

This is supposed to be just a nuisance for Apache, but I was wondering how I could avoid all these requests to my server (it makes the log files unnecessarily large).

I found this site: http://forums.macosxhints.com/showthread.php?t=22371 which says I can add this to my httpd.conf file:

# RedirectMatch is provided by mod_alias, so that is the module to test for.
<IfModule mod_alias.c>
RedirectMatch permanent (.*)cmd.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)root.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/scripts\/\.\.(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_mem_bin\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/msadc\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/MSADC\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/c\/winnt\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/d\/winnt\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/x90\/(.*)$ http://www.microsoft.com
</IfModule>

Is this a good idea? I don't want users getting redirected away from my site just to be linked to Microsoft's site...

*edit: Darn, even after adding the above options to httpd.conf, I still get those SEARCH lines in my access_log; it is using up too much bandwidth...

Last edited by TheOneAndOnlySM; 06-27-2004 at 06:00 PM.
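
An added example, not part of the original posts: a small Python log filter that measures how much of an access_log the long SEARCH entries occupy, counts them per source address, and returns the log with those entries dropped. The log lines, addresses, status codes and the `min_escapes` threshold are constructed assumptions; the only thing taken from the thread is the `SEARCH /\x90\x02\xb1...` shape of the request.

```python
import re
from collections import Counter

# Common Log Format prefix; the request field may contain backslash escapes.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+')
# Apache writes non-printable request bytes to the log as literal \xhh text.
ESCAPE_RE = re.compile(r'\\x[0-9a-fA-F]{2}')

def is_search_probe(request, min_escapes=16):
    # SEARCH method plus a URI made mostly of \xhh escapes; an ordinary
    # WebDAV SEARCH or a URL with a few encoded bytes does not match.
    method, _, rest = request.partition(' ')
    return method == 'SEARCH' and len(ESCAPE_RE.findall(rest)) >= min_escapes

def summarize(lines):
    hosts, kept, probe_bytes, total_bytes = Counter(), [], 0, 0
    for line in lines:
        size = len(line) + 1                      # +1 for the newline on disk
        total_bytes += size
        m = LINE_RE.match(line)
        if m and is_search_probe(m.group('request')):
            hosts[m.group('host')] += 1
            probe_bytes += size
        else:
            kept.append(line)
    share = probe_bytes / total_bytes if total_bytes else 0.0
    return {'hosts': hosts, 'kept': kept, 'probe_share': share}

def constructed_probe(host, stamp):
    # Constructed stand-in for the long lines in the post (shortened to ~8 KB).
    uri = r'/\x90\x02\xb1' + r'\x90' * 2000
    return f'{host} - - [{stamp}] "SEARCH {uri}" 414 340'

# Constructed sample log (documentation addresses, invented timestamps/statuses).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Jun/2004:12:01:07 -0500] "GET /index.html HTTP/1.1" 200 5120',
    constructed_probe('198.51.100.7', '27/Jun/2004:12:03:44 -0500'),
    r'192.0.2.10 - - [27/Jun/2004:12:04:02 -0500] "GET /caf\xc3\xa9.html HTTP/1.1" 404 209',
    constructed_probe('203.0.113.55', '27/Jun/2004:12:09:31 -0500'),
    constructed_probe('198.51.100.7', '27/Jun/2004:12:15:12 -0500'),
    '192.0.2.20 - - [27/Jun/2004:12:20:00 -0500] "SEARCH /docs/ HTTP/1.1" 501 215',
]

if __name__ == '__main__':
    result = summarize(SAMPLE_LOG)
    for host, count in result['hosts'].most_common():
        print(f'{host}\t{count} SEARCH probes')
    print(f"probe share of log bytes: {result['probe_share']:.1%}")
    print(f"lines kept: {len(result['kept'])}")
```

The per-host counts show which sources repeat, and the kept lines are what the log would look like without the probe entries.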
 
Old 06-28-2004, 04:39 PM   #2
J.W.
This sounds as if it may be better addressed in the Security forum rather than the Software forum. You may want to consider asking a moderator to move it. Good luck with it either way. -- J.W.
 
  


All times are GMT -5.