Quote:
Originally posted by dm0nkz
Recently I've been having some consistently annoying logs on my Apache server.
Although it doesn't really compromise my system in terms of breaking in,
it's really getting annoying and I think that the attacker is wasting both
his/her and my bandwidth...
Here is a copy of the log... (I CHANGED THE IP OF COURSE :-))
253.1a1.aaa.186 - - [26/Apr/2004:18:51:45 +0800] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\
xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\
xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
... more lines like the above ...
... more lines like the above ...
... more lines like the above ...
... more lines like the above ...
0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 414 340 "-" "-"
--------------------- end of log -----------------------
It's been hogging my logs and it's occurring at a constant rate...
Some questions that I have..
1) Is anyone familiar with this attack?
2) Does Apache have a defense mechanism for this?
3) What are the ways to defend against these annoying attacks?
I'm thinking of putting up a string match on "\x02\xb1" in my iptables
firewall?
I would appreciate all comments, suggestions, and information...
Thanks in advance!
God Bless.
dm0nkz
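As an added example (not code from the original post or the reply), here is a small Python checker that runs over constructed Apache access-log lines shaped like the one above. It flags a request when the method is not one a plain web site needs, when the logged request contains a run of `\x90` (a NOP sled) or the repeated `\x02\xb1` filler, or when Apache answered 414, then counts hits per source address and prints iptables DROP rules for any source over a threshold. The IP addresses, the shortened request, the allowed-method set and the threshold are all assumptions made for the example.

```python
import re
from collections import Counter

# Apache "combined" access-log line:
#   ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Methods a plain web site needs; anything else (SEARCH, PROPFIND, ...) is
# worth a second look. Adjust this set for a server that really serves WebDAV.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}

# Apache writes non-printable request bytes into the log as \xNN escapes, so
# a 0x90 NOP sled and the repeated 0x02 0xb1 filler from the thread's log
# appear as the literal text "\x90" and "\x02\xb1". Both regexes match that
# escaped log text, not raw packet bytes.
NOP_SLED_RE = re.compile(r'(\\x90){8,}')
FILLER_RE = re.compile(r'(\\x02\\xb1){4,}')


def classify(line):
    """Parse one access-log line and list the reasons it looks hostile.

    Returns None for a line that does not parse; otherwise a dict with the
    source IP, method, status and a (possibly empty) list of reasons.
    """
    m = LOG_RE.match(line)
    if m is None:
        return None
    request = m.group("request")
    method = request.split(" ", 1)[0] if request else ""
    reasons = []
    if method not in ALLOWED_METHODS:
        reasons.append(f"method {method or '<empty>'}")
    if NOP_SLED_RE.search(request):
        reasons.append("nop sled")
    if FILLER_RE.search(request):
        reasons.append("binary filler")
    if m.group("status") == "414":
        # 414 Request-URI Too Long: Apache refused the request because it
        # exceeded LimitRequestLine, so the server already rejected it.
        reasons.append("414 URI too long")
    return {
        "ip": m.group("ip"),
        "method": method,
        "status": m.group("status"),
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


def summarize(lines):
    """Count suspicious requests per source IP."""
    counts = Counter()
    for line in lines:
        r = classify(line)
        if r is not None and r["suspicious"]:
            counts[r["ip"]] += 1
    return counts


def iptables_rules(counts, threshold=3):
    """Emit one DROP rule per source that crossed the threshold.

    Blocking the source address is what the reply suggests; it is cheap but
    only helps while the attacker keeps using the same address.
    """
    return [
        f"iptables -I INPUT -s {ip} -p tcp --dport 80 -j DROP"
        for ip, n in sorted(counts.items())
        if n >= threshold
    ]


# Constructed sample log: one normal visitor (203.0.113.5) and three copies of
# the SEARCH request from the thread (203.0.113.9), with the sled and filler
# shortened for readability. Addresses are documentation-range placeholders.
ATTACK_REQUEST = "SEARCH /" + r"\x90" + r"\x02\xb1" * 12 + r"\x90" * 16
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Apr/2004:18:50:01 +0800] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
    f'203.0.113.9 - - [26/Apr/2004:18:51:45 +0800] "{ATTACK_REQUEST}" 414 340 "-" "-"',
    f'203.0.113.9 - - [26/Apr/2004:18:52:12 +0800] "{ATTACK_REQUEST}" 414 340 "-" "-"',
    '203.0.113.5 - - [26/Apr/2004:18:52:30 +0800] "POST /cgi-bin/guestbook HTTP/1.0" 200 55 "-" "Mozilla/4.0"',
    f'203.0.113.9 - - [26/Apr/2004:18:53:01 +0800] "{ATTACK_REQUEST}" 414 340 "-" "-"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        r = classify(line)
        print(r["ip"], r["method"], r["status"], ", ".join(r["reasons"]) or "ok")
    for rule in iptables_rules(summarize(SAMPLE_LOG)):
        print(rule)
```

Two things the 414 in the log already tell you: Apache rejected the request because the line exceeded its `LimitRequestLine` limit, so no handler ever ran, and the `\x02\xb1` text is Apache's escaping of the raw bytes 0x02 0xb1. A kernel-side string match on the literal characters `\x02\xb1` would therefore never fire; it would have to match the raw bytes, and even then it only saves the log noise. On the Apache side, a `<LimitExcept GET POST HEAD>` block with `Deny from all` (`Require all denied` on 2.4) turns away every non-standard method such as SEARCH before it is processed.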
Who knows, maybe someone is trying to exploit your web server remotely! There are many exploits out there! Don't forget to update and to use the latest version. You can test your web server easily with Nessus or Nikto or SARA or SATAN and they will tell you a lot. If you know the attacker's IP then just block the IP range or ban it; there are many scripts for that on the web.
Good luck