Slackware: This forum is for the discussion of Slackware Linux.
Recently I've been having some consistently annoying logs on my Apache server.
Although it doesn't really compromise my system in terms of breaking in,
it's really getting annoying, and I think that the attacker is wasting both
his/her and my bandwidth...
Here is a copy of the log... (I CHANGED THE IP OF COURSE :-))
253.1a1.aaa.186 - - [26/Apr/2004:18:51:45 +0800] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\
xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\
xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
... more lines like the above ...
... more lines like the above ...
... more lines like the above ...
... more lines like the above ...
0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 414 340 "-" "-"
--------------------- end of log -----------------------
It's been hogging my logs and it's occurring at a constant rate...
Some questions that I have:
1) Is anyone familiar with this attack?
2) Does Apache have a defense mechanism for this?
3) What are the ways to defend against these annoying attacks?
I'm thinking of putting up a string match on "\x02\xb1" in my iptables
firewall?
I would appreciate all comments, suggestions, and information...
Thanks in advance!
I have seen this same log message in my server logs for months; it is the Welchia WebDAV exploit for Windows servers. Normal iptables does not have a way to block this, since it only looks at the IP headers and not at the payload of the packet. There is a patched version of iptables called patch-o-matic that can filter on the TCP data. You have to re-compile your kernel with the new code, so you have to know what you are doing to apply it. Here's an article about it.
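The request in the posted log is the WebDAV ntdll.dll overflow (MS03-007) that Welchia carried: a SEARCH request whose URI is padded with repeated 0x02 0xb1 bytes followed by an x86 NOP sled (0x90). Apache writes those bytes into the access log as \xNN escapes, and the 414 status shows the request line exceeded LimitRequestLine (default 8190 bytes) and was rejected before anything parsed the payload, so on Apache the only cost is log noise and bandwidth. The following Python script is an added example, not code from this thread or from any poster: it parses Apache access-log lines, flags entries that carry the filler or NOP-sled signature, aggregates them per source IP and emits a block rule per noisy source. The log lines embedded in it are constructed (with RFC 5737 documentation addresses), and the two-hit threshold is an arbitrary choice.

```python
"""Flag MS03-007 WebDAV overflow probes in an Apache access log and turn the
noisy sources into iptables rules.

Apache logs non-printable request bytes as \\xNN escapes, so the log text
holds the literal characters backslash, x, hex, hex. The regexes below match
that escaped text, not raw bytes.
"""
import re
from collections import defaultdict

# Constructed sample (not the poster's log): two probes from one host, one
# benign request, one probe from a second host. Sleds shortened for brevity.
SAMPLE_LOG = r'''
203.0.113.186 - - [26/Apr/2004:18:51:45 +0800] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x90\x90\x90\x90\x90\x90\x90\x90" 414 340 "-" "-"
198.51.100.7 - - [26/Apr/2004:18:52:01 +0800] "GET /index.html HTTP/1.1" 200 1042 "-" "Mozilla/5.0"
203.0.113.186 - - [26/Apr/2004:18:53:12 +0800] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x90\x90\x90\x90\x90\x90\x90\x90" 414 340 "-" "-"
192.0.2.44 - - [26/Apr/2004:19:01:00 +0800] "SEARCH /\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 414 340 "-" "-"
'''

# Common/Combined Log Format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Exploit filler (0x02 0xb1 repeated) and the x86 NOP sled, as logged by Apache.
FILLER_RE = re.compile(r'(?:\\x02\\xb1){4,}')
NOP_SLED_RE = re.compile(r'(?:\\x90){8,}')

# Payload-level match on the filler bytes; needs the string match extension
# (-m string), which was a patch-o-matic add-on in 2004 and is mainline now.
PAYLOAD_RULE = ('iptables -I INPUT -p tcp --dport 80 -m string --algo bm '
                '--hex-string "|02 b1 02 b1 02 b1 02 b1|" -j DROP')


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = entry["request"].split(" ")
    entry["method"] = parts[0] if parts else ""
    entry["uri"] = parts[1] if len(parts) > 1 else ""
    entry["status"] = int(entry["status"])
    return entry


def is_webdav_overflow(entry):
    """True when the URI carries the filler run or a NOP sled.

    The method is recorded but not required: the worm used SEARCH, but the
    same overflow can be delivered in other WebDAV methods.
    """
    uri = entry["uri"]
    return bool(FILLER_RE.search(uri) or NOP_SLED_RE.search(uri))


def analyze(log_text):
    """Aggregate flagged requests per source IP."""
    stats = defaultdict(lambda: {"count": 0, "methods": set(),
                                 "statuses": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not is_webdav_overflow(entry):
            continue
        s = stats[entry["ip"]]
        s["count"] += 1
        s["methods"].add(entry["method"])
        s["statuses"].add(entry["status"])
        s["first"] = s["first"] or entry["ts"]
        s["last"] = entry["ts"]
    return dict(stats)


def block_rules(stats, threshold=2):
    """Plain source-address DROP rules (stock iptables) for sources at or
    above the threshold, busiest first."""
    rules = []
    for ip in sorted(stats, key=lambda k: -stats[k]["count"]):
        if stats[ip]["count"] >= threshold:
            rules.append(f"iptables -I INPUT -s {ip} -p tcp --dport 80 -j DROP")
    return rules


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for ip, s in found.items():
        print(f"{ip}: {s['count']} probe(s), methods={sorted(s['methods'])}, "
              f"statuses={sorted(s['statuses'])}, {s['first']} .. {s['last']}")
    for rule in block_rules(found):
        print(rule)
    print(PAYLOAD_RULE)
```

Run it against a real log with `analyze(open("/var/log/apache/access_log").read())`; the source-address rules work with any iptables, while PAYLOAD_RULE only loads if the kernel has the string match extension. On the Apache side the request is already refused by the length limit, and a `<LimitExcept GET POST HEAD>` block or a mod_rewrite rule on REQUEST_METHOD would reject the SEARCH method itself, but neither stops the bytes from arriving; only a firewall rule does that.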
Originally posted by dm0nkz: (the original post above, quoted in full)
Who knows, maybe someone is trying to exploit your web server remotely! There are many exploits out there! Don't forget to update and to use the latest version. You can test your web server easily with Nessus, Nikto, SARA or SATAN and they will tell you a lot. If you know the attacker's IP then just block the IP range or ban it; there are many scripts for that on the web.