[NTLUG:Discuss] HTTPD access_log

Kevin Hulse hulse_kevin at yahoo.com
Wed Jul 14 11:08:51 CDT 2004


--- Jack Snodgrass <jack at jacksnodgrass.com> wrote:
> On Wed, 2004-07-14 at 09:01, David Ross wrote:
> > Good Day,
> > 	Hopefully someone can tell me what this is and how
> to fix it.
> > $ tail -f /var/log/httpd/access_log
> > 66.205.132.183 - - [02/Jul/2004:20:03:40 -0500] 
> > "SEARCH /\x90\x02\xb1\x02\xb1\x0
> > <snipped>
> > My web site is very static (default actually) with
> no search function. I 
> > gather this to be an exploit due to the NOP
> code, but I really don't know.
> 
> This is a hacker trying to exploit a MS Windows WEBDAV
> Exploit.  

If you install snort it will give you a very nice
breakdown of everyone that's trying to exploit
your system and how. I was receiving a lot of
traffic from mssql worms until I installed snort,
saw the intrusion report and blocked the relevant
port on my firewall.

> SEARCH isn't a default method that Apache
> understands, so you 
> don't have anything to worry about. Normally... you
> can have your
> apache logs filter these scans / hack attempts to
> another log, 
> but since this isn't a GET/POST... but a SEARCH, you
> can't filter
> these. ( I've tried... if someone figured out how,
> let me know ) 

I have a shell script that monitors my snort logs
periodically to look for new alerts and then add
the associated IPs to my local firewall rules.
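
Added example, not part of the original message or either poster's script: a small shell function that pulls out of an access_log the client IPs whose requests look like the SEARCH probe quoted above (a method outside an allowlist, or a request line packed with \xNN escapes). The allowlist, the escape threshold and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag access_log entries that resemble the SEARCH probe.
# Assumptions: common/combined log format; allowlist and threshold below.
ALLOWED_METHODS="GET HEAD POST OPTIONS"   # methods a static site should see
MIN_ESCAPES=8                             # \xNN escapes that count as suspicious

# Reads log lines on stdin; prints "hits ip reason", busiest client first.
suspicious_clients() {
    awk -v allowed="$ALLOWED_METHODS" -v min="$MIN_ESCAPES" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
        # The request line is the first double-quoted field of the entry.
        if (split($0, q, "\"") < 3) next
        req = q[2]
        split(req, r, " ")
        method = r[1]
        # Apache logs non-printable bytes as \xNN; count them on a copy.
        tmp = req
        esc = gsub(/\\x[0-9A-Fa-f][0-9A-Fa-f]/, "", tmp)
        reason = ""
        if (!(method in ok)) reason = "method=" method
        if (esc >= min) reason = (reason == "" ? "" : reason ",") "escapes=" esc
        if (reason != "") { hits[$1]++; why[$1] = reason }
    }
    END { for (ip in hits) print hits[ip], ip, why[ip] }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample entries (documentation IP ranges, not real hosts).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [02/Jul/2004:20:01:12 -0500] "GET /index.html HTTP/1.1" 200 1456
198.51.100.7 - - [02/Jul/2004:20:03:40 -0500] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1 HTTP/1.1" 414 340
192.0.2.10 - - [02/Jul/2004:20:04:02 -0500] "HEAD / HTTP/1.0" 200 0
198.51.100.7 - - [02/Jul/2004:20:05:19 -0500] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1 HTTP/1.1" 414 340
203.0.113.5 - - [02/Jul/2004:20:09:55 -0500] "GET /\x90\x90\x90\x90\x90\x90\x90\x90 HTTP/1.0" 404 280
EOF
}

# Real use: suspicious_clients < /var/log/httpd/access_log
sample_log | suspicious_clients
```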




