LogWatch
Giovanni Riganti
admin.linux at eco.uninsubria.it
Wed Jul 21 09:35:53 UTC 2004
Alle 11:23, mercoledì 21 luglio 2004, John Morrison ha scritto:
> Hi,
> Looking at the root user mail I noticed the following appears frequently
> in the logfiles:
>
> --------------------- httpd Begin ------------------------
>
> A total of 2 sites probed the server
> 81.51.104.14
> 81.10.211.182
>
> A total of 2 unidentified 'other' records logged
> GET /sumthin HTTP/1.0 with response code(s) 404
> SEARCH
> /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x
>b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x
>02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x
>b1\x
>
> The 'SEARCH' line goes on and on for pages (only shown a portion of it
> for brevity). I have never seen this before and would like to know what
> is happening and should i block the sites that the probe comes from. The
> web server is only for my personal development.
it's the IIS WebDAV exploit
http://www.microsoft.com/technet/security/bulletin/ms03-007.aspx
no problem with apache on *nix.
Gio
--
Fedora Core 1 @ 11:35:24 up 54 days, 20:22, 3 users
More information about the users
mailing list