LogWatch

Giovanni Riganti admin.linux at eco.uninsubria.it
Wed Jul 21 09:35:53 UTC 2004


At 11:23, Wednesday 21 July 2004, John Morrison wrote:
> Hi,
> Looking at the root user mail I noticed the following appears frequently
> in the logfiles:
>
>  --------------------- httpd Begin ------------------------
>
> A total of 2 sites probed the server
>   81.51.104.14
>   81.10.211.182
>
> A total of 2 unidentified 'other' records logged
>   GET /sumthin HTTP/1.0 with response code(s) 404
>   SEARCH
> /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x
>b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x
>02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x
>b1\x
>
> The 'SEARCH' line goes on and on for pages (only shown a portion of it
> for brevity). I have never seen this before and would like to know what
> is happening and should I block the sites that the probe comes from. The
> web server is only for my personal development.

It's the IIS WebDAV exploit 
http://www.microsoft.com/technet/security/bulletin/ms03-007.aspx

No problem with Apache on *nix.

Gio



-- 
Fedora Core 1 @ 11:35:24  up 54 days, 20:22,  3 users
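
Added example, not part of the original message: a Python check for the request pattern in the quoted report, a SEARCH request whose URI is long and consists almost entirely of escaped bytes, grouped by source address. The log layout (Apache common log format), the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed layout, Apache common log format:
#   host ident user [time] "request line" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(.*)" (\d{3}) \S+')
# Non-printable request bytes appear as \xhh, as in the quoted report.
ESCAPED = re.compile(r'\\x[0-9a-fA-F]{2}')

def is_webdav_probe(request, min_len=64, min_ratio=0.8):
    """True for a SEARCH request whose URI is long and mostly escaped bytes."""
    method, _, rest = request.partition(" ")
    if method != "SEARCH":
        return False
    # An overlong request line may be logged without a trailing " HTTP/1.x".
    uri = re.sub(r" HTTP/\d\.\d$", "", rest)
    if not uri or len(uri) < min_len:
        return False
    escaped_chars = sum(len(m) for m in ESCAPED.findall(uri))
    return escaped_chars / len(uri) >= min_ratio

def summarize(lines):
    """Map source address -> {'hits': n, 'statuses': set} for matching requests."""
    report = defaultdict(lambda: {"hits": 0, "statuses": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_webdav_probe(m.group(2)):
            host, _, status = m.groups()
            report[host]["hits"] += 1
            report[host]["statuses"].add(int(status))
    return dict(report)

# Constructed sample lines: documentation addresses, shortened payload,
# illustrative status codes and sizes.
PAYLOAD = "/\\x90" + "\\x02\\xb1" * 40
SAMPLE = [
    '192.0.2.10 - - [21/Jul/2004:03:12:44 +0000] "SEARCH %s" 414 339' % PAYLOAD,
    '192.0.2.10 - - [21/Jul/2004:03:12:51 +0000] "SEARCH %s" 414 339' % PAYLOAD,
    '198.51.100.7 - - [21/Jul/2004:04:01:02 +0000] "GET /sumthin HTTP/1.0" 404 279',
    '198.51.100.9 - - [21/Jul/2004:05:00:00 +0000] "SEARCH /docs/ HTTP/1.1" 405 312',
]

if __name__ == "__main__":
    for host, info in summarize(SAMPLE).items():
        print(host, info["hits"], sorted(info["statuses"]))
```

The ordinary `SEARCH /docs/` line is not counted, so a legitimate WebDAV client would not be reported alongside the probe traffic.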




