[Sheflug] w0rm/Hax0r Attack
Hi all,
I keep on seeing these things come up in my webserver's logs:
illegally-used-at.fsu - - [02/Apr/2004:11:04:15 +0100] "SEARCH /\x90
\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1
\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02[loads more hex codes snipped]
The IP address changes, but it looks quite dodgy, and the whole
thing looks like a buffer overflow exploit. I run a recent version of
Apache, suitably patched, a recent kernel, and I think I am safe (R)
(TM) :-).
A search on Bugtraq et al. lists this as an IIS WebDAV bug (would
you believe it? :D). However, it is having an impact on my server, as
the requests (and I get loads of them) are filling the HD with useless
logs! Any clues of how I can block this rubbish? I still want to log
other accesses.
Cheers,
José
--
José L Gómez Dans
Tel: +44 114 222 5582 Radar & Communications Group
FAX: +44 870 132 2990 Department of Electronic Engineering
University of Sheffield UK
___________________________________________________________________
Sheffield Linux User's Group -
http://www.sheflug.co.uk/mailfaq.html
GNU the choice of a complete generation.
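
An added example, not part of the original post: a log filter that separates the SEARCH requests with long \xNN-escaped URIs described above from ordinary traffic and counts them per source host. The function names, the thresholds, and the sample lines (documentation IP addresses, status codes and sizes) are constructed for illustration.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
                 r'"(?P<request>.*)" (?P<status>\d{3}) \S+')
HEX_ESCAPE = re.compile(r'\\x[0-9a-fA-F]{2}')  # Apache's escape for raw bytes

def is_webdav_probe(request, min_escapes=16, min_ratio=0.8):
    """True for a SEARCH request whose URI is mostly \\xNN-escaped bytes."""
    method, _, rest = request.partition(" ")
    if method != "SEARCH":
        return False
    uri = rest.split(" ")[0]
    escapes = HEX_ESCAPE.findall(uri)
    # Each escape occupies four characters of the logged URI.
    return len(escapes) >= min_escapes and 4 * len(escapes) >= min_ratio * len(uri)

def split_log(lines):
    """Return (lines worth keeping, Counter of probe hits per source host)."""
    kept, sources = [], Counter()
    for line in lines:
        m = CLF.match(line)
        if m and is_webdav_probe(m.group("request")):
            sources[m.group("host")] += 1
        else:
            kept.append(line)  # unparsable lines are kept, never dropped
    return kept, sources

# Constructed sample input modelled on the log line quoted in the post.
PROBE_URI = "/\\x90" + "\\x02\\xb1" * 40
SAMPLE = [
    '192.0.2.10 - - [02/Apr/2004:11:04:15 +0100] "SEARCH ' + PROBE_URI + '" 414 340',
    '192.0.2.10 - - [02/Apr/2004:11:09:41 +0100] "SEARCH ' + PROBE_URI + '" 414 340',
    '198.51.100.7 - - [02/Apr/2004:11:05:02 +0100] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.5 - - [02/Apr/2004:11:06:30 +0100] "SEARCH /docs HTTP/1.1" 405 312',
    '203.0.113.9 - - [02/Apr/2004:11:07:12 +0100] "GET /caf\\xc3\\xa9.html HTTP/1.1" 404 290',
]

if __name__ == "__main__":
    kept, sources = split_log(SAMPLE)
    print("\n".join(kept))
    print("probe sources:", dict(sources))
```

To keep such entries out of the access log in the first place, Apache's conditional logging (a `SetEnvIf Request_Method` match combined with the `env=!variable` clause of `CustomLog`) can key on the SEARCH method.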