[wplug] odd looking entries in httpd-access.log
Jonathan S. Billings
billings at negate.org
Mon Jun 12 10:06:05 EDT 2006
On Sat, 2006-06-10 at 17:02 -0400, Daniel McQuay wrote:
> 71.116.248.152 - - [04/Jun/2006:14:50:13 -0400] "SEARCH /\x90\xc9\xc9
> \xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9
> \xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9
> \xc9
> \xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9
> \xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9
> \xc9\xc9\xc9\xc9
As long as you aren't running MS IIS, you're safe. That's an exploit
against a WebDAV component of MS IIS
(http://www.sans.org/resources/malwarefaq/webdav-exploit.php).
(By the way, figuring this out was pretty trivial using Google. I typed
in "apache logs SEARCH x90" and immediately found what I was looking
for.)
--
Jonathan S. Billings <billings at negate.org>
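
Added example, not part of the original post: a log check that flags SEARCH requests whose path carries a long run of one repeated \xhh escape, the pattern in the quoted entry. The sample log lines, the 192.0.2.x addresses, the status codes and the min_run threshold are constructed assumptions.

```python
import re

# host ident user [time] "METHOD rest-of-line. The closing quote is not
# required, so truncated or wrapped entries still parse.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (.*)')
# One \xhh escape followed by repeats of the same escape. Apache logs
# non-printable request bytes in this \xhh form.
RUN_RE = re.compile(r'(\\x[0-9a-fA-F]{2})\1*')

def longest_escape_run(text):
    """Return (hex byte, count) for the longest run of one repeated escape."""
    best_byte, best_len = None, 0
    for m in RUN_RE.finditer(text):
        n = len(m.group(0)) // 4  # each escape is 4 characters long
        if n > best_len:
            best_byte, best_len = m.group(1)[2:].lower(), n
    return best_byte, best_len

def classify(line, min_run=16):
    """Return a finding for a SEARCH request padded with a repeated byte."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, when, method, rest = m.groups()
    fill, run = longest_escape_run(rest)
    if method == "SEARCH" and run >= min_run:
        return {"host": host, "time": when, "fill_byte": fill, "run": run}
    return None

def scan(lines, min_run=16):
    return [hit for hit in (classify(l, min_run) for l in lines) if hit]

# Constructed sample lines (not taken from a real log).
SAMPLE = [
    '192.0.2.7 - - [01/Jan/2006:10:00:00 -0400] "GET /index.html HTTP/1.1" 200 512',
    r'192.0.2.8 - - [01/Jan/2006:10:00:05 -0400] "GET /caf\xc3\xa9 HTTP/1.1" 404 -',
    '192.0.2.9 - - [01/Jan/2006:10:00:09 -0400] "SEARCH /dav/ HTTP/1.1" 405 -',
    r'192.0.2.10 - - [01/Jan/2006:10:00:13 -0400] "SEARCH /\x90'
    + r'\xc9' * 64 + '" 414 -',
]

hits = scan(SAMPLE)

if __name__ == "__main__":
    for h in hits:
        print(h)
```
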