
Logs showing request for /\x90\x02\xb1\x02\xb1...

Need help to understand what it is?


RoseMarie

2:03 pm on Mar 28, 2004 (gmt 0)


Over the past few days, I have been receiving hits for the following:

66.125.23*.** - - [09/Mar/2004:03:19:55 -0600] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1...(it goes on for miles...)

HTTP Code: 353

The IP ranges vary, some are in the same block group and some are not.

Any ideas what this is looking or trying to do?
Thanks,
RoseMarie

taivu

12:41 am on Mar 29, 2004 (gmt 0)


It's the IIS WebDAV exploit:

[edgeos.com...]
[microsoft.com...]

If you're running Apache on *nix, those lines are just annoying (but can cause problems with Webalizer). If you have IIS, better start patching ASAP!

RoseMarie

1:18 pm on Mar 29, 2004 (gmt 0)


Thanks!

I am safe with *nix.

RoseMarie

michel hyuston

10:25 am on Apr 8, 2004 (gmt 0)


What about Apache on WinXP without IIS?
What should I do?
It's annoying because it takes ages for my access.log to open... any help? Thanks in advance.

michel hyuston

10:27 am on Apr 8, 2004 (gmt 0)


Sorry, it was a stupid question. Just downloaded the patch.

cyberkat

2:55 pm on Apr 10, 2004 (gmt 0)


Apache server here also. I have been keeping an eye on this interesting WebDAV exploit. It seems that the exploits hitting our servers are showing an interesting pattern that has stirred our interest. I am only posting the first portion of the log, due to the extensive length of the repeated request. Found a good pdf doc on this at [home.comcast.net...]
65.60.XXX.78 - - [08/Apr/2004:23:46:07 -0400] "SEARCH /\x90

[edited by: webdiversity at 5:25 pm (utc) on May 28, 2004]
[edit reason] URL's snipped [/edit]

aeve

5:24 pm on Apr 11, 2004 (gmt 0)


I have a new website (Apache) that's also being hit by the long search request. I'm also seeing a bizarre repetition of this user agent: "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)" requesting just the index page and no images or CSS every few minutes. Is it related? The IPs are from all over the world and it never sends a referrer. I'm not too worried about the search requests, but this 5.5 spoofer is sucking down some bandwidth. Does anyone know what it is or how to stop it -- I'm scared of banning the user agent.

Log excerpt:
211.162.XXX.189 - - [11/Apr/2004:07:58:33 -0600] "GET / HTTP/1.1" 200 1469 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"

Thanks,
Adam

[edited by: webdiversity at 5:26 pm (utc) on May 28, 2004]
[edit reason] URL's snipped [/edit]

mpalme

12:21 pm on May 19, 2004 (gmt 0)


I have two very similar websites, on the same server with different IPs, located in London. One website has been up for almost a year and never had any attack. A few weeks ago I registered a German domain, and I had these attacks before I even loaded my page.

In addition to your logs, I also have:
"GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -
"HEAD / HTTP/1.0" 200 0
"CONNECT 1.3.3.7:1337 HTTP/1.0" 200 10783
"get /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir" 501 -
"GET [hpcgi1.nifty.com...] HTTP/1.1" 404 300

Does anybody know if these attacks are related?

Thanks, Marek

[edited by: webdiversity at 12:36 pm (utc) on May 19, 2004]
[edit reason] Specific URL's removed [/edit]

Macguru

12:31 pm on May 19, 2004 (gmt 0)


Hi mpalme,

No, they are not related. The scan you had was to check if your server was vulnerable to the Unicode exploit. Someone was trying to deface your site.
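A small log-triage script, added here as an example (it is not from any poster in this thread), that labels the request families quoted above: the \x90-padded WebDAV SEARCH probe, the double-encoded and overlong-UTF-8 cmd.exe traversal probes mpalme posted, and the CONNECT proxy probe. The sample log lines are constructed from those patterns with made-up addresses; the label names are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache access-log lines modelled on the requests quoted in
# this thread; addresses, sizes and timestamps are made up for the example.
SAMPLE_LOG = r'''
198.51.100.10 - - [09/Mar/2004:03:19:55 -0600] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1 HTTP/1.1" 400 0 "-" "-"
198.51.100.11 - - [19/May/2004:10:00:01 +0100] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
198.51.100.12 - - [19/May/2004:10:00:02 +0100] "get /scripts/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c%20dir HTTP/1.0" 501 - "-" "-"
198.51.100.13 - - [19/May/2004:10:00:03 +0100] "CONNECT 1.3.3.7:1337 HTTP/1.0" 200 10783 "-" "-"
198.51.100.14 - - [11/Apr/2004:07:58:33 -0600] "GET / HTTP/1.1" 200 1469 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
'''

# Common Log Format prefix; the trailing referrer/user-agent fields are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) (?P<size>\S+)'
)

def decode_path(path):
    """Bounded repeated URL-decode (%255c -> %5c -> backslash), folding the
    overlong UTF-8 slash %c0%af, which unquote() cannot map, to a plain '/'."""
    current = path
    for _ in range(3):
        step = unquote(re.sub(r'%c0%af', '/', current, flags=re.I))
        if step == current:
            break
        current = step
    return current

def classify(method, path):
    """Label one request with the scan family it matches, else 'benign'."""
    verb = method.upper()                      # scanners send 'get' as well as 'GET'
    # Apache writes non-printable bytes as \xHH, so the \x90 (x86 NOP) padding
    # of the IIS WebDAV SEARCH overflow probe appears literally in the log.
    if verb == 'SEARCH' and '\\x90' in path:
        return 'webdav-search-overflow'
    if verb == 'CONNECT':                      # open-proxy test, not aimed at IIS
        return 'open-proxy-probe'
    normalized = decode_path(path).lower().replace('\\', '/')
    if '../' in normalized and 'cmd.exe' in normalized:
        return 'iis-unicode-traversal'
    return 'benign'

def scan_log(text):
    """Return (ip, status, label) for every parsable line of an access log."""
    findings = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if m:
            findings.append((m['ip'], m['status'], classify(m['method'], m['path'])))
    return findings
```

On an Apache box these are noise to count and rate-limit, not incidents; the same labels on an unpatched IIS host are the reason to patch first and read logs second.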

mpalme

12:58 pm on May 19, 2004 (gmt 0)


Thanks Macguru,

Can I see in the logs if the attack was successful? (I am running Apache on SuSe.)

Macguru

1:10 pm on May 19, 2004 (gmt 0)


>>I am running Apache on SuSe

Don't worry then; they're IIS vulnerabilities. Most of them are.

During the last 4 years, only one client of mine had his site defaced on *NIX server.
His host was running an older kernel.

virtualgodess

4:42 am on May 28, 2004 (gmt 0)

so i was checking my log files this evening and found this absolutely crazy long line, it started like this: "216.63.XXX.242 - - [27/May/2004:11:55:01 -0600] "SEARCH/\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\....."

i had no idea what it was so i popped it into my browser hoping it'd take me somewhere, and it took me to this forum. i didn't do a search or anything, just put it in the location bar and here i found myself. i had to register for the site to see the post that it was in, and here i am.

i read what the rest of you had to say about it, and after trying webalizer (and having it get a weirdo error) i think i've been hit by whatever hit you guys.

my problem is that i don't really understand what's going on so i don't know if it's a problem or not.

is this just another spider?

i've got nothing on my site that anyone would wanna hack into or play around with.

any ideas or comments would be appreciated.
=)

[edited by: webdiversity at 5:23 pm (utc) on May 28, 2004]
[edit reason] Specific URL snipped [/edit]