http SEARCH attack.

ggad · 发表于 2004-11-10 13:35:58

最进在 apache 的 error log 里看到有
[code:1]
[Wed Nov 10 12:27:04 2004] [error] [client 210.219.189.106] request failed: URI too long (longer than 8190)
[/code:1]
这样的日志.

然后再查看 access.log , 结果发现了带有 N 长的 SEARCH 请求.
[code:1]
210.219.189.106 - - [04/Apr/2004:01:25:54 -0500] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\x02\xb1\x\

...此处略去 n 行!

[/code:1]

这样的请求把日志撑得老大.

上 google 搜索了一下原来是针对 IIS WebDAV 的攻击, 详见:

http://edgeos.com/threats/details.php?id=11413
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx

它对 apache 没有影响. 不过这样的日志也非常烦人.

首先把它清理了:

[code:1]
#> grep -v \"SEARCH access_log > access_log.new
#> mv access_log.new access_log
#> chown www-data.www-data access_log
[/code:1]

然后添加一些 rewirte 规则来去掉这些烦人的访问! 我们把它引导到 ms 老家去!

[code:1]
<IfModule mod_rewrite.c>
RedirectMatch permanent (.*)cmd.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)root.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/scripts\/\.\.(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_mem_bin\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/msadc\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/MSADC\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/c\/winnt\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/d\/winnt\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/x90\/(.*)$ http://www.microsoft.com
</IfModule>
[/code:1]
ps: 最后一条是针对这个 attack 的, 其它的大家都司空见惯了.

ok , 一切都好了.

参考贴: http://forums.macosxhints.com/showthread.php?t=22371

lues · 发表于 2004-11-10 13:56:03

ggad · 发表于 2004-11-12 13:36:31

顶上来!

		自动登录	找回密码
密码			注册