Odd (alarming) http log exerpt

Duo duo at digitalarcadia.net
Fri Jan 14 08:19:38 PST 2005


On Fri, 14 Jan 2005, Colin J. Raven wrote:

> I noticed something extremely odd this morning in my http access log.
> There's the usual activity, then suddenly this (about a hundred lines
> are snipped)

Yeah, someone is trying a M$ DAV exploit. I get these alot, along with 
nimda attempts.

>
>  Is there anything within...say httpd.conf..that I could do to prevent
> this..or curtail it before it grows to such an enormous size.

Why, yes there is! For the low low price of FREE, here is something you 
can do for fun and giggles.

<IfModule mod_rewrite.c>
RedirectMatch permanent (.*)cmd.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)root.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/scripts\/\.\.(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_mem_bin\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/msadc\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/MSADC\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/c\/winnt\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/d\/winnt\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/x90\/(.*)$ http://www.microsoft.com
</IfModule>

This will redirect these lovely attacks back to Microsoft, the bearers of 
these fine gifts in the first place. It's my fun way of giving back to 
them, for all they have given to me...

Wasted diskspace from engorged logfiles, filled with this crap. =)

-- 
Duo


More information about the freebsd-questions mailing list