From: "Toni Heinonen"
Delivered-To: freebsd-questions@freebsd.org
Date: Wed, 31 Mar 2004 18:32:53 +0300
Subject: RE: Very long URL with malice intended

> On Sat, 27 Mar 2004 15:50:53 -0600, Jack L. Stone wrote:
> >At 08:28 PM 3.27.2004 +0100, Cordula's Web wrote:
> >>>Within the past couple of weeks, the Apache logs have shown a new
> >>>type of intrusion -- a very, very long URL request...
> >>>
> >>>My question is what syntax can I add, if any, to my httpd.conf to
> >>>redirect such requests..??
> >>>
> >>>65.35.186.74 - - [26/Mar/2004:19:01:04 -0600] "SEARCH
> >>>/\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\...
> >>
> >>Are only SEARCH requests affected, or GET as well?
>
> Hey all. A question from a heretofore unrevealed skulker :^>. Was this
> question ever answered off-list? My own box is getting hit quite often
> with these & I'm concerned that they might be causing harm. thks

Don't be concerned, those are probably worms looking for IIS holes or
the like. Since you're running Apache you're not vulnerable.
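
To see how the server actually answered requests like the one quoted above, the access log can be triaged by method, URI length and escape density. This is an added example, not part of the original message; the method allowlist, the 2048-character threshold and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Apache common/combined log: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "((?:[^"\\]|\\.)*)" (\d{3}) \S+')
ESCAPE_RE = re.compile(r'\\x[0-9a-fA-F]{2}')   # Apache logs raw bytes as \xhh
EXPECTED_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}   # assumption: site allowlist
MAX_URI = 2048                                          # assumption: triage threshold

def classify(line):
    """Return (client, status, reasons) for a suspicious entry, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, request, status = m.groups()
    method, _, rest = request.partition(" ")
    # Drop the trailing protocol token if the request line was complete.
    uri = rest.rsplit(" ", 1)[0] if re.search(r" HTTP/\d\.\d$", rest) else rest
    reasons = []
    if method not in EXPECTED_METHODS:
        reasons.append("unexpected method")
    if len(uri) > MAX_URI:
        reasons.append("oversized URI")
    # Each \xhh escape is 4 log characters; flag URIs that are mostly escapes.
    if uri and 4 * len(ESCAPE_RE.findall(uri)) > len(uri) // 2:
        reasons.append("mostly escaped bytes")
    return (client, int(status), reasons) if reasons else None

def summarize(lines):
    """Count flagged requests per client, split by whether the server refused them."""
    refused, served = Counter(), Counter()
    for line in lines:
        hit = classify(line)
        if hit:
            client, status, _ = hit
            (refused if status >= 400 else served)[client] += 1
    return refused, served

# Constructed sample lines (documentation addresses, synthetic filler bytes).
SAMPLE = [
    '192.0.2.10 - - [26/Mar/2004:19:01:04 -0600] "SEARCH /' + "\\x02\\xb1" * 1500 + '" 414 350',
    '198.51.100.7 - - [26/Mar/2004:19:02:10 -0600] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.10 - - [26/Mar/2004:19:05:41 -0600] "SEARCH /' + "\\x02\\xb1" * 1500 + '" 414 350',
]

if __name__ == "__main__":
    refused, served = summarize(SAMPLE)
    print("refused:", dict(refused), "served:", dict(served))
```

Flagged entries that land in `served` (status below 400) are the ones worth reading by hand; those in `refused` were turned away with an error status.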