From: Duo <duo@digitalarcadia.net>
To: "Colin J. Raven"
cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Date: Fri, 14 Jan 2005 10:22:06 -0600 (CST)
Subject: Re: Odd (alarming) http log excerpt
In-Reply-To: <20050114140441.G802@kenmore.kozy-kabin.nl>

On Fri, 14 Jan 2005, Colin J. Raven wrote:

> I noticed something extremely odd this morning in my http access log.
> There's the usual activity, then suddenly this (about a hundred lines
> are snipped)

Yeah, someone is trying a M$ DAV exploit. I get these a lot, along with Nimda attempts.

> Is there anything within...say httpd.conf..that I could do to prevent
> this..or curtail it before it grows to such an enormous size.

Why, yes there is! For the low low price of FREE, here is something you can do for fun and giggles.
# httpd.conf: bounce the usual IIS worm/exploit probe paths elsewhere.
# RedirectMatch takes a regex that is searched against the request path,
# so the leading (.*) and trailing (.*)$ are not needed, and slashes need
# no escaping. Dots are escaped so "cmd.exe" matches literally.
RedirectMatch permanent cmd\.exe        http://www.microsoft.com
RedirectMatch permanent root\.exe       http://www.microsoft.com
RedirectMatch permanent /_vti_bin/      http://www.microsoft.com
RedirectMatch permanent /scripts/\.\.   http://www.microsoft.com
RedirectMatch permanent /_mem_bin/      http://www.microsoft.com
RedirectMatch permanent /msadc/         http://www.microsoft.com
RedirectMatch permanent /MSADC/         http://www.microsoft.com
# one rule covers both /c/winnt/ and /d/winnt/
RedirectMatch permanent /[cd]/winnt/    http://www.microsoft.com
RedirectMatch permanent /x90/           http://www.microsoft.com

This will redirect these lovely attacks back to Microsoft, the bearers of these fine gifts in the first place. It's my fun way of giving back to them, for all they have given to me... wasted disk space from engorged log files, filled with this crap. =)

-- 
Duo
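As an added example (not code from Duo's post or from the thread), here is a small Python scanner that applies the same probe signatures the RedirectMatch rules use to Apache access-log lines and tallies hits by source address, by signature and by the HTTP status the server returned. Keep in mind that a redirected probe is still written to the access log, now with a 301 instead of a 404, so rules like the above change what the scanner gets back, not how many lines are logged; tallying by status makes that visible. The example goes one step beyond the path-based rules by also flagging WebDAV request methods (SEARCH, PROPFIND and friends), which a RedirectMatch on the path never sees; it assumes the server does not serve WebDAV at all, so any such method is treated as a probe. The log lines, addresses and timestamps are constructed sample data.

```python
"""Tally IIS/worm probe signatures in Apache access-log lines.

Added example, not from the original post. Signatures mirror the
RedirectMatch rules above; the log lines below are constructed.
"""
import re
from collections import Counter

# Constructed sample lines in Common Log Format (RFC 5737 test addresses).
SAMPLE_LOG = """\
192.0.2.10 - - [14/Jan/2005:09:41:02 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
192.0.2.10 - - [14/Jan/2005:09:41:03 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 291
192.0.2.10 - - [14/Jan/2005:09:41:03 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
198.51.100.7 - - [14/Jan/2005:09:42:17 -0600] "GET /_vti_bin/owssvr.dll HTTP/1.1" 301 233
198.51.100.7 - - [14/Jan/2005:09:42:18 -0600] "SEARCH / HTTP/1.1" 411 0
203.0.113.5 - - [14/Jan/2005:09:43:00 -0600] "GET /index.html HTTP/1.1" 200 1043
"""

# Path signatures, one per RedirectMatch rule (msadc/MSADC folded into a
# case-insensitive match, /c/winnt/ and /d/winnt/ into one character class).
PATH_SIGNATURES = {
    "cmd.exe":    re.compile(r"cmd\.exe", re.I),
    "root.exe":   re.compile(r"root\.exe", re.I),
    "_vti_bin":   re.compile(r"/_vti_bin/", re.I),
    "scripts/..": re.compile(r"/scripts/\.\."),
    "_mem_bin":   re.compile(r"/_mem_bin/", re.I),
    "msadc":      re.compile(r"/msadc/", re.I),
    "winnt":      re.compile(r"/[cd]/winnt/", re.I),
    "x90":        re.compile(r"/x90/", re.I),
}

# WebDAV methods. Assumption for this example: the server serves no WebDAV,
# so any of these is a probe. Path-only RedirectMatch rules never see them.
DAV_METHODS = {"SEARCH", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# Common Log Format: host ident user [time] "method path proto" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>\S+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not fit the format."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(method, path):
    """Return the names of every signature a request trips (empty list means clean)."""
    hits = [name for name, rx in PATH_SIGNATURES.items() if rx.search(path)]
    if method.upper() in DAV_METHODS:
        hits.append("dav-method")
    return hits


def scan(log_text):
    """Tally probe lines by source IP, by signature, and by HTTP status returned."""
    by_ip, by_sig, by_status = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue            # malformed or non-CLF line, skip it
        hits = classify(rec["method"], rec["path"])
        if not hits:
            continue            # ordinary traffic
        by_ip[rec["ip"]] += 1
        by_sig.update(hits)     # one request can trip several signatures
        by_status[rec["status"]] += 1
    return by_ip, by_sig, by_status


if __name__ == "__main__":
    ips, sigs, statuses = scan(SAMPLE_LOG)
    print("probe hits by source:", dict(ips))
    print("hits by signature:  ", dict(sigs))
    print("status codes served:", dict(statuses))
```

Run it against a real log with `scan(open("/var/log/httpd-access.log").read())`; a source that trips several signatures in a few seconds is the worm pattern Colin saw, and the status tally shows whether the redirect rules are taking effect (301) or the probes are still falling through to 404.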