Date: Fri, 14 Jan 2005 17:32:15 +0100
From: "Colin J. Raven"
To: Duo
cc: FreeBSD Questions
Subject: Re: Odd (alarming) http log exerpt
Message-ID: <20050114172221.S802@kenmore.kozy-kabin.nl>
References: <20050114140441.G802@kenmore.kozy-kabin.nl>

On Jan 14 at 10:22, Duo suggested this hysterically funny remedy:

> On Fri, 14 Jan 2005, Colin J. Raven wrote:
>
>> I noticed something extremely odd this morning in my http access log.
>> There's the usual activity, then suddenly this (about a hundred lines
>> are snipped)
>
> Yeah, someone is trying a M$ DAV exploit. I get these a lot, along with nimda
> attempts.
>
>>
>> Is there anything within...say httpd.conf..that I could do to prevent
>> this..or curtail it before it grows to such an enormous size.
>
> Why, yes there is! For the low low price of FREE, here is something you can
> do for fun and giggles.
>
>
> RedirectMatch permanent (.*)cmd.exe(.*)$ http://www.microsoft.com
> RedirectMatch permanent (.*)root.exe(.*)$ http://www.microsoft.com
> RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://www.microsoft.com
> RedirectMatch permanent (.*)\/scripts\/\.\.(.*)$ http://www.microsoft.com
> RedirectMatch permanent (.*)\/_mem_bin\/(.*)$ http://www.microsoft.com
> RedirectMatch permanent (.*)\/msadc\/(.*)$ http://www.microsoft.com
> RedirectMatch permanent (.*)\/MSADC\/(.*)$ http://www.microsoft.com
> RedirectMatch permanent (.*)\/c\/winnt\/(.*)$ http://www.microsoft.com
> RedirectMatch permanent (.*)\/d\/winnt\/(.*)$ http://www.microsoft.com
> RedirectMatch permanent (.*)\/x90\/(.*)$ http://www.microsoft.com
>
>
> This will redirect these lovely attacks back to Microsoft, the bearers of
> these fine gifts in the first place. It's my fun way of giving back to them,
> for all they have given to me...

Hallelujah! Give that man a cigar! I thought the FBI suggestion was
incredibly neat, but this has a certain zen-like perfection to it.
Woohoo....what an ace idea.

> Wasted diskspace from engorged logfiles, filled with this crap. =)

Errrr, yes indeed. My logfile from yesterday was an unbelievable 2.2 MB.
This is a home web server which (as was pointed out overnight) isn't
exactly overworked. I was ever so slightly taken aback when I saw the
filesize this morning.

May your goats and camels enjoy long lives, and bear many offspring.

Warm Regards & thanks,
-Colin
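
An added example, not part of the original message: a Python audit that runs the ten quoted RedirectMatch patterns over access-log lines and totals how many requests, and how many bytes of log, each pattern accounts for, so the remaining unmatched noise is visible. The function names `first_match` and `audit` and all sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# The ten RedirectMatch patterns quoted in the message, copied verbatim.
PATTERNS = [
    r"(.*)cmd.exe(.*)$", r"(.*)root.exe(.*)$",
    r"(.*)\/_vti_bin\/(.*)$", r"(.*)\/scripts\/\.\.(.*)$",
    r"(.*)\/_mem_bin\/(.*)$", r"(.*)\/msadc\/(.*)$",
    r"(.*)\/MSADC\/(.*)$", r"(.*)\/c\/winnt\/(.*)$",
    r"(.*)\/d\/winnt\/(.*)$", r"(.*)\/x90\/(.*)$",
]
COMPILED = [(p, re.compile(p)) for p in PATTERNS]
# Request field of a Common/Combined Log Format line: "METHOD target PROTOCOL"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*"')

def first_match(path):
    """Return the first listed pattern that matches the URL path, or None."""
    return next((text for text, rx in COMPILED if rx.search(path)), None)

def audit(lines):
    """Tally matched requests and the log bytes they occupy, per pattern."""
    hits, size, unmatched = Counter(), Counter(), []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        # RedirectMatch sees the decoded URL path without the query string.
        path = unquote(m.group("target").split("?", 1)[0])
        pat = first_match(path)
        if pat is None:
            unmatched.append(line)
        else:
            hits[pat] += 1
            size[pat] += len(line) + 1  # +1 for the newline in the log file
    return hits, size, unmatched

# Constructed sample lines (documentation addresses), not taken from the thread.
SAMPLE = [
    '192.0.2.10 - - [14/Jan/2005:03:11:02 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276',
    '192.0.2.10 - - [14/Jan/2005:03:11:03 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274',
    '192.0.2.10 - - [14/Jan/2005:03:11:04 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290',
    '198.51.100.7 - - [14/Jan/2005:04:02:40 +0100] "GET /_vti_bin/shtml.exe HTTP/1.0" 404 279',
    r'203.0.113.5 - - [14/Jan/2005:05:20:11 +0100] "SEARCH /\x90\x02\xb1\x02\xb1 HTTP/1.1" 414 -',
    '203.0.113.9 - - [14/Jan/2005:06:00:00 +0100] "GET /index.html HTTP/1.1" 200 1043',
]

if __name__ == "__main__":
    hits, size, unmatched = audit(SAMPLE)
    for pat, n in hits.most_common():
        print(f"{n:4d} requests {size[pat]:6d} bytes  {pat}")
    print(f"{len(unmatched)} lines matched no pattern")
```

In this sample the escaped-byte SEARCH line matches none of the ten patterns, because `\/x90\/` only matches the literal text `/x90/`; lines like it would keep landing in the log in full.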