From owner-freebsd-questions@FreeBSD.ORG Sat Mar 27 13:51:12 2004 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5310116A4CE for ; Sat, 27 Mar 2004 13:51:12 -0800 (PST) Received: from franklin-belle.com (adsl-65-68-247-73.dsl.crchtx.swbell.net [65.68.247.73]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0858B43D41 for ; Sat, 27 Mar 2004 13:51:12 -0800 (PST) (envelope-from jacks@sage-american.com) Received: from sagea (sagea.sage-american [10.0.0.3]) by franklin-belle.com (8.12.8p2/8.12.8) with SMTP id i2RLoumr093978; Sat, 27 Mar 2004 15:50:56 -0600 (CST) (envelope-from jacks@sage-american.com) Message-Id: <3.0.5.32.20040327155053.01f471b0@10.0.0.15> X-Sender: jacks@10.0.0.15 X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Sat, 27 Mar 2004 15:50:53 -0600 To: cpghost@cordula.ws From: "Jack L. Stone" In-Reply-To: <20040327192810.94D4B40811@fw.farid-hajji.net> References: <3.0.5.32.20040327092812.01f49a10@10.0.0.15> <3.0.5.32.20040327092812.01f49a10@10.0.0.15> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Spam-Status: No, hits=0.6 required=4.5 tests=AWL,MY_OBFUX autolearn=ham version=2.63-sageame.rules_v3.1 X-Spam-Checker-Version: SpamAssassin 2.63-sageame.rules_v3.1 (2004-01-11) on franklin-belle.com cc: freebsd-questions@freebsd.org Subject: Re: Very long URL with malice intended X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 27 Mar 2004 21:51:12 -0000 At 08:28 PM 3.27.2004 +0100, Cordula's Web wrote: >> Within the past couple of weeks, the Apache logs have shown a new type of >> intrusion -- a very, very long URL request -- that finally receives a error >> 414. I don't know the purpose of this one, but doesn't appear >> well-intended. It comes late at night and from different IPs. One request >> even used one of my own IPs. So, the firewall won't help -- nor server deny. >> >> My question is what syntax can I add, if any, to my httpd.conf to redirect >> such requests..?? >> >> Here's a very small (about 1-5%) snippet of the nasty URL: >> >> 65.35.186.74 - - [26/Mar/2004:19:01:04 -0600] "SEARCH >> /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb >> 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0 >> 2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb >> 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0 >> 2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb >> 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0 >> 2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 .... and >> on and on.... > >Are only SEARCH requests affected, or GET as well? > The ones I've seen have all been SEARCH.... Best regards, Jack L. Stone, Administrator Sage American http://www.sage-american.com jacks@sage-american.com