Web Servers on Unix and Linux - SEARCH and OPTIONS entries in httpd log file


Author SEARCH and OPTIONS entries in httpd log file
LC's No-Spam Newsreading account

2004-05-13, 4:36 am

I have found in the access.log file of my httpd server a number of
entries like this:

- - - [12/May/2004:15:54:04 +0200] "SEARCH /BħBħBħBħBħBħBħB ..." 400 192

i.e. SEARCH or OPTIONS requests, followed by a VERY LONG sequence of
binary characters (about 8000 bytes!). They are NOT identified by the
host who generated them.

What are they? Some attempt at intrusion?

(I noticed them because I send the log to myself by e-mail and have a
procmail rule which dispatches it to an HTML formatter, and the log
never reached it because it was trapped beforehand as possible spam as
containing "garbled characters").

Yesterday they seemed to occur in bursts in the afternoon (local time,
i.e. central European time)

--
----------------------------------------------------------------------
nospam@mi.iasf.cnr.it is a newsreading account used by more persons to
avoid unwanted spam. Any mail returning to this address will be rejected.
Users can disclose their e-mail address in the article if they wish so.

Todd Knarr

2004-05-17, 12:44 pm

In comp.security.unix <Pine.OSF.4.30.0405130944480.2477-100000@poseidon.mi.iasf.cnr.it> LC's No-Spam Newsreading account <nospam@mi.iasf.cnr.it> wrote:
> I have found in the access.log file of my httpd server a number of
> entries like this:
>
> - - - [12/May/2004:15:54:04 +0200] "SEARCH /BħBħBħBħBħBħBħB ..." 400 192
>
> i.e. SEARCH or OPTIONS requests, followed by a VERY LONG sequence of
> binary characters (about 8000 bytes!). They are NOT identified by the
> host who generated them.
>
> What are they? Some attempt at intrusion?

My guess would be they're a virus or worm probing your system. OPTIONS
is a legitimate HTTP method, used when a client needs to find out what
request options are available for a particular URL so it can construct
the correct real request (the server should return a response with the
options spelled out but no content provided). SEARCH isn't one of the
HTTP methods I find in RFC2616; I don't think it's a standard method
at all, but it may be something specific to IIS, seeing as that's a
popular target for web-server-infecting worms.

--
All I want out of the Universe is 10 minutes with the source code and
a quick recompile.
-- unknown
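
A way to triage entries like the one discussed in this thread, added here as an example and not code from either poster: it parses Common Log Format lines and flags requests whose method is not in RFC 2616, whose target is oversized, or whose target is mostly binary. The two thresholds, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# Methods defined in RFC 2616, the RFC cited in the reply above.
RFC2616_METHODS = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"}
MAX_TARGET_LEN = 2048    # assumed threshold: longest URL the site legitimately serves
MAX_BINARY_RATIO = 0.30  # assumed threshold: share of non-printable characters

# Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) \S+$')
PROTO_RE = re.compile(r' HTTP/\d\.\d$')
ESCAPE_RE = re.compile(r'\\x[0-9a-fA-F]{2}')  # some servers log raw bytes as \xhh escapes

def binary_ratio(target):
    """Fraction of the target made of \\xhh escapes or non-printable/non-ASCII characters."""
    escapes = len(ESCAPE_RE.findall(target))
    rest = ESCAPE_RE.sub("", target)
    raw = sum(1 for c in rest if not 0x20 <= ord(c) <= 0x7e)
    total = escapes + len(rest)
    return (escapes + raw) / total if total else 0.0

def classify(line):
    """Return the list of reasons a log line looks like a probe, or None if unparsable."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    method, _, rest = m.group(3).partition(" ")
    target = PROTO_RE.sub("", rest)
    reasons = []
    if method not in RFC2616_METHODS:
        reasons.append("non-rfc2616-method")
    if len(target) > MAX_TARGET_LEN:
        reasons.append("oversized-target")
    if binary_ratio(target) > MAX_BINARY_RATIO:
        reasons.append("binary-target")
    return reasons

def scan(lines):
    """Return (timestamp, reasons) for every parsable line with at least one reason."""
    hits = [(line.rstrip("\n"), classify(line)) for line in lines]
    return [(LOG_RE.match(l).group(2), r) for l, r in hits if r]

# Constructed sample lines modelled on the entry quoted in the thread.
SAMPLE = [
    '192.0.2.10 - - [12/May/2004:15:50:01 +0200] "GET /index.html HTTP/1.0" 200 1043',
    '- - - [12/May/2004:15:54:04 +0200] "SEARCH /' + "B\u0127" * 4000 + '" 400 192',
    '- - - [12/May/2004:15:54:09 +0200] "OPTIONS /' + "\\xb1" * 3000 + '" 400 192',
    '192.0.2.20 - - [12/May/2004:16:01:30 +0200] "OPTIONS * HTTP/1.0" 200 -',
]
```

An ordinary `OPTIONS *` request passes untouched, so only the oversized, binary-laden requests are reported; the timestamps returned by `scan` make bursts like the one described in the first post easy to spot.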