SEARCH and OPTIONS entries in httpd log file
Web Server forum
Back To The Forum Home!Search!Private Messaging System
Visit your User Control Panel!Register your FREE username now!Visit Our Calendar!View the Member List!Faqs!Search our Forums!

Web Server Talk Web Server Talk > Web Servers reviews > Web Servers on Unix and Linux > SEARCH and OPTIONS entries in httpd log file




  Last Thread   Next Thread Next
  Show Printable Version Email this Page Subscribe to this Thread      Post New Thread    Post A Reply      

    SEARCH and OPTIONS entries in httpd log file  
LC's No-Spam Newsreading account


View Ip Address Report This Message To A Moderator Edit/Delete Message


 
05-13-04 09:36 AM

I have found in the access.log file of my httpd server a number of
entries like this :

- - - [12/May/2004:15:54:04 +0200] "SEARCH /BħBħBħBħBħBħBħB ..." 400 192

i.e. SEARCH or OPTIONS requests, followed by a VERY LONG sequence of
binary characters (about 8000 bytes !). They are NOT identified by the
host who generated them.

What are they ? Some attempt of intrusion ?

(I noticed them because I send the log to myself by e-mail and have a
procmail rule which dispatches it to an HTML formatter, and the log did
never reach it because it was trapped before as possible spam as
containing "garbled characters").

Yesterday they seemed to occur in bursts in the afternoon (local time,
i.e. central European time)

--
----------------------------------------------------------------------
nospam@mi.iasf.cnr.it is a newsreading account used by more persons to
avoid unwanted spam. Any mail returning to this address will be rejected.
Users can disclose their e-mail address in the article if they wish so.




[ Post a follow-up to this message ]



    Re: SEARCH and OPTIONS entries in httpd log file  
Todd Knarr


View Ip Address Report This Message To A Moderator Edit/Delete Message


 
05-17-04 05:44 PM

In comp.security.unix <Pine.OSF.4.30.0405130944480.2477-100000@poseidon.mi.iasf.cnr.it> LC's
 No-Spam Newsreading account <nospam@mi.iasf.cnr.it> wrote:
> I have found in the access.log file of my httpd server a number of
> entries like this :

> - - - [12/May/2004:15:54:04 +0200] "SEARCH /BħBħBħBħBħBħBħB ..." 400 192[/vbco
l]
[vbcol=seagreen]
> i.e. SEARCH or OPTIONS requests, followed by a VERY LONG sequence of
> binary characters (about 8000 bytes !). They are NOT identified by the
> host who generated them.

> What are they ? Some attempt of intrusion ?

My guess would be they're a virus or worm probing your system. OPTIONS
is a legitimate HTTP method, used when a client needs to find out what
request options are available for a particular URL so it can construct
the correct real request (the server should return a response with the
options spelled out but no content provided). SEARCH isn't one of the
HTTP methods I find in RFC2616, I don't think it's a standard method
at all but may be something specific to IIS seeing as that's a popular
target for web-server-infecting worms.

--
All I want out of the Universe is 10 minutes with the source code and
a quick recompile.
-- unknown




[ Post a follow-up to this message ]



    Sponsored Links  




 



   All times are GMT. The time now is 04:27 AM.      Post New Thread    Post A Reply      
  Last Thread   Next Thread Next


Most Popular forums 
Apache Server MySQL for Windows Sendmail
Red Hat Networking SuSe Linux Debian Linux
FreeBSD administration Sun Solaris administration Unix Shell programming
WebSphere Portal Server Exchange 2000 administration PostgreSQL administration
Linux Security Computer Security Firewalls

Forum Jump:
Rate This Thread:

Forum Rules:
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts 		HTML code is OFF
vB code is ON
Smilies are ON
[IMG] code is OFF
 
Medical and Health forum | Computer Games Reviews | Graphics design forum

Back To The Top
Home | Usercp | Faq | Register