Linode Forum :: Bizarre HTTP request

Linode Forum
Linode Community Forums

FAQ

Search

Members

Register

Login [ Anonymous ]

Bizarre HTTP request

Post new topic Reply to topic

Board index » Linux Community Forums » Web Servers and Web App Development

Previous topic | Next topic

Author

Message

henry

Post subject: Bizarre HTTP request

PostPosted: Fri Jun 29, 2007 4:38 pm

Offline

Newbie

Joined: Mon May 07, 2007 1:18 pm
Posts: 2

I've just found the following in my Apache logs:

Code:

24.4.226.247 - - [29/Jun/2007:15:30:23 -0400] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 305 "-" "-" "-"
24.4.226.247 - - [29/Jun/2007:15:30:25 -0400] "SEARCH /\x90\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x
04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x0
4H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04
H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H
\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\
x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x
04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x0
4H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04
H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H
\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H[truncated significantly]

Does anybody know what this request is supposed to achieve? It's several screens of these x04h and x90 characters, so DoS seems the most likely, yet it's a one-off thing.

Top

Profile

Reply with quote

pclissold

Post subject:

PostPosted: Fri Jun 29, 2007 6:35 pm

Offline

Senior Member

Joined: Fri Oct 24, 2003 3:51 pm
Posts: 965
Location: Netherlands

It's an IIS attack - from either Nimda or Code Red - I don't remember which.

_________________
/ Peter

Top

Profile

Reply with quote

Ciaran

Post subject:

PostPosted: Sat Jun 30, 2007 4:52 pm

Offline

Senior Member

Joined: Fri Feb 13, 2004 11:30 am
Posts: 140
Location: England, UK

It's a scan for unpatched IIS machines. The requests are crafted such that IIS chokes on them and returns stuff it shouldn't, and it possibly executes code in the URL that it shouldn't, too.

Since you're using Apache, you can ignore those.

Top

Profile

Reply with quote

Post new topic Reply to topic

Board index » Linux Community Forums » Web Servers and Web App Development

Who is online

Users browsing this forum: No registered users and 0 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum

RSS