Results 1 to 7 of 7
  1. #1

    request failed: URI too long

    I can't block this worm from being logged. I know it's something trying to get in through webdav, but since I don't have that right now all it does is clogging my access log.

    I've searched the net for a solution how to block this in httpd.conf like I did to block code red and some other worms, but it just wont work. It's still getting logged and I'm starting to lean towards a bug in apache.

    The logged line is:

    xxx.xxx.xxx.xxx- - [06/Apr/2004:11:33:30 +0200] "SEARCH /\x90\x02\xb1\ ...

    (and so on. 32797 bytes total being logged per request)

    Since I'm already blocking Nimda and Code Red I tried to modify that to be able to block this new one.

    I've tried this in httpd.conf:

    SetEnvIfNoCase Request_URI "^search" DontLog
    and
    SetEnvIfNoCase Request_URI search DontLog
    and
    SetEnvIfNoCase Request_URI SEARCH DontLog
    and every possible variant. More advanced regexp variants too, but nothing seems to help.

    In the error log I see "request failed: URI too long". Is it so that since I get that error it never get cought by SetEnvIf Request_URI? How then can i catch it?

    I have:
    Apache/1.3.27 (Win32)
    mod_setenvif.c

    Anyone got this working? And how?

  2. #2
    Join Date
    Nov 2003
    Location
    Marylebone, London, UK
    Posts
    526
    In the above code, all you are doing is setting an env variable
    'DontLog' for each of these. Everything is still being logged.
    You can try adding to your custom log entry in httpd.conf
    if you have one, like:

    CustomLog logs/access_log combined env=!DontLog

    which should then stop these requests being logged

  3. #3
    That's what I got too. Forgot to add that line. It looks exactly like that, but it still fails.

    I've started to think that since the error log says "request fails: URI too long" it actually never becomes an actual Request_URI and that's why nothing happens.

    But if that's the case then how do I stop it? If I could filter out the error code it might work, but how do I do that? The error code seems to be 414.

  4. #4
    Join Date
    Nov 2003
    Location
    Marylebone, London, UK
    Posts
    526
    it is 414, maybe redirect them to yahoo ?

    ErrorDocument 414 http://www.yahoo.com

    not sure if it'll stop logging though

  5. #5
    Join Date
    Nov 2003
    Location
    Marylebone, London, UK
    Posts
    526
    only other option I can see is forcibly logging to /dev/null:

    SetEnvIfNoCase Request_URI search DontLog
    CustomLog "/dev/null" env=DontLog

    in this order, also ensures you set the environment
    before trying to log depending on its value

  6. #6
    But I'm not sure that Request_URI contains anything when you get to that SetEnvIfNoCase since the "request failed". There should be a "Request_other" or something to catch those.

  7. #7
    Originally posted by squirrelhost
    it is 414, maybe redirect them to yahoo ?

    ErrorDocument 414 http://www.yahoo.com

    not sure if it'll stop logging though
    Or even better 127.0.0.1 if it's possible

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •