I can't block this worm from being logged. I know it's something trying to get in through WebDAV, but since I don't have that right now all it does is clog my access log.
I've searched the net for a solution for how to block this in httpd.conf, like I did to block Code Red and some other worms, but it just won't work. It's still getting logged and I'm starting to lean towards a bug in Apache.
(and so on. 32797 bytes total being logged per request)
Since I'm already blocking Nimda and Code Red I tried to modify that to be able to block this new one.
I've tried this in httpd.conf:
SetEnvIfNoCase Request_URI "^search" DontLog
SetEnvIfNoCase Request_URI search DontLog
SetEnvIfNoCase Request_URI SEARCH DontLog
and every possible variant. More advanced regexp variants too, but nothing seems to help.
In the error log I see "request failed: URI too long". Is it so that since I get that error it never gets caught by SetEnvIf Request_URI? How then can I catch it?
In the above code, all you are doing is setting an env variable 'DontLog' for each of these. Everything is still being logged.
You can try adding to your custom log entry in httpd.conf if you have one, like:
CustomLog logs/access_log combined env=!DontLog
which should then stop these requests being logged.
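
An added example, not code from either poster: a filter for Apache's piped-log feature that keeps over-long requests out of the access log by looking at the finished log line, so it does not depend on whether SetEnvIf ever evaluates the request. It assumes the combined log format; the 8190-byte threshold, the sample lines and the SEARCH method in them are assumptions constructed for illustration.

```python
#!/usr/bin/env python3
"""Piped-log filter (added example): keep oversized/414 requests out of access_log."""
import re
import sys

# Assumption: 8190 bytes is Apache's default LimitRequestLine; adjust to your config.
MAX_REQUEST_LINE = 8190

# Combined format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(rb'^\S+ \S+ \S+ \[[^\]]+\] "(?P<request>.*?)" (?P<status>\d{3}) ')

def should_log(line: bytes) -> bool:
    """Return False for lines produced by over-long request lines."""
    m = LINE_RE.match(line)
    if m is None:
        # Not parseable as combined format: keep it unless the line itself is huge.
        return len(line) <= MAX_REQUEST_LINE
    if m.group("status") == b"414":  # "Request-URI Too Long"
        return False
    return len(m.group("request")) <= MAX_REQUEST_LINE

def filter_log(lines, out) -> int:
    """Copy loggable lines to `out`; return how many were dropped."""
    dropped = 0
    for line in lines:
        if should_log(line):
            out.write(line)
            out.flush()  # piped loggers should not buffer across requests
        else:
            dropped += 1
    return dropped

# Constructed sample lines (not taken from the thread).
SAMPLE_OK = (b'192.0.2.10 - - [10/Mar/2003:12:00:00 +0000] '
             b'"GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"\n')
SAMPLE_414 = (b'192.0.2.66 - - [10/Mar/2003:12:00:01 +0000] "SEARCH /'
              + b'A' * 32000 + b'" 414 271 "-" "-"\n')
SAMPLE_LONG = (b'192.0.2.66 - - [10/Mar/2003:12:00:02 +0000] "GET /'
               + b'A' * 9000 + b' HTTP/1.0" 404 300 "-" "-"\n')

if __name__ == "__main__":
    # Apache feeds log lines on stdin; survivors are appended to the file in argv[1].
    with open(sys.argv[1], "ab") as fh:
        filter_log(sys.stdin.buffer, fh)
```

It would be wired in with a piped `CustomLog` line such as `CustomLog "|/usr/local/bin/logfilter.py /var/log/httpd/access_log" combined`, where both paths are placeholders.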