Thread: request failed: URI too long
-
04-07-2004, 01:36 PM #1 Newbie
I can't block this worm from being logged. I know it's something trying to get in through WebDAV, but since I don't have that right now all it does is clog my access log.
I've searched the net for a way to block this in httpd.conf, like I did to block Code Red and some other worms, but it just won't work. It's still getting logged and I'm starting to lean towards a bug in Apache.
The logged line is:
xxx.xxx.xxx.xxx- - [06/Apr/2004:11:33:30 +0200] "SEARCH /\x90\x02\xb1\ ...
(and so on. 32797 bytes total being logged per request)
Since I'm already blocking Nimda and Code Red I tried to modify that to be able to block this new one.
I've tried this in httpd.conf:
SetEnvIfNoCase Request_URI "^search" DontLog
and
SetEnvIfNoCase Request_URI search DontLog
and
SetEnvIfNoCase Request_URI SEARCH DontLog
and every possible variant. More advanced regexp variants too, but nothing seems to help.
In the error log I see "request failed: URI too long". Is it so that since I get that error it never gets caught by SetEnvIf Request_URI? How then can I catch it?
I have:
Apache/1.3.27 (Win32)
mod_setenvif.c
Anyone got this working? And how?
-
04-08-2004, 06:46 PM #2 Web Hosting Evangelist
In the above code, all you are doing is setting an env variable
'DontLog' for each of these. Everything is still being logged.
You can try adding to your custom log entry in httpd.conf
if you have one, like:
CustomLog logs/access_log combined env=!DontLog
which should then stop these requests being logged
-
04-08-2004, 07:04 PM #3 Newbie
That's what I got too. Forgot to add that line. It looks exactly like that, but it still fails.
I've started to think that since the error log says "request fails: URI too long" it actually never becomes an actual Request_URI and that's why nothing happens.
But if that's the case then how do I stop it? If I could filter out the error code it might work, but how do I do that? The error code seems to be 414.
-
04-08-2004, 08:26 PM #4 Web Hosting Evangelist
It is 414, maybe redirect them to Yahoo?
ErrorDocument 414 http://www.yahoo.com
not sure if it'll stop logging though
-
04-08-2004, 08:31 PM #5 Web Hosting Evangelist
only other option I can see is forcibly logging to /dev/null:
SetEnvIfNoCase Request_URI search DontLog
CustomLog "/dev/null" combined env=DontLog
in this order, also ensures you set the environment
before trying to log depending on its value
-
04-08-2004, 09:02 PM #6 Newbie
But I'm not sure that Request_URI contains anything when you get to that SetEnvIfNoCase since the "request failed". There should be a "Request_other" or something to catch those.
-
04-08-2004, 09:11 PM #7 Newbie
Originally posted by squirrelhost
It is 414, maybe redirect them to Yahoo?
ErrorDocument 414 http://www.yahoo.com
not sure if it'll stop logging though
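
An added example, not code from any poster in this thread: a filter that takes the oversized SEARCH probes out of an access log after the fact, keying on the request method and the 414 status rather than on Request_URI, and keeping a per-client count so the activity stays visible. It assumes the rejected requests are written in the usual common/combined layout with status 414, and that the log is either piped to the script (CustomLog accepts a "|program" target) or fed to it from an existing file; the function names and sample lines are constructed for illustration.

```python
#!/usr/bin/env python3
"""Drop oversized SEARCH probes (status 414) from an access log, counting them per client."""
import re
import sys
from collections import Counter

# Prefix shared by the common and combined formats:
# host ident user [time] "request line" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(.*?)" (\d{3}) \S+')

def probe_source(line):
    """Return the client host if the line is a SEARCH request rejected with 414, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable lines are kept, never silently dropped
    host, request, status = m.groups()
    method = request.split(" ", 1)[0]  # first token of the request line
    if method.upper() == "SEARCH" and status == "414":
        return host
    return None

def filter_log(lines):
    """Split lines into those to keep and a Counter of dropped probes per host."""
    kept, dropped = [], Counter()
    for line in lines:
        host = probe_source(line)
        if host is None:
            kept.append(line)
        else:
            dropped[host] += 1
    return kept, dropped

# Constructed sample lines (documentation addresses, shortened payload).
SAMPLE = [
    r'192.0.2.10 - - [06/Apr/2004:11:33:30 +0200] "SEARCH /\x90\x02\xb1\x02\xb1" 414 339',
    '198.51.100.7 - - [06/Apr/2004:11:34:02 +0200] "GET /index.html HTTP/1.0" 200 1456',
    r'192.0.2.10 - - [06/Apr/2004:11:35:11 +0200] "SEARCH /\x90\x02\xb1\x02\xb1" 414 339',
    '198.51.100.7 - - [06/Apr/2004:11:36:40 +0200] "GET /search?q=apache HTTP/1.0" 200 812',
]

if __name__ == "__main__":
    # Streaming mode: read log lines on stdin, append kept lines to argv[1] (or stdout).
    out = open(sys.argv[1], "a") if len(sys.argv) > 1 else sys.stdout
    for line in sys.stdin:
        if probe_source(line) is None:
            out.write(line)
            out.flush()
```

The last sample line shows why the match is on the method: a legitimate GET whose path contains "search" is kept.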