Results 1 to 4 of 4
  1. #1

    Can't block this worm from being logged

    I know it's something trying to get in through webdav, but since I don't have that right now all it does is clogging my access log.

    I've searched the net for a solution how to block this in httpd.conf like I did to block code red and some other worms, but it just wont work. It's still getting logged and I'm starting to lean towards a bug in apache.

    The logged line is: - [06/Apr/2004:11:33:30 +0200] "SEARCH /\x90\x02\xb1\ ...

    (and so on. 32797 bytes total being logged per request)

    Since I'm already blocking Nimda and Code Red I tried to modify that to be able to block this new one.

    I've tried this in httpd.conf:

    SetEnvIfNoCase Request_URI "^search" DontLog
    SetEnvIfNoCase Request_URI search DontLog
    SetEnvIfNoCase Request_URI SEARCH DontLog
    and every possible variant. More advanced regexp variants too, but nothing seems to help.

    In the error log I see "request failed: URI too long". Is it so that since I get that error it never get cought by SetEnvIf Request_URI? How then can i catch it?

    I have:
    Apache/1.3.27 (Win32)

    Anyone got this working? And how?
      0 Not allowed!

  2. #2
    Like us on Facebook to qualify for discounts!
    Offering: | Internap FCP Bandwidth! | Rebootless Kernel Updates! | Magento Optimized Hosting | Wordpress Hosting |
    Services: | Managed Multiple Cores 64bit Servers | Server Management |
      0 Not allowed!

  3. #3
    Because I've been sitting with this for a week now and I can't find a single solution when searching the web (though I find many with the same problem) and so far none in the forums I've tried either. A bit frustrating
      0 Not allowed!

  4. #4
    Join Date
    Jul 2001
    Then you shouldn't repost as no point to have two same topic/thread thus closing it.
      0 Not allowed!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts