Linode Community Forums
 


Bizarre HTTP request

henry



Joined: 07 May 2007
Posts: 2

Posted: Fri Jun 29, 2007 3:38 pm    Post subject: Bizarre HTTP request  

I've just found the following in my Apache logs:
Code:
24.4.226.247 - - [29/Jun/2007:15:30:23 -0400] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 305 "-" "-" "-"
24.4.226.247 - - [29/Jun/2007:15:30:25 -0400] "SEARCH /\x90\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x
04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x0
4H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04
H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H
\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\
x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x
04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x0
4H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04
H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H
\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H[truncated significantly]
Does anybody know what this request is supposed to achieve? It's several screens of these x04h and x90 characters, so DoS seems the most likely, yet it's a one-off thing.
pclissold



Joined: 24 Oct 2003
Posts: 471
Location: Netherlands

Posted: Fri Jun 29, 2007 5:35 pm    Post subject:  

It's an IIS attack - from either Nimda or Code Red - I don't remember which.
Ciaran



Joined: 13 Feb 2004
Posts: 140
Location: England, UK

Posted: Sat Jun 30, 2007 3:52 pm    Post subject:  

It's a scan for unpatched IIS machines. The requests are crafted such that IIS chokes on them and returns stuff it shouldn't, and it possibly executes code in the URL that it shouldn't, too.

Since you're using Apache, you can ignore those.
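
An added example, not part of the original thread: a small Python triage pass over Apache access-log lines that flags the two patterns in the first post (a `/_vti_bin/` probe and a `SEARCH` request whose URI is mostly `\x`-escaped bytes). The sample lines are constructed from the ones quoted above with documentation IP addresses and made-up status codes; the thresholds and the names `classify` and `suspicious_clients` are assumptions.

```python
import re

# Apache access-log prefix: client, ident, user, [time], "request", status.
# Apache writes non-printable request bytes as \xhh and quotes as \".
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "((?:[^"\\]|\\.)*)" (\d{3}) ')
ESCAPED_BYTE = re.compile(r'\\x[0-9a-fA-F]{2}')
COMMON_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"}
MAX_URI_LEN = 2048       # assumed threshold, tune per site
MAX_ESCAPED_BYTES = 8    # assumed threshold, tune per site

def classify(line):
    """Return (client, reasons); reasons is empty for an unremarkable line."""
    m = LOG_RE.match(line)
    if not m:
        return None, ["unparseable"]
    client, _when, request, _status = m.groups()
    method, _, rest = request.partition(" ")
    uri = rest.rsplit(" ", 1)[0]  # drop the trailing protocol token
    reasons = []
    if method not in COMMON_METHODS:
        reasons.append("unusual-method:" + method)
    if len(ESCAPED_BYTE.findall(uri)) > MAX_ESCAPED_BYTES:
        reasons.append("binary-uri")
    if len(uri) > MAX_URI_LEN:
        reasons.append("long-uri")
    if "/_vti_bin/" in uri.lower():
        reasons.append("frontpage-probe")
    return client, reasons

def suspicious_clients(lines):
    """Group the reasons by client address so one scanner shows up once."""
    hits = {}
    for line in lines:
        client, reasons = classify(line)
        if reasons:
            hits.setdefault(client, set()).update(reasons)
    return hits

# Constructed sample input (addresses and status codes are placeholders).
SAMPLE = [
    '192.0.2.10 - - [29/Jun/2007:15:30:23 -0400] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 305 "-" "-" "-"',
    '192.0.2.10 - - [29/Jun/2007:15:30:25 -0400] "SEARCH /\\x90' + '\\x04H' * 600 + ' HTTP/1.1" 414 300 "-" "-" "-"',
    '198.51.100.7 - - [29/Jun/2007:15:31:02 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0" "-"',
]

if __name__ == "__main__":
    for client, reasons in suspicious_clients(SAMPLE).items():
        print(client, sorted(reasons))
```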