On Thu, 12 Aug 2004 05:11:05 -0500
Tom Marble <tmarble at info9.net> wrote:

> Josh Trutwin wrote:
> >>RedirectMatch permanent ^/\x90 http://www.microsoft.com/
> > Does this one actually work? I just got another one of these
> > buggers in my logs.
> It seemed to work for me... (did not confirm with an actual probe,
> however).

Perhaps it's actually an Apache problem. Read the bottom of this post:
http://www.webservertalk.com/message304809.html
The author says that really long query strings get redirected to the
bit bucket but always logged.

I was playing around with iptables -m string to just drop this $hit at
my network's entry point instead of even wasting Apache's time, but I'd
need to rebuild my kernel, so that's tabled:
http://www.securityfocus.com/infocus/1531

> > CustomLog /var/log/apache/access_log combined env=!exploit
> > CustomLog /var/log/apache/ms_attack_log combined env=exploit
> I like this trick... I'm now doing this to declutter my logs (and I
> only log the ip address and result code, not the whole URI in the
> exploit log).

Yeah, it's kinda cool. I was thinking of other nifty things I could do,
like create separate internal logs for 192.168 traffic, etc.

> I'm sure we are all frustrated with these various attacks, but
> Chewie is right. This is some sort of virus probe and certainly is
> not going to "honor" redirect requests. Even though it's fun to
> make mod_rewrite do its thing it really only contributes to the
> background noise on the net.
>
> I've taken out the redirects, but kept the URI exploit
> filter/logging.

I think you can redirect to /dev/null or a non-existent .com too.

Josh

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list
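
An added example, not part of the original thread: the same log split done offline on an access log that has already been written, with probe requests reduced to IP address and result code and 192.168 traffic given its own bucket, as discussed above. The function names and sample lines are constructed, and it assumes the log shows the raw 0x90 byte as the escaped text \x90.

```python
import ipaddress
import re

# Start of a Combined Log Format line: host ident user [time] "request" status
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) ')
# Same pattern as the RedirectMatch line in the thread. Assumption: the log
# contains the four characters \x90 rather than the raw byte.
EXPLOIT_URI = re.compile(r'^/\\x90')
INTERNAL_NET = ipaddress.ip_network('192.168.0.0/16')

def is_internal(host):
    """True when the logged client address is inside 192.168.0.0/16."""
    try:
        return ipaddress.ip_address(host) in INTERNAL_NET
    except ValueError:  # client logged as a hostname, not an address
        return False

def split_log(lines):
    """Return (normal, internal, exploit); exploit entries are 'ip status'."""
    normal, internal, exploit = [], [], []
    for line in lines:
        m = COMBINED.match(line)
        if m is None:
            normal.append(line)  # keep unparsable lines where they get read
            continue
        fields = m.group('request').split(' ')
        uri = fields[1] if len(fields) > 1 else ''
        if EXPLOIT_URI.match(uri):
            exploit.append(m.group('host') + ' ' + m.group('status'))
        elif is_internal(m.group('host')):
            internal.append(line)
        else:
            normal.append(line)
    return normal, internal, exploit

# Constructed sample input (documentation addresses, made-up requests).
SAMPLE = [
    r'203.0.113.5 - - [12/Aug/2004:05:01:44 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    r'198.51.100.7 - - [12/Aug/2004:05:02:10 -0500] "GET /\x90\x90\x02\xb1 HTTP/1.1" 301 340 "-" "-"',
    r'192.168.1.20 - - [12/Aug/2004:05:03:02 -0500] "GET /wiki/ HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    'not an access log line',
]

if __name__ == '__main__':
    normal, internal, exploit = split_log(SAMPLE)
    print(len(normal), 'normal;', len(internal), 'internal; exploit:', exploit)
```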