
Am I being hacked by a script kiddie?

Started by May 13, 2004 02:56 PM
3 comments, last by Lambo429 20 years, 4 months ago
I'm running Apache (latest version) on Red Hat 9. I recently found the following in my access log and error log: {his ip} {date} error url too long {same ip} {date} SEARCH /x90/x80/x56/x46/x85... continues for a while. Should there be any of this in my logs? He shouldn't be putting this in for a URL against my server. What can I do to stop this if it's bad? I'm not gonna look up his IP if it's bad 'cause I can guarantee I won't hurt him.
Lambo
We all think that we are the best with computers but we all keep referring to the same all-mighty all-knowing Guru, Google.
It's more likely a worm that someone is already infected with and it's just trying to spread blindly. You'll find lots of such events over time. If your Apache installation is up-to-date, there's likely nothing to worry about. If you're using server-side dynamic content programs (CGI, PHP, Perl, et cetera) or something utilizing such a system, make sure they're safe too. Those are both things that should be done routinely anyway. Search Google with some of the exact path they tried to access for more information.

For the paranoid, things like mod_security can limit the URLs that Apache doesn't outright ignore, if you're interested.

There are a zillion copies of (mostly Windows) worms out there which attack HTTP servers at random.

If you run an HTTP server on port 80, it doesn't matter what OS or server you run, you will see intrusion attempts from all these worms.

In every case, it's totally pointless attempting to trace them; the owners of the machines are not attacking you deliberately. You should just reconfigure your IDS so it no longer takes notice of these attacks.

Mark
Thanks for the replies. If I run a web server on port 81 and change my DNS to connect port 80 to 81, will this cut down on these attempts? I'm not running anything like CGI or Perl so I should be safe from that.
Lambo
We all think that we are the best with computers but we all keep referring to the same all-mighty all-knowing Guru, Google.
It's a WebDAV exploit. It attacks the IIS server on Windows systems from NT up to XP (but not Windows Server 2003).

Apache is immune, so you don't need to worry. However, you should probably filter the messages out, partly because they'll drown out useful messages, and partly because they can confuse programs that examine your server's statistics.

quote:
If I run a web server on port 81 and change my DNS to connect port 80 to 81, will this cut down on these attempts? I'm not running anything like CGI or Perl so I should be safe from that.

I don't know what you mean here. DNS doesn't map ports, and even if it did, then all hosts attempting to connect to port 80 would just connect to port 81 and nothing would be different.

No kind of CGI or server-side scripting should care what port your server is running on, anyway.
CoV
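
One way to do the filtering suggested in the reply above, as an added example that is not part of the original thread: a small Python pass over an Apache access log that sets aside requests with unexpected methods (such as the SEARCH probes) or over-long URLs and counts them per source host. The method allow-list, the length cut-off and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>.*)" (?P<status>\d{3}) \S+')

EXPECTED_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}  # assumed: what this site serves
MAX_URL_LEN = 2048  # assumed cut-off for over-long request URLs


def classify(line):
    """Return 'keep', 'noise' or 'unparsed' for one access-log line."""
    m = CLF.match(line)
    if not m:
        return "unparsed"
    parts = m.group("request").split(" ")
    url = parts[1] if len(parts) > 1 else ""
    if parts[0] not in EXPECTED_METHODS:
        return "noise"  # e.g. WebDAV SEARCH sprayed at any host on port 80
    if len(url) > MAX_URL_LEN:
        return "noise"
    return "keep"


def split_log(lines):
    """Return (lines worth reading, Counter of noise requests per source host)."""
    kept, noise = [], Counter()
    for line in lines:
        if classify(line) == "noise":
            noise[CLF.match(line).group("host")] += 1
        else:
            kept.append(line)  # unparsed lines stay visible for manual review
    return kept, noise


# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [13/May/2004:14:01:07 -0400] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.7 - - [13/May/2004:14:02:11 -0400] "SEARCH /' + "\\x90" * 600 + '" 414 340',
    '198.51.100.7 - - [13/May/2004:14:02:12 -0400] "SEARCH /\\x90\\x90\\x90" 414 340',
    '192.0.2.10 - - [13/May/2004:14:03:30 -0400] "HEAD /logo.png HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    kept, noise = split_log(SAMPLE)
    print("\n".join(kept))
    print("filtered:", dict(noise))
```

Keeping the per-host count instead of discarding the noise outright means a sudden change in probe volume is still visible without the individual lines crowding the log.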
