[Dshield] WebDAV Web Log Signature

Johannes Ullrich jullrich at euclidian.com
Tue Mar 25 20:11:31 GMT 2003

  It looks like all exploits released so far are using the 'SEARCH'
method. In Apache, your log will look like: - - [25/Mar/2003:15:07:28 -0500] "SEARCH /\x90\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 414 271 "-" "-"

I skipped some of the \0x04H and \0x90 bytes.

If you are not using WebDAV, just searching for '"SEARCH' should 
work ok. There may be other ways to exploit this, so keep an
open mind and look in general for overly large lines in your 
web log.

jullrich at euclidian.com             Collaborative Intrusion Detection
                                         join http://www.dshield.org

More information about the list mailing list