[Dshield] WebDAV Web Log Signature

John Hardin johnh at aproposretail.com
Tue Mar 25 23:52:08 GMT 2003


On Tue, 2003-03-25 at 12:11, Johannes Ullrich wrote:
> 
>   It looks like all exploits released so far are using the 'SEARCH'
> method. In Apache, your log will look like:
> 
> 10.1.0.132 - - [25/Mar/2003:15:07:28 -0500] "SEARCH /\x90\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\
> ....
> \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 414 271 "-" "-"
> 
> I skipped some of the \0x04H and \0x90 bytes.
> 
> If you are not using WebDAV, just searching for '"SEARCH' should 
> work ok. There may be other ways to exploit this, so keep an
> open mind and look in general for overly large lines in your 
> web log.

...or hex bytes.

/"SEARCH .*(\\x[0-9A-Fa-f][0-9A-Fa-f][Hh]?){50,}/  perhaps?

-- 
John Hardin  KA7OHZ                           <johnh at aproposretail.com>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
-----------------------------------------------------------------------
 "To disable the Internet to save EMI and Disney is the moral
  equivalent of burning down the library of Alexandria to ensure the
  livelihood of monastic scribes."
                                    -- John Ippolito of the Guggenheim
-----------------------------------------------------------------------
 58 days until The Matrix Reloaded
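The checks discussed in this thread, written out as an added Python example (not code from either poster): it applies John's hex-byte regex, adapted to Python's re module, together with Johannes's "overly large lines" heuristic and his "no WebDAV means any SEARCH is suspicious" rule, to a few constructed Apache combined-format entries. The 1024-byte request-line threshold, the sample entries and the function names are assumptions, not anything the list posts specify.

```python
"""Flag WebDAV SEARCH exploit attempts in Apache combined-format access logs.

Added example for the DShield thread, not code from the posters. Relies on
Apache writing non-printable request bytes into the log as \\xNN escapes,
which is what the quoted log line shows.
"""
import re

# John Hardin's pattern, adapted to Python: a SEARCH request whose URI carries
# 50 or more hex-escaped bytes, each optionally followed by 'H' as in \x04H.
SEARCH_HEX_RE = re.compile(r'"SEARCH .*?(?:\\x[0-9A-Fa-f]{2}[Hh]?){50,}')

# A single escaped byte as Apache writes it.
HEX_ESCAPE_RE = re.compile(r'\\x[0-9A-Fa-f]{2}')

# Assumed threshold for the "overly large lines" heuristic (bytes of request line).
OVERSIZED_REQUEST = 1024

# Constructed sample entries: two ordinary requests, one legitimate WebDAV
# SEARCH, and one modelled on the quoted exploit line (280 escaped bytes).
SAMPLE_LOG = [
    '10.1.0.5 - - [25/Mar/2003:15:01:02 -0500] "GET /index.html HTTP/1.1" '
    '200 1043 "-" "Mozilla/4.0"',
    '10.1.0.7 - - [25/Mar/2003:15:03:11 -0500] "PROPFIND /dav/docs/ HTTP/1.1" '
    '207 512 "-" "Microsoft Data Access Internet Publishing Provider"',
    '10.1.0.9 - - [25/Mar/2003:15:05:40 -0500] "SEARCH /dav/ HTTP/1.1" '
    '207 311 "-" "-"',
    '10.1.0.132 - - [25/Mar/2003:15:07:28 -0500] "SEARCH /'
    + r'\x90\x04H' * 40 + r'\x90' * 200 + '" 414 271 "-" "-"',
]


def request_line(entry):
    """Return the quoted request line of a combined-format entry ('' if none)."""
    m = re.search(r'"([^"]*)"', entry)
    return m.group(1) if m else ""


def count_hex_escapes(entry):
    """Number of \\xNN escapes Apache wrote into this entry."""
    return len(HEX_ESCAPE_RE.findall(entry))


def scan(entries, webdav_in_use=True, max_request_len=OVERSIZED_REQUEST):
    """Return [(index, [reasons])] for entries that look like exploit attempts.

    webdav_in_use=False means the server does not serve WebDAV at all, so any
    SEARCH method is reported, as Johannes suggested for that case.
    """
    hits = []
    for i, entry in enumerate(entries):
        reasons = []
        req = request_line(entry)
        method = req.split(" ", 1)[0]
        if method == "SEARCH" and not webdav_in_use:
            reasons.append("SEARCH method on a server that does not serve WebDAV")
        if SEARCH_HEX_RE.search(entry):
            reasons.append("SEARCH request with 50+ hex-escaped bytes")
        if len(req) > max_request_len:
            reasons.append(
                f"request line of {len(req)} bytes exceeds {max_request_len}")
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, why in scan(SAMPLE_LOG):
        print(f"entry {idx}: {count_hex_escapes(SAMPLE_LOG[idx])} escaped bytes")
        for r in why:
            print("  -", r)
```

The regex uses a non-greedy `.*?` so a clean SEARCH line fails fast instead of backtracking through the whole entry; the length check is kept separate because it also catches variants that do not use SEARCH at all, which is the "keep an open mind" part of the quoted advice.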
