Josh Trutwin wrote:
>>RedirectMatch permanent ^/\x90 http://www.microsoft.com/
> Does this one actually work?  I just got another one of these buggers in my logs.  
It seemed to work for me... (did not confirm with an actual probe, however).

> CustomLog /var/log/apache/access_log combined env=!exploit
> CustomLog /var/log/apache/ms_attack_log combined env=exploit 
I like this trick... I'm now doing this to declutter my logs (and I only
log the IP address and result code, not the whole URI in the exploit log).

Chewie wrote:
> As much as Microsoft may be the Big Bad Ugly(TM), simply dropping these
> requests might be a more appropriate action.

I'm sure we are all frustrated with these various attacks, but Chewie
is right.  This is some sort of virus probe and certainly is not going
to "honor" redirect requests.  Even though it's fun to make mod_rewrite
do its thing, it really only contributes to the background noise on the net.

I've taken out the redirects, but kept the URI exploit filter/logging.

Regards,

--Tom
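
The setup described in the message above (no redirect, probes filtered into their own short log), written out as an added example that is not part of the original post. The post does not show how the `exploit` variable was set, so the `SetEnvIf` line and the `exploit_min` format nickname are assumptions; the pattern and log paths are copied from the quoted lines.

```apache
# Added example, not the poster's actual configuration.
# Assumption: "exploit" is set with SetEnvIf on the request URI, using the
# pattern from the quoted RedirectMatch line (and assuming the server's
# regex engine accepts the \x90 escape, as the poster reports).
SetEnvIf Request_URI "^/\x90" exploit

# Reduced format for the probe log: client IP and final status code only,
# so the long exploit URI is not written out for every hit.
# "exploit_min" is a hypothetical nickname chosen for this example.
LogFormat "%h %>s" exploit_min

# Normal traffic keeps the full combined format.
CustomLog /var/log/apache/access_log combined env=!exploit

# Tagged requests go to their own file in the reduced format.
CustomLog /var/log/apache/ms_attack_log exploit_min env=exploit
```

With no `RedirectMatch` present, a tagged request gets the server's ordinary error response and is only recorded in the second log.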

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota