Re: SEARCH and OPTIONS entries in httpd log file

From: Todd Knarr (tknarr_at_silverglass.org)
Date: 05/17/04


Date: Mon, 17 May 2004 16:54:09 GMT

In comp.security.unix <Pine.OSF.4.30.0405130944480.2477-100000@poseidon.mi.iasf.cnr.it> LC's No-Spam Newsreading account <nospam@mi.iasf.cnr.it> wrote:
> I have found in the access.log file of my httpd server a number of
> entries like this:

> - - - [12/May/2004:15:54:04 +0200] "SEARCH /BħBħBħBħBħBħBħB ..." 400 192

> i.e. SEARCH or OPTIONS requests, followed by a VERY LONG sequence of
> binary characters (about 8000 bytes!). They are NOT identified by the
> host who generated them.

> What are they? Some attempt at intrusion?

My guess would be they're a virus or worm probing your system. OPTIONS
is a legitimate HTTP method, used when a client needs to find out what
request options are available for a particular URL so it can construct
the correct real request (the server should return a response with the
options spelled out but no content provided). SEARCH isn't one of the
HTTP methods I find in RFC 2616; I don't think it's a standard method
at all, but it may be something specific to IIS, seeing as that's a
popular target for web-server-infecting worms.

-- 
All I want out of the Universe is 10 minutes with the source code and
a quick recompile.
                                -- unknown
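
One way to flag entries like the ones discussed in this thread when reviewing an access log, added here as an example and not part of the original posts. The function names, the 2048-character threshold, the 0.3 ratio and the sample lines are assumptions made for illustration; the method list is the one from RFC 2616 section 5.1.1.

```python
import re

# Methods defined in RFC 2616 section 5.1.1.
RFC2616_METHODS = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"}
MAX_TARGET_LEN = 2048  # assumed threshold; tune to the site's longest legitimate URL

# Common Log Format; the greedy "(.*)" tolerates quotes inside the request field.
CLF = re.compile(r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "(.*)" (\d{3}) (\S+)$')

def classify(line):
    """Return (method, target_length, reasons) or None if the line is not CLF."""
    m = CLF.match(line.rstrip("\n"))
    if not m:
        return None
    request, status = m.group(5), int(m.group(6))
    method, _, rest = request.partition(" ")
    # Drop a trailing protocol token if the server logged one.
    target, _, proto = rest.rpartition(" ")
    if not proto.startswith("HTTP/"):
        target = rest
    reasons = []
    if method not in RFC2616_METHODS:
        reasons.append("method-not-in-rfc2616")
    if len(target) > MAX_TARGET_LEN:
        reasons.append("oversized-target")
    # Share of characters outside printable ASCII, i.e. raw binary in the URL.
    odd = sum(1 for c in target if not (0x20 < ord(c) < 0x7f))
    if target and odd / len(target) > 0.3:  # assumed ratio
        reasons.append("binary-target")
    if status == 400 and reasons:
        reasons.append("rejected-400")
    return method, len(target), reasons

def scan(lines):
    """Return classified results for lines that triggered at least one reason."""
    return [r for r in map(classify, lines) if r and r[2]]

# Constructed sample lines modelled on the entry quoted in the post.
SAMPLE = [
    '- - - [12/May/2004:15:54:04 +0200] "SEARCH /' + "\u0127B" * 4000 + '" 400 192',
    '- - - [12/May/2004:15:55:10 +0200] "OPTIONS /' + "\u0127B" * 4000 + '" 400 192',
    '192.0.2.10 - - [12/May/2004:15:56:00 +0200] "OPTIONS * HTTP/1.0" 200 -',
    '192.0.2.10 - - [12/May/2004:15:56:02 +0200] "GET /index.html HTTP/1.0" 200 1043',
]

if __name__ == "__main__":
    for method, length, reasons in scan(SAMPLE):
        print(method, length, ",".join(reasons))
```

The binary check assumes the server wrote the raw bytes to the log; a server that escapes them would still trip the length check.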