request failed: URI too long

I can't block this worm from being logged. I know it's something trying to get in through webdav, but since I don't have that right now all it does is clogging my access log.

I've searched the net for a solution how to block this in httpd.conf like I did to block code red and some other worms, but it just wont work. It's still getting logged and I'm starting to lean towards a bug in apache.

The logged line is:

xxx.xxx.xxx.xxx- - [06/Apr/2004:11:33:30 +0200] "SEARCH /\x90\x02\xb1\ ...

(and so on. 32797 bytes total being logged per request)

Since I'm already blocking Nimda and Code Red I tried to modify that to be able to block this new one.

I've tried this in httpd.conf:

SetEnvIfNoCase Request_URI "^search" DontLog
and
SetEnvIfNoCase Request_URI search DontLog
and
SetEnvIfNoCase Request_URI SEARCH DontLog
and every possible variant. More advanced regexp variants too, but nothing seems to help.

In the error log I see "request failed: URI too long". Is it so that since I get that error it never get cought by SetEnvIf Request_URI? How then can i catch it?

I have:
Apache/1.3.27 (Win32)
mod_setenvif.c

Anyone got this working? And how?

 

 

 

 

Top