On 4/1/07, Sean Malloy <[EMAIL PROTECTED]> wrote:
I just installed OpenBSD on my server in early March 2007. I am
running an Apache web server out of my house. I am tracking 4.0 STABLE
which I updated the day after the latest security advisory. I recently
noticed some peculiar entries in my Apache error and access logs.
From /var/www/logs/error_log:

[Sat Mar 31 07:35:07 2007] [error] [client 211.100.33.61] File does not exist: /htdocs/Provy_OK.html
[Sat Mar 31 07:40:20 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/thisdoesnotexistahaha.php
[Sat Mar 31 07:40:21 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/cmd.php
[Sat Mar 31 07:40:21 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/Cacti/cmd.php
[Sat Mar 31 07:40:22 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/cacti/cmd.php
[Sat Mar 31 07:40:22 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/portal/cacti/cmd.php
[Sat Mar 31 07:40:22 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/portal/cmd.php
[Sat Mar 31 07:40:23 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/stats/cmd.php
[Sun Apr  1 00:11:32 2007] [error] [client 212.31.237.145] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)

From /var/www/logs/access_log:

211.100.33.61 - - [31/Mar/2007:07:35:07 -0500] "GET http://check.70.94.14.65.v.80.pdx8.super.proxy.scanner.ii.9966.org/Provy_OK.html HTTP/1.1" 404 219 "-" "-"
195.242.236.131 - - [31/Mar/2007:07:40:20 -0500] "GET /thisdoesnotexistahaha.php HTTP/1.1" 404 231 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

I have not noticed any weirdness in any other log files. What can I
do to stop this from happening? Thanks in advance.

You fundamentally can't stop it, based on the HTTP model. You could
throw in some hacks like searching for suspiciousness like this and
adding blocks to those addresses, but that's generally a bad idea
because of all the end users on DHCP.
Just ignore it. So long as your system is actually secure you have
nothing to worry about (except DDoS but there's no way to prevent that
either).

-Nick
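As an added example, not part of this thread and not code from either poster, here is a small triage script for the kind of log noise Sean posted. It parses Apache-style error_log and access_log lines, groups them by client address, and tags the probes that are recognisable from the thread (the DFind "w00tw00t" request with no Host header, the hunt for Cacti's cmd.php in common paths, the absolute-URI request used to test for an open proxy, and the deliberately non-existent .php file). The sample lines are copied from the thread plus one constructed legitimate request from 10.0.0.5 for contrast; the tag names and the regexes are my own assumptions, and the log format assumed is the Apache combined access format and the 1.3/2.0-style error_log format shown above. In line with Nick's advice it only reports, it does not block anything.

```python
import re
from collections import defaultdict

# Sample input: lines from the thread, plus one constructed normal request (10.0.0.5).
ERROR_LOG = """\
[Sat Mar 31 07:35:07 2007] [error] [client 211.100.33.61] File does not exist: /htdocs/Provy_OK.html
[Sat Mar 31 07:40:20 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/thisdoesnotexistahaha.php
[Sat Mar 31 07:40:21 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/cmd.php
[Sat Mar 31 07:40:22 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/cacti/cmd.php
[Sun Apr  1 00:11:32 2007] [error] [client 212.31.237.145] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
"""

ACCESS_LOG = """\
211.100.33.61 - - [31/Mar/2007:07:35:07 -0500] "GET http://check.70.94.14.65.v.80.pdx8.super.proxy.scanner.ii.9966.org/Provy_OK.html HTTP/1.1" 404 219 "-" "-"
195.242.236.131 - - [31/Mar/2007:07:40:20 -0500] "GET /thisdoesnotexistahaha.php HTTP/1.1" 404 231 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
10.0.0.5 - - [31/Mar/2007:08:00:00 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
"""

# Apache 1.3/2.0 error_log: [timestamp] [level] [client a.b.c.d] message
ERROR_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<level>[^\]]+)\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$'
)
# Apache "combined" access log format
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Scanner-noise signatures (tag names and patterns are assumptions for this example).
SIGNATURES = (
    # DFind probe; also trips Apache's "request without hostname" error
    ("dfind-w00tw00t", re.compile(r"w00tw00t", re.I)),
    # Looking for Cacti's cmd.php under the usual install prefixes
    ("cacti-cmd-php-probe", re.compile(r"/cmd\.php\b")),
    # Absolute URI in the request line: checking whether the server relays as an open proxy
    ("open-proxy-check", re.compile(r"^[A-Z]+ https?://")),
    # A file that cannot exist, used to fingerprint the server's 404 page
    ("404-fingerprint", re.compile(r"thisdoesnotexist", re.I)),
)


def classify(text):
    """Return the signature tags, in table order, whose pattern occurs in text."""
    return [name for name, rx in SIGNATURES if rx.search(text)]


def summarize(error_text=ERROR_LOG, access_text=ACCESS_LOG):
    """Group both logs by client IP; count missing-file errors, requests, 4xx responses, and tags."""
    report = defaultdict(
        lambda: {"missing_files": 0, "requests": 0, "errors_4xx": 0, "tags": set()}
    )
    for line in error_text.splitlines():
        m = ERROR_RE.match(line)
        if not m:
            continue  # skip lines in a format we do not understand
        entry = report[m["ip"]]
        if m["msg"].startswith("File does not exist"):
            entry["missing_files"] += 1
        entry["tags"].update(classify(m["msg"]))
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        entry = report[m["ip"]]
        entry["requests"] += 1
        if m["status"].startswith("4"):
            entry["errors_4xx"] += 1
        entry["tags"].update(classify(m["req"]))
    return dict(report)


def scanner_ips(report):
    """Addresses that matched at least one signature, sorted for stable output."""
    return sorted(ip for ip, entry in report.items() if entry["tags"])


if __name__ == "__main__":
    rep = summarize()
    for ip in sorted(rep):
        e = rep[ip]
        print(f"{ip:16} missing={e['missing_files']} req={e['requests']} "
              f"4xx={e['errors_4xx']} tags={sorted(e['tags']) or '-'}")
    print("tagged as scanner noise:", scanner_ips(rep))
```

The output is a per-address summary rather than a block list: an address that only matched one of these tags is, as Nick says, background noise, and the useful check is the one Nick implies, that none of the probed files (cmd.php, a proxy relay, a writable .php) actually exists or is served on the box.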
