Posted to users@httpd.apache.org by Jeremy Whitlock <jw...@starprecision.com> on 2003/07/24 18:40:03 UTC

[users@httpd] Server Access Log Understanding

Apache List,
	Can someone help me understand my Server Access Logs?
This:

65.33.50.250 - - [23/Jul/2003:03:59:04 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284

looks suspicious.  Am I paranoid?
 
Jeremy Whitlock --- MCP/MCSA
IT Manager for Star Precision, Inc.
Phone:  (970) 535-4795
Metro:  (303) 926-0559
Fax:  (970) 535-0780
Metro Fax:  (303) 926-0559
http://www.starprecision.com 
 

RE: [users@httpd] Server Access Log Understanding

Posted by Joshua Slive <jo...@slive.ca>.
On Thu, 24 Jul 2003, Jeremy Whitlock wrote:

> Joshua,
> 	Thanks again.  What I meant by leeching is that people scan
> websites for files in the same directory as the website and download
> them.  If I had a website:
>
> http://www.mysite.com
>
> 	and I had a file called "Jeremy.zip" in the same directory as
> the website files for the site, they can download them by using some
> software/method to see what's in the directory.  Does that make sense?

Look at the DirectoryIndex directive and at the "Indexes" argument to the
Options directive.

By removing Indexes from all your Options directives in httpd.conf, you
should be able to prevent people from listing directories.

But note that if you store a file on a publicly accessible server, it is
almost inevitable that it will be discovered.  For example, it can show up
in log files of proxy servers or in referer logs that end up on the web.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
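
One way to check a configuration for the two settings mentioned in this thread, `Options` lines that enable `Indexes` and an `Alias` that maps a URL onto a drive root (added example, not from the original messages; the sample configuration and its paths are constructed):

```python
import re

# Constructed httpd.conf fragment for this example; all paths are made up,
# except the Alias /c line, which is the misconfiguration named in the thread.
SAMPLE_CONF = """\
Alias /c c:/
Alias /icons/ "/usr/local/apache2/icons/"
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
<Directory "/var/www/html/private">
    Options -Indexes
</Directory>
<Directory "/var/www/downloads">
    Options All
</Directory>
"""

# A target that is only a drive letter and/or a slash, e.g. c:/ or /
ROOT_TARGET = re.compile(r'"?(?:[A-Za-z]:)?[\\/]?"?')


def audit(conf_text):
    """Return (line number, enclosing section, problem) for risky lines."""
    findings = []
    sections = ["(server config)"]
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            if len(sections) > 1:
                sections.pop()
            continue
        if line.startswith("<"):
            sections.append(line)
            continue
        directive, *args = line.split()
        if directive.lower() == "options":
            # Assumption: each Options line is judged on its own (no merging
            # of +/- with parent sections). "All" includes Indexes.
            if any(a.lower() in ("indexes", "+indexes", "all") for a in args):
                findings.append((lineno, sections[-1], "listing enabled"))
        elif directive.lower() == "alias" and len(args) == 2:
            if ROOT_TARGET.fullmatch(args[1]):
                findings.append((lineno, sections[-1], "alias to filesystem root"))
    return findings


if __name__ == "__main__":
    for lineno, section, problem in audit(SAMPLE_CONF):
        print(f"line {lineno}: {problem} in {section}")
```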


RE: [users@httpd] Server Access Log Understanding

Posted by Jeremy Whitlock <jw...@starprecision.com>.
Joshua,
	Thanks again.  What I meant by leeching is that people scan
websites for files in the same directory as the website and download
them.  If I had a website:

http://www.mysite.com

	and I had a file called "Jeremy.zip" in the same directory as
the website files for the site, they can download them by using some
software/method to see what's in the directory.  Does that make sense?
Thanks, Jeremy

-----Original Message-----
From: Joshua Slive [mailto:joshua@slive.ca] 
Sent: Thursday, July 24, 2003 10:59 AM
To: users@httpd.apache.org
Subject: RE: [users@httpd] Server Access Log Understanding


On Thu, 24 Jul 2003, Jeremy Whitlock wrote:

> Joshua,
> 	I haven't done anything like that.  I just hate to see that
> people are even trying I guess.  I also see that people are "leeching"
> my files that I've put in one of the folders.  Is there any way to stop
> leeching?  Thanks, Jeremy

If it gives you any consolation, you are not alone.  This is not some
individual hacker picking on you, this is either:
1. A worm that is spreading on its own.
2. A hacker that is scanning huge portions of the internet for any
vulnerable server.

In general, these worms and hackers are targeting IIS, so there is very
little chance of an apache server being affected.

As far as "leeching", you need to define what you mean.  If you mean that
people are inlining your images into their own pages, you should look at
"Prevent image theft" under:
http://httpd.apache.org/docs-2.0/env.html#examples

> P.S. - How can I tell if someone were successful at trying to hack my
> machine?  Is there any status code or such I can look for?

Well, a status code starting in 2 means that the request was successful.
But a successful request does not mean a successful hack (and the contrary
applies as well, actually).

I don't think there is any magic formula for figuring out if you've been
hacked.  That's why people make big bucks selling crappy intrusion
detection software.

One thing you can try is to extract a part of the request and type it into
google to see what people are saying about it.  Usually you can find out
what exploit is being used, and make sure you are not vulnerable to that
exploit.

Joshua.



RE: [users@httpd] Server Access Log Understanding

Posted by Joshua Slive <jo...@slive.ca>.
On Thu, 24 Jul 2003, Jeremy Whitlock wrote:

> Joshua,
> 	I haven't done anything like that.  I just hate to see that
> people are even trying I guess.  I also see that people are "leeching"
> my files that I've put in one of the folders.  Is there any way to stop
> leeching?  Thanks, Jeremy

If it gives you any consolation, you are not alone.  This is not some
individual hacker picking on you, this is either:
1. A worm that is spreading on its own.
2. A hacker that is scanning huge portions of the internet for any
vulnerable server.

In general, these worms and hackers are targeting IIS, so there is very
little chance of an apache server being affected.

As far as "leeching", you need to define what you mean.  If you mean that
people are inlining your images into their own pages, you should look at
"Prevent image theft" under:
http://httpd.apache.org/docs-2.0/env.html#examples

> P.S. - How can I tell if someone were successful at trying to hack my
> machine?  Is there any status code or such I can look for?

Well, a status code starting in 2 means that the request was successful.
But a successful request does not mean a successful hack (and the contrary
applies as well, actually).

I don't think there is any magic formula for figuring out if you've been
hacked.  That's why people make big bucks selling crappy intrusion
detection software.

One thing you can try is to extract a part of the request and type it into
google to see what people are saying about it.  Usually you can find out
what exploit is being used, and make sure you are not vulnerable to that
exploit.

Joshua.



RE: [users@httpd] Server Access Log Understanding

Posted by Jeremy Whitlock <jw...@starprecision.com>.
Joshua,
	I haven't done anything like that.  I just hate to see that
people are even trying I guess.  I also see that people are "leeching"
my files that I've put in one of the folders.  Is there any way to stop
leeching?  Thanks, Jeremy

P.S. - How can I tell if someone were successful at trying to hack my
machine?  Is there any status code or such I can look for?

-----Original Message-----
From: Joshua Slive [mailto:joshua@slive.ca] 
Sent: Thursday, July 24, 2003 10:47 AM
To: 'Apache'
Subject: Re: [users@httpd] Server Access Log Understanding


On Thu, 24 Jul 2003, Jeremy Whitlock wrote:

> Apache List,
>                 Can someone help me understand my Server Access Logs.
> This:
>
> 65.33.50.250 - - [23/Jul/2003:03:59:04 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
>
>                 looks suspicious.  Am I paranoid?

It is suspicious.  But note the "404" status code which means apache
returned "file not found".  You are safe as long as you haven't done
anything REALLY stupid like setting
Alias /c c:/

Joshua.



Re: [users@httpd] Server Access Log Understanding

Posted by Joshua Slive <jo...@slive.ca>.
On Thu, 24 Jul 2003, Jeremy Whitlock wrote:

> Apache List,
>                 Can someone help me understand my Server Access Logs.
> This:
>
> 65.33.50.250 - - [23/Jul/2003:03:59:04 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
>
>                 looks suspicious.  Am I paranoid?

It is suspicious.  But note the "404" status code which means apache
returned "file not found".  You are safe as long as you haven't done
anything REALLY stupid like setting
Alias /c c:/

Joshua.
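
The status-code reading discussed in this thread, as an added example that is not part of the original messages: a small Python triage over Common Log Format lines. The marker list is taken from the quoted request, and the second and third log lines are constructed for illustration.

```python
import re

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Path fragments taken from the request quoted in this thread.
# Assumption: an illustrative list, not a complete signature set.
PROBE_MARKERS = ("cmd.exe", "/winnt/", "/system32/")

# Sample input: the first line is the entry from the thread (re-joined onto
# one line); the other two are constructed for this example.
SAMPLE_LOG = """\
65.33.50.250 - - [23/Jul/2003:03:59:04 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
192.0.2.10 - - [23/Jul/2003:04:01:12 -0600] "GET /index.html HTTP/1.0" 200 5120
198.51.100.7 - - [23/Jul/2003:04:05:40 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 1043
"""


def triage(line):
    """Classify one access-log line; returns None if it is not CLF."""
    m = CLF.match(line)
    if m is None:
        return None
    parts = m.group("request").split()
    target = (parts[1] if len(parts) >= 2 else m.group("request")).lower()
    status = int(m.group("status"))
    if not any(marker in target for marker in PROBE_MARKERS):
        verdict = "normal"
    elif 200 <= status < 300:
        # Served: not proof of compromise, but it needs a human look.
        verdict = "probe-served-review"
    else:
        # 404 and other non-2xx: the request was not served as asked.
        verdict = "probe-not-served"
    return {"host": m.group("host"), "status": status,
            "target": target, "verdict": verdict}


def triage_log(text):
    """Triage every parseable line and return the list of results."""
    results = (triage(line) for line in text.splitlines())
    return [r for r in results if r is not None]


if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG):
        print(f'{r["host"]:15} {r["status"]} {r["verdict"]:20} {r["target"]}')
```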
