Posted to users@httpd.apache.org by Peter Horn <pe...@bigpond.com> on 2010/08/19 03:12:55 UTC

[users@httpd] Re: client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.test0:)

  On 06:59, Norman Khine wrote:
> I get these in my
>
> # tail -f /var/log/apache2/error_log
>
> [Tue Aug 17 15:13:00 2010] [notice] Apache/2.2.15 (Unix)
> mod_ssl/2.2.15 OpenSSL/0.9.8o configured -- resuming normal operations
> [Tue Aug 17 15:14:56 2010] [error] [client 188.165.201.59] File does
> not exist: /var/www/localhost/htdocs/test_500k.bin
> [Tue Aug 17 15:14:56 2010] [error] [client 188.165.201.59] File does
> not exist: /var/www/localhost/htdocs/2816eca5251644b60664d581cb953980
> [Tue Aug 17 15:16:26 2010] [error] [client 89.19.18.114] client sent
> HTTP/1.1 request without hostname (see RFC2616 section 14.23):
> /w00tw00t.at.ISC.SANS.DFind:)
> [Tue Aug 17 15:17:56 2010] [error] [client 188.165.201.59] File does
> not exist: /var/www/localhost/htdocs/test_500k.bin
> [Tue Aug 17 15:17:56 2010] [error] [client 188.165.201.59] File does
> not exist: /var/www/localhost/htdocs/2816eca5251644b60664d581cb953980
> [Tue Aug 17 15:19:20 2010] [error] [client 79.233.232.211] File does
> not exist: /var/www/localhost/htdocs/101f39bf5983c67258518552c0d8d50f
> [Tue Aug 17 15:19:20 2010] [error] [client 79.233.232.211] File does
> not exist: /var/www/localhost/htdocs/101f39bf5983c67258518552c0d8d50f
> [Tue Aug 17 15:20:30 2010] [error] [client 203.127.11.214] client sent
> HTTP/1.1 request without hostname (see RFC2616 section 14.23):
> /w00tw00t.at.ISC.SANS.test0:)
> [Tue Aug 17 15:20:56 2010] [error] [client 188.165.201.59] File does
> not exist: /var/www/localhost/htdocs/test_500k.bin
> [Tue Aug 17 15:20:56 2010] [error] [client 188.165.201.59] File does
> not exist: /var/www/localhost/htdocs/2816eca5251644b60664d581cb953980
>
>
> From the IP addresses I see they originate from Turkey, Singapore and
> from users from within ovh.com; this is my host.
>
> Does this mean that my server is being probed?
>
> Thanks
>
>
Hi Norman,
Yes, the w00tw00t is a good sign of probing. It is one of many that you 
will get to know (but probably not love!) if you watch your logs. They 
are looking for ways to compromise your server for whatever nefarious 
purposes. I suggest you implement a default name virtual host that 
rejects all requests. That will at least stop those that are just 
scanning IP addresses looking for responses on port 80. (No prober has 
yet found my server by name, though about 60% of my total traffic is 
IP-addressed probes.)
Regards,
Peter


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
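
Added example, not part of the thread or of the Apache project's code: a Python tally of the two message types seen in the quoted error_log, grouped by client, so requests sent without a Host header can be told apart from repeated requests for missing files. The sample entries are constructed (one entry per line, documentation-range addresses), and `summarize` is a hypothetical helper name.

```python
import re
from collections import Counter, defaultdict

# Apache 2.2 error_log layout, as in the quoted log: [time] [level] [client IP] message
ENTRY = re.compile(r"^\[(?P<time>[^\]]+)\] \[(?P<level>\w+)\] "
                   r"\[client (?P<ip>[^\]]+)\] (?P<msg>.*)$")
NO_HOST = re.compile(r"^client sent HTTP/1\.1 request without hostname "
                     r"\(see RFC2616 section 14\.23\): (?P<uri>\S+)")
MISSING = re.compile(r"^File does not exist: (?P<path>\S+)")

# Constructed sample: message formats follow the thread, addresses are
# documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).
SAMPLE_LOG = """\
[Tue Aug 17 15:13:00 2010] [notice] Apache/2.2.15 (Unix) configured -- resuming normal operations
[Tue Aug 17 15:14:56 2010] [error] [client 192.0.2.10] File does not exist: /var/www/localhost/htdocs/test_500k.bin
[Tue Aug 17 15:16:26 2010] [error] [client 198.51.100.7] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Tue Aug 17 15:17:56 2010] [error] [client 192.0.2.10] File does not exist: /var/www/localhost/htdocs/test_500k.bin
[Tue Aug 17 15:20:30 2010] [error] [client 203.0.113.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.test0:)
[Tue Aug 17 15:20:56 2010] [error] [client 192.0.2.10] File does not exist: /var/www/localhost/htdocs/test_500k.bin
"""

def summarize(log_text):
    """Group error_log entries per client into host-less requests and missing files."""
    no_host = defaultdict(list)     # ip -> URIs requested with no Host header
    missing = defaultdict(Counter)  # ip -> count of each nonexistent path
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if not entry:               # notices and other lines without a [client ...] field
            continue
        ip, msg = entry["ip"], entry["msg"]
        if (m := NO_HOST.match(msg)):
            no_host[ip].append(m["uri"])
        elif (m := MISSING.match(msg)):
            missing[ip][m["path"]] += 1
    return dict(no_host), {ip: dict(c) for ip, c in missing.items()}

if __name__ == "__main__":
    no_host, missing = summarize(SAMPLE_LOG)
    for ip, uris in sorted(no_host.items()):
        print(f"{ip}: HTTP/1.1 without Host -> {', '.join(uris)}")
    for ip, paths in sorted(missing.items()):
        for path, n in sorted(paths.items()):
            print(f"{ip}: {n}x missing {path}")
```

To run it against a real log, pass the file contents to `summarize` in place of `SAMPLE_LOG`.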