Posted to users@httpd.apache.org by Robert Jackson <rj...@mcoe.org> on 2002/07/17 22:55:49 UTC

Odd log files - NOT CodeRed or Nimda

Hi there,

I've looked through the web in general, Apache FAQs and this group archive
but haven't found an answer.  My apologies if I've overlooked where this has
been discussed before. :)

Anyway, in an older (Feb '02) Slackware Linux / Apache 1.3.20 log files I'm
seeing these entries coming through in groups of a few dozen or so, a few
times a week:

access_log :
127.0.0.1 - - [17/Jul/2002:11:58:21 -0700] "POST /a/redir?inttop-let=usingssl HTTP/1.0" 404 288

error_log :
[Wed Jul 17 11:58:21 2002] [error] [client 127.0.0.1] File does not exist: /var/www/htdocs/a/redir

I'm not an apache expert (obviously) but it looks like something on the
localhost is trying to post to a non-existent redirect URL on the localhost.
Can anyone clue me in as to what might do that?  Or is it possibly some kind
of attack, looking like it's coming from the localhost but coming from
somewhere else?

There's nothing in the system logs showing up at the times these entries are
in the apache logs.

The machine's main role is a proxy server (running squid2.4.s3 - nothing in
the squid logs at the times these odd entries are coming through, either),
but it does have basic daemons running and a few users with direct login
accounts.

Ideas?

Thanks in advance..

rj

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: Odd log files - NOT CodeRed or Nimda

Posted by Jeff Beard <je...@cyberxape.com>.
Interesting. Have you done an audit of the file system to see if there's 
any stuff you don't recognize? Have you been watching for the process 
that issues the request?

Here's an idea: write a program that dumps out the process table and runs
netstat -na, and call it /a/redir. Maybe you can catch that bugger running.

--Jeff

Robert Jackson wrote:
> Hi there,
> 
> I've looked through the web in general, Apache FAQs and this group archive
> but haven't found an answer.  My apologies if I've overlooked where this has
> been discussed before. :)
> 
> Anyway, in an older (Feb '02) Slackware Linux / Apache 1.3.20 log files I'm
> seeing these entries coming through in groups of a few dozen or so, a few
> times a week:
> 
> access_log :
> 127.0.0.1 - - [17/Jul/2002:11:58:21 -0700] "POST /a/redir?inttop-let=usingssl HTTP/1.0" 404 288
> 
> error_log :
> [Wed Jul 17 11:58:21 2002] [error] [client 127.0.0.1] File does not exist: /var/www/htdocs/a/redir
> 
> I'm not an apache expert (obviously) but it looks like something on the
> localhost is trying to post to a non-existent redirect URL on the localhost.
> Can anyone clue me in as to what might do that?  Or is it possibly some kind
> of attack, looking like it's coming from the localhost but coming from
> somewhere else?
> 
> There's nothing in the system logs showing up at the times these entries are
> in the apache logs.
> 
> The machine's main role is a proxy server (running squid2.4.s3 - nothing in
> the squid logs at the times these odd entries are coming through, either),
> but it does have basic daemons running and a few users with direct login
> accounts.
> 
> Ideas?
> 
> Thanks in advance..
> 
> rj



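The trap suggested in the reply above, sketched as a CGI shell script. This is an added example, not code posted in the thread. The snapshot directory and the capture_snapshot name are assumptions, and it presumes Apache is configured to execute /var/www/htdocs/a/redir as a CGI.

```shell
#!/bin/sh
# Added example (not from the thread): trap to install as <DocumentRoot>/a/redir.
# SNAP_DIR is an assumed path; it must be writable by the Apache user.
SNAP_DIR="${SNAP_DIR:-/var/tmp/redir-trap}"

# Write one snapshot file per request and print its path.
capture_snapshot() {
    dir=$1
    mkdir -p "$dir" || return 1
    out="$dir/$(date +%Y%m%d-%H%M%S)-$$.txt"
    {
        echo "time: $(date)"
        # REMOTE_PORT is the client's source port: search for it in the
        # socket list below to find the local end of this connection.
        echo "client: ${REMOTE_ADDR:-?}:${REMOTE_PORT:-?}"
        echo "request: ${REQUEST_METHOD:-?} ${SCRIPT_NAME:-?}?${QUERY_STRING:-}"
        echo "user-agent: ${HTTP_USER_AGENT:-}"
        echo "--- body (first 4096 bytes) ---"
        case "${CONTENT_LENGTH:-0}" in
            ''|*[!0-9]*|0) ;;   # no body, or the length is not a number
            *) head -c "$CONTENT_LENGTH" | head -c 4096; echo ;;
        esac
        echo "--- process table ---"
        ps auxww 2>/dev/null || ps -ef 2>/dev/null || echo "(ps unavailable)"
        echo "--- sockets ---"
        netstat -na 2>/dev/null || ss -na 2>/dev/null || echo "(netstat unavailable)"
    } > "$out"
    echo "$out"
}

# Act as a CGI only when Apache invokes the script (it sets GATEWAY_INTERFACE).
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    capture_snapshot "$SNAP_DIR" >/dev/null
    # Answer with the same status the client has been getting so far.
    printf 'Status: 404 Not Found\r\nContent-Type: text/plain\r\n\r\nNot Found\n'
fi
```

Each snapshot records the POST body alongside the process and socket lists, so the next burst of requests shows what is being sent as well as what was running at that moment.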