[Gllug] Apache Logs

Dan Kolb dankolb at ox.compsoc.net
Tue Jan 15 17:47:26 UTC 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 01 Jan 1970 01:00 am, t.clarke wrote:
> I am hoping someone can throw some light on the following messages which
> are appearing horribly regularly in our Apache error_log, from various IP
> addresses (although the samples below are all within a few minutes and from
> the same IP address shown).
>
> I presume somebody is attempting to use some kind of 'backdoor' to get
> control of the machine upon which our apache server runs  (Linux, of course
> !!). I also presume/hope that no damage is being done, other than filling up
> our log-files !

Yes - it's some IIS directory traversal vulnerability. cmd.exe is the Windows 
NT command prompt. Have a dig through Bugtraq archives 
(www.securityfocus.com).

> Questions:
>
> 1) Is it realistic/possible to do a reverse look-up on the IP address and
> fire off a suitable email to the ISP/organisation that 'owns' it ??

Yes. Try "nslookup <ipaddress>". Then again, if they're running MS software, 
they may not be properly set up. And if you send them an email, they might 
accuse you of trying to h4x0r their systems. IIRC, it did happen to someone 
(can't remember where I read it).

> 2) Since most of the non-existent files seem to be within winnt and scripts
> sub-directories, can I get apache to do something like  re-direct to
> a suitable 'bugger-off' web page after a 60-second 'wait'?

Probably, although if it's an automatic script, it wouldn't do a huge amount 
of good.

> 3) If the requests can be pinned down to a limited range of IP addresses,
> would it be realistic to simply DENY them within the filter rules ?

I don't see why not.

Dan
- -- 
dankolb at ox.compsoc.net  
 
- --I reserve the right to be completely wrong about any comments or
  opinions expressed; don't trust everything you read above--  

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBPERrL5dDUnce+EgsEQIybwCgvzs3bUy1FSFM+FNmsaaD9eIgzcUAniMq
PU6qg0AItAQCXHXq+56b/ukZ
=ZQ6Y
-----END PGP SIGNATURE-----

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
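Added example, not part of the list post above and not Apache's own tooling: a short Python script that picks the IIS traversal probes Dan describes out of Apache 1.3-style error_log lines, counts them per client address, and emits the httpd.conf Deny block and the packet-filter rules that questions 2 and 3 ask about. The request strings it matches on (cmd.exe, root.exe, /winnt/, /scripts/, /msadc/, /_vti_bin/, /_mem_bin/) are the ones the Code Red II and Nimda worms of 2001 sent at IIS; none of them exist on a Unix Apache docroot, so a hit is an automated probe. The sample log lines are constructed, shaped like what Apache 1.3 writes (one layer of percent-decoding applied, non-printable bytes as backslash-octal); the docroot path /var/www/html, the threshold of three hits, and the port-80 iptables form are assumptions.

```python
"""Pick the IIS-traversal probes out of an Apache 1.3-style error_log,
count them per client IP, and emit block rules for repeat offenders."""
import re
from collections import Counter

# Apache 1.3 error_log line shape: "[date] [level] [client IP] message".
ERROR_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
    r"\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] (?P<msg>.*)$"
)
MISSING_FILE = re.compile(r"^File does not exist: (?P<path>.+)$")

# Fragments of the IIS Unicode / double-decode traversal requests (the ones
# the Code Red II and Nimda worms of 2001 sent).  None of them belong on a
# Unix Apache docroot, so a hit is an automated probe, not a user typo.
PROBE_MARKERS = ("cmd.exe", "root.exe", "/winnt/", "/scripts/",
                 "/msadc/", "/_vti_bin/", "/_mem_bin/")

# Constructed sample (assumed docroot /var/www/html), shaped like Apache 1.3
# output: one layer of percent-decoding has been applied (so %255c shows as
# %5c) and non-printable bytes are written as backslash-octal (%c1%1c shows
# as \301\034).  The last line has no [client] field and must be skipped.
SAMPLE_LOG = r"""[Tue Jan 15 17:30:01 2002] [error] [client 192.0.2.10] File does not exist: /var/www/html/scripts/root.exe
[Tue Jan 15 17:30:02 2002] [error] [client 192.0.2.10] File does not exist: /var/www/html/MSADC/root.exe
[Tue Jan 15 17:30:03 2002] [error] [client 192.0.2.10] File does not exist: /var/www/html/scripts/..\301\034../winnt/system32/cmd.exe
[Tue Jan 15 17:30:04 2002] [error] [client 192.0.2.10] File does not exist: /var/www/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Tue Jan 15 17:31:10 2002] [error] [client 198.51.100.7] File does not exist: /var/www/html/favicon.ico
[Tue Jan 15 17:32:44 2002] [error] [client 203.0.113.5] File does not exist: /var/www/html/c/winnt/system32/cmd.exe
[Tue Jan 15 17:33:00 2002] [notice] Apache/1.3.22 (Unix) configured -- resuming normal operations
"""


def parse_error_line(line):
    """Return a dict (ts, level, ip, msg, path) or None for lines without a client."""
    m = ERROR_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    mm = MISSING_FILE.match(rec["msg"])
    rec["path"] = mm.group("path") if mm else None
    return rec


def is_iis_probe(path):
    """True when the path carries any IIS-only marker.  Case-insensitive,
    because the worms varied the case (/MSADC/ and /msadc/ both occur)."""
    if not path:
        return False
    lowered = path.lower()
    return any(marker in lowered for marker in PROBE_MARKERS)


def probe_counts(lines):
    """{ip: number of probe lines} over an iterable of raw log lines."""
    counts = Counter()
    for line in lines:
        rec = parse_error_line(line)
        if rec and is_iis_probe(rec["path"]):
            counts[rec["ip"]] += 1
    return dict(counts)


def repeat_offenders(counts, threshold):
    """Addresses that sent at least `threshold` probes (threshold is assumed)."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def apache_deny_block(counts, threshold):
    """httpd.conf fragment in Apache 1.3 / 2.0 access-control syntax.  With
    'Order allow,deny' a matching Deny wins over 'Allow from all', so listed
    clients get a 403 and everyone else is untouched."""
    lines = ["<Location />", "    Order allow,deny", "    Allow from all"]
    lines += ["    Deny from %s" % ip for ip in repeat_offenders(counts, threshold)]
    lines.append("</Location>")
    return "\n".join(lines)


def iptables_rules(counts, threshold):
    """Packet-filter rules for question 3: dropping in the kernel means the
    probe never reaches Apache, so it stops costing an error_log line too."""
    return ["iptables -A INPUT -s %s -p tcp --dport 80 -j DROP" % ip
            for ip in repeat_offenders(counts, threshold)]


if __name__ == "__main__":
    counts = probe_counts(SAMPLE_LOG.splitlines())
    for ip, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print("%-15s %d probe(s)" % (ip, n))
    print(apache_deny_block(counts, threshold=3))
    print("\n".join(iptables_rules(counts, threshold=3)))
```

Run it against a real file with probe_counts(open("/var/log/httpd/error_log")). The reverse look-up from question 1 is deliberately left out so the script runs offline; "nslookup <ip>" or "dig -x <ip>" does it, and whois on the address is what actually tells you which ISP to write to. Note the cost difference between the two outputs: a Deny block still makes Apache accept the connection and write the error_log line Tim is complaining about, whereas the iptables rule stops the traffic before httpd sees it. The Deny form is useful where you cannot touch the host firewall. Either way, block single addresses rather than whole ranges: infected IIS boxes sit on ordinary customer netblocks.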
