httpd-users mailing list archives

From "Pete Nelson" <pete.nel...@ci.stpaul.mn.us>
Subject Re: Strange access log entries - hacker??
Date Wed, 10 Apr 2002 13:17:06 GMT
Looks like Nimda or Code Red virus.  Although Apache should stop these
requests from actually hitting the system files, I'm a big believer in
redundant methods of security.

Something similar to this should deny these requests - 

<LocationMatch /*/winnt/>
  Order allow,deny
  Deny from All
</LocationMatch>

Like I said, Apache does a good job of stopping someone from ../../..
their way out of the DocumentRoot, but I still like to add a little
'just in case' security to my Windows machine.

--
Pete Nelson, Web Developer
<pete.nelson@ci.stpaul.mn.us>
http://www.ci.stpaul.mn.us/

>>> danes@image.dk 04/10/02 08:01AM >>>
HI ALL! I downloaded Apache 1.3.22 for win2k and have just installed
it. 
I am a real newbie at this.

I just had a look at the access log and I noticed these entries that
cause me to worry a little:
80.62.91.126 - - [10/Apr/2002:13:27:35 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 288
80.62.91.126 - - [10/Apr/2002:13:27:43 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
80.62.91.126 - - [10/Apr/2002:13:27:50 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
80.62.91.126 - - [10/Apr/2002:13:27:57 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312
80.62.91.126 - - [10/Apr/2002:13:28:05 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 329
80.62.91.126 - - [10/Apr/2002:13:28:12 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 329

A normal entry looks like this:
62.199.0.4 - - [10/Apr/2002:13:27:19 +0200] "GET /icons/blank.gif HTTP/1.1" 200 148

Can anyone shed light on this?  Is someone trying to hack into my
computer or is there some explanation for these entries?

REGARDS!
Dan



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org 
For additional commands, e-mail: users-help@httpd.apache.org 
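
Added example, not part of the original thread or of the Apache project: a small Python scanner for access-log entries like the ones quoted above. It percent-decodes each request path repeatedly, so the double-encoded ..%255c.. sequences are seen as a ".." followed by a backslash, then flags the indicators visible in the post; the indicator list and all function names are assumptions chosen for illustration.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "method path proto" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: (\S+))?" (\d{3}) (\S+)$')

# Indicators drawn from the requests quoted in the thread (assumed list, extend as needed).
SUSPICIOUS = re.compile(r'(cmd\.exe|root\.exe|/winnt/|\.\.[\\/])', re.I)

def fully_decode(path, max_rounds=5):
    """Percent-decode until stable: ..%255c.. becomes ..%5c.. and then a literal backslash."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def scan(lines):
    """Return (host, status, decoded_path) for every request that matches an indicator."""
    hits = []
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue  # not a Common Log Format line
        host, _, _, raw_path, _, status, _ = m.groups()
        decoded = fully_decode(raw_path)
        if SUSPICIOUS.search(decoded):
            hits.append((host, int(status), decoded))
    return hits

def served(hits):
    """Hits answered with a non-error status; these are the ones to examine first."""
    return [h for h in hits if h[1] < 400]

# Sample input: entries from the post above, unwrapped onto single lines.
SAMPLE = [
    '80.62.91.126 - - [10/Apr/2002:13:27:35 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 288',
    '80.62.91.126 - - [10/Apr/2002:13:27:43 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298',
    '80.62.91.126 - - [10/Apr/2002:13:28:05 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 329',
    '62.199.0.4 - - [10/Apr/2002:13:27:19 +0200] "GET /icons/blank.gif HTTP/1.1" 200 148',
]

if __name__ == "__main__":
    for host, status, path in scan(SAMPLE):
        print(host, status, path)
```

All three probes in the sample were answered with 404, so served() returns an empty list for it.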

