httpd-users mailing list archives

From "Sander Holthaus - Orange XL" <i...@orangexl.com>
Subject Re: [users@httpd] Hacker?
Date Wed, 04 Dec 2002 16:18:03 GMT
Why block favicon.ico??? This has nothing to do with worms, viruses and
script kiddies...

----- Original Message -----
From: "David Tonhofer" <d.tonhofer@m-plify.com>
To: <users@httpd.apache.org>
Sent: Wednesday, December 04, 2002 3:27 PM
Subject: Re: [users@httpd] Hacker?


> Yes, actually it's a scan made by a worm. This only affects
> Microsoft IIS, so no worry.
>
> Btw, here's a set of instructions that might be considered
> for inclusion into httpd.conf. It sends a HTTP 'GONE' return
> code if someone requests the said file, so there is less
> crap in the error log:
>
> # For worms (Code Red etc.) and script kiddies
>
> Redirect gone /scripts
> Redirect gone /MSADC
> Redirect gone /c
> Redirect gone /d
> Redirect gone /_vti_bin
> Redirect gone /_mem_bin
> Redirect gone /msadc
> Redirect gone /favicon.ico
> Redirect gone /default.ida
> Redirect gone /sumthin
> Redirect gone /galaxy_15592.15938
> Redirect gone /NULL.printer
> Redirect gone /NULL.ida
> Redirect gone /NULL.idq
>
>
> --On Wednesday, December 04, 2002 8:11 PM -0600 "H. Carter Harris"
> <carter-lists@technettn.net> wrote:
>
> > I have a test apache system where I am trying to learn how to use it.  I
> > got the access_log file working and I noticed the following entries in
> > the log:
> >
> > 66.137.7.57 - - [02/Dec/2002:19:49:26 -0500] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -
> > 61.56.232.58 - - [02/Dec/2002:19:49:53 -0500] "HEAD / HTTP/1.0" 404 0
> > 208.47.206.2 - - [02/Dec/2002:22:01:40 -0500] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\script.exe HTTP/1.1" 404 246
> > 207.198.31.238 - - [03/Dec/2002:00:15:16 -0500] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\script.exe HTTP/1.1" 404 246
> > 195.92.95.61 - - [03/Dec/2002:05:16:21 -0500] "HEAD /cobalt-images/welcome2.gif HTTP/1.0" 404 0
> > 202.62.83.82 - - [03/Dec/2002:10:25:49 -0500] "HEAD / HTTP/1.0" 404 0
> > 6
> >
> > This installation is on a Mandrake Linux box, not NT.  Is someone trying
> > to hack into the system?
> >
> >
> >
> > ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP Server Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
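A log triage sketch for the kind of entries quoted in this thread, added here as an example and not code from any poster: it undoes the double encoding (`%255c` to `%5c` to a backslash) before matching, then labels requests aimed at IIS paths. Function names, labels and the sample lines (documentation addresses) are constructed for illustration; the prefixes and extensions are a subset of the quoted `Redirect gone` entries.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Common Log Format; the protocol token is optional because some probes omit it.
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>[A-Z]+) (?P<target>.*?)(?: HTTP/\d\.\d)?" '
                 r'(?P<status>\d{3}) (?P<size>\S+)')

# Labels below are this example's own naming; the paths come from the thread.
IIS_PREFIXES = ("/scripts", "/msadc", "/_vti_bin", "/_mem_bin", "/c/", "/d/")
IIS_EXTENSIONS = (".ida", ".idq", ".printer")

def normalize(target, rounds=3):
    """Percent-decode a few times (for matching only), then unify slashes."""
    for _ in range(rounds):
        target = unquote(target)  # no-op once no escapes remain
    return target.replace("\\", "/").lower()

def classify(line):
    """Return (ip, label) for a log line, or None if it does not parse."""
    m = CLF.match(line)
    if not m:
        return None
    raw = m.group("target")
    path = normalize(raw).split("?", 1)[0]
    if "cmd.exe" in path and "../" in path:
        label = "iis-traversal"
    elif path.endswith(IIS_EXTENSIONS) or path.startswith(IIS_PREFIXES):
        label = "iis-probe"
    else:
        label = "other"
    # An encoded percent sign followed by hex digits means a second encoding layer.
    if label != "other" and re.search(r"%25[0-9a-f]{2}", raw, re.I):
        label += "+double-encoded"
    return m.group("ip"), label

def summarize(lines):
    """Count labels across a log, skipping lines that do not parse."""
    return Counter(r[1] for r in map(classify, lines) if r)

# Constructed sample lines using RFC 5737 documentation addresses.
SAMPLE = [
    '192.0.2.10 - - [02/Dec/2002:19:49:26 -0500] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -',
    '192.0.2.11 - - [02/Dec/2002:19:50:01 -0500] "GET /default.ida?XXXX HTTP/1.0" 404 246',
    '198.51.100.7 - - [02/Dec/2002:19:49:53 -0500] "HEAD / HTTP/1.0" 200 0',
    'not a log line',
]
```

On a non-IIS server every hit with an `iis-` label is background scanning; `summarize(SAMPLE)` gives the per-label counts.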