httpd-users mailing list archives

From David Tonhofer <d.tonho...@m-plify.com>
Subject Re: [users@httpd] Hacker?
Date Wed, 04 Dec 2002 14:27:13 GMT
Yes, actually it's a scan made by a worm. This only affects
Microsoft IIS, so no worry.

Btw, here's a set of instructions that might be considered
for inclusion into httpd.conf. It sends an HTTP 'GONE' return
code if someone requests the said file, so there is less
crap in the error log:

# For worms (Code Red etc.) and script kiddies

Redirect gone /scripts
Redirect gone /MSADC
Redirect gone /c
Redirect gone /d
Redirect gone /_vti_bin
Redirect gone /_mem_bin
Redirect gone /msadc
Redirect gone /favicon.ico
Redirect gone /default.ida
Redirect gone /sumthin
Redirect gone /galaxy_15592.15938
Redirect gone /NULL.printer
Redirect gone /NULL.ida
Redirect gone /NULL.idq


--On Wednesday, December 04, 2002 8:11 PM -0600 "H. Carter Harris" 
<carter-lists@technettn.net> wrote:

> I have a test apache system where I am trying to learn how to use it.  I
> got the access_log file working and I noticed the following entries in
> the log:
>
> 66.137.7.57 - - [02/Dec/2002:19:49:26 -0500] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -
> 61.56.232.58 - - [02/Dec/2002:19:49:53 -0500] "HEAD / HTTP/1.0" 404 0
> 208.47.206.2 - - [02/Dec/2002:22:01:40 -0500] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\script.exe HTTP/1.1" 404 246
> 207.198.31.238 - - [03/Dec/2002:00:15:16 -0500] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\script.exe HTTP/1.1" 404 246
> 195.92.95.61 - - [03/Dec/2002:05:16:21 -0500] "HEAD /cobalt-images/welcome2.gif HTTP/1.0" 404 0
> 202.62.83.82 - - [03/Dec/2002:10:25:49 -0500] "HEAD / HTTP/1.0" 404 0
> 6
>
> This installation is on a Mandrake Linux box, not NT.  Is someone trying
> to hack into the system?
>
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
>
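
Added example, not part of either message and not Apache project code: a Python sketch that parses access-log entries like those quoted above, flags the double-encoded IIS traversal probes, and reports which "Redirect gone" prefix from the reply would cover each request. The sample lines are re-typed from the quoted log with the mail wrapping undone; the function names are hypothetical, and segment-wise prefix matching is an assumption modelled on how mod_alias compares paths.

```python
import re
from urllib.parse import unquote

# Prefixes copied from the "Redirect gone" list in the reply above.
GONE = ["/scripts", "/MSADC", "/c", "/d", "/_vti_bin", "/_mem_bin", "/msadc",
        "/favicon.ico", "/default.ida", "/sumthin", "/galaxy_15592.15938",
        "/NULL.printer", "/NULL.ida", "/NULL.idq"]

# Common Log Format. The protocol token is optional because the first
# quoted entry has none.
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (.*?)(?: (HTTP/\d\.\d))?" (\d{3}) (\S+)$')

# Constructed sample: entries from the quoted log, mail line-wrapping undone.
SAMPLE = [
    r'66.137.7.57 - - [02/Dec/2002:19:49:26 -0500] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -',
    r'61.56.232.58 - - [02/Dec/2002:19:49:53 -0500] "HEAD / HTTP/1.0" 404 0',
    r'208.47.206.2 - - [02/Dec/2002:22:01:40 -0500] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\script.exe HTTP/1.1" 404 246',
    r'195.92.95.61 - - [03/Dec/2002:05:16:21 -0500] "HEAD /cobalt-images/welcome2.gif HTTP/1.0" 404 0',
]

def fully_decode(s, max_rounds=5):
    """Percent-decode until stable, so %255c -> %5c -> backslash."""
    for _ in range(max_rounds):
        nxt = unquote(s)
        if nxt == s:
            break
        s = nxt
    return s

def gone_prefix(path):
    """Return the listed prefix covering path, matching whole path segments."""
    return next((p for p in GONE if path == p or path.startswith(p + "/")), None)

def classify(line):
    """Parse one log line; return None if it is not Common Log Format."""
    m = CLF.match(line)
    if not m:
        return None
    ip, _when, _method, target, _proto, status, _size = m.groups()
    decoded = fully_decode(target).replace("\\", "/").lower()
    probe = "../" in decoded and "cmd.exe" in decoded
    return {"ip": ip, "status": int(status), "iis_probe": probe,
            "gone_prefix": gone_prefix(target.split("?", 1)[0])}

def probe_sources(lines):
    """Sorted client addresses that sent at least one IIS traversal probe."""
    hits = (classify(l) for l in lines)
    return sorted({h["ip"] for h in hits if h and h["iis_probe"]})
```

Because matching is by whole path segment, `/cobalt-images/welcome2.gif` is not covered by the `/c` entry, while both `cmd.exe` requests fall under `/scripts`.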



