httpd-users mailing list archives

From Tom Diehl <tdi...@rogueind.com>
Subject [users@httpd] Re: stopping hackers
Date Tue, 01 Jul 2003 14:59:55 GMT
On Tue, 1 Jul 2003, Sam Carleton wrote:

> I discovered my apache web server was down this morning.  When I
> looked at the error log, I discovered this:
> 
> 
> [Mon Jun 30 23:32:56 2003] [error] [client 65.27.114.84] File does not exist: /usr/local/apache/htdocs/MSADC/root.exe
> [Mon Jun 30 23:33:00 2003] [error] [client 65.27.114.84] File does not exist: /usr/local/apache/htdocs/c/winnt/system32/cmd.exe
> [Mon Jun 30 23:33:04 2003] [error] [client 65.27.114.84] File does not exist: /usr/local/apache/htdocs/d/winnt/system32/cmd.exe
> [Mon Jun 30 23:33:05 2003] [error] [client 65.27.114.84] File does not exist: /usr/local/apache/htdocs/scripts/..%5c../winnt/system32/cmd.exe
> [Mon Jun 30 23:33:07 2003] [error] [client 65.27.114.84] File does not exist: /usr/local/apache/htdocs/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
> [Mon Jun 30 23:33:09 2003] [error] [client 65.27.114.84] File does not exist: /usr/local/apache/htdocs/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
> [Mon Jun 30 23:33:10 2003] [error] [client 65.27.114.84] File does not exist: /usr/local/apache/htdocs/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe
> [Mon Jun 30 23:33:12 2003] [error] [client 65.27.114.84] File does not exist: /usr/local/apache/htdocs/scripts/..Á../winnt/system32/cmd.exe
> [Mon Jun 30 23:33:15 2003] [error] [client 65.27.114.84] File does not exist: /usr/local/apache/htdocs/scripts/..À¯../winnt/system32/cmd.exe
> [Mon Jun 30 23:33:19 2003] [error] [client 65.27.114.84] File does not exist: /usr/local/apache/htdocs/scripts/..Áœ../winnt/system32/cmd.exe
> [Mon Jun 30 23:33:30 2003] [error] [client 65.27.114.84] File does not exist: /usr/local/apache/htdocs/scripts/..%5c../winnt/system32/cmd.exe
> [Mon Jun 30 23:33:32 2003] [error] [client 65.27.114.84] File does not exist: /usr/local/apache/htdocs/scripts/..%2f../winnt/system32/cmd.exe
> [Mon Jun 30 23:58:30 2003] [error] [client 216.39.50.54] File does not exist: /usr/local/apache/htdocs/robots.txt
> [Tue Jul  1 00:00:02 2003] [warn] child process 8197 still did not exit, sending a SIGTERM
> [Tue Jul  1 00:00:06 2003] [error] child process 8197 still did not exit, sending a SIGKILL
> [Tue Jul  1 00:00:06 2003] [notice] caught SIGTERM, shutting down
> 
> My two questions are:
> 
> 1: what is the whole child process 8197 about?

Not sure.

> 2: How should I configure Apache to not allow this type of
> attack?

These are winbloze viruses like nimda and code red trying to exploit your
M$ IIS server. Since you do not appear to have one of them you just get the
error that the files are not there. Not much you can do about it short of blocking
every windoze machine in the world at the firewall. Short of that and if you
have a lot of time on your hands you could start notifying the owners of the
machines that they are infected.

HTH,

-- 
......Tom		Registered Linux User #14522	http://counter.li.org
tdiehl@rogueind.com	My current SpamTrap ------->	mtd123@rogueind.com


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
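
One way to separate this kind of IIS-worm noise from genuine missing-file errors in an Apache error log, as an added example that is not part of the original thread or of Apache itself. The sample log is constructed in the format quoted above, the client addresses are documentation-range placeholders, and the function names and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the same Apache error-log format as the quoted lines;
# client addresses are documentation-range placeholders, not real hosts.
SAMPLE_LOG = """\
[Mon Jun 30 23:32:56 2003] [error] [client 192.0.2.10] File does not exist: /usr/local/apache/htdocs/MSADC/root.exe
[Mon Jun 30 23:33:00 2003] [error] [client 192.0.2.10] File does not exist: /usr/local/apache/htdocs/c/winnt/system32/cmd.exe
[Mon Jun 30 23:33:05 2003] [error] [client 192.0.2.10] File does not exist: /usr/local/apache/htdocs/scripts/..%5c../winnt/system32/cmd.exe
[Mon Jun 30 23:33:32 2003] [error] [client 192.0.2.10] File does not exist: /usr/local/apache/htdocs/scripts/..%2f../winnt/system32/cmd.exe
[Mon Jun 30 23:58:30 2003] [error] [client 198.51.100.7] File does not exist: /usr/local/apache/htdocs/robots.txt
[Tue Jul  1 00:00:06 2003] [notice] caught SIGTERM, shutting down
"""

# Matches only "File does not exist" errors that carry a client address.
LINE_RE = re.compile(
    r"^\[[^\]]+\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"File does not exist: (?P<path>.+)$"
)

# Request shapes visible in the quoted log: cmd.exe/root.exe targets, the
# Windows system directory, and encoded "..\" or "../" traversal sequences.
IIS_PROBE_RE = re.compile(
    r"/(?:cmd|root)\.exe$|/winnt/system32/|\.\.%(?:5c|2f)", re.IGNORECASE
)

def summarize(log_text):
    """Return {client_ip: {"probes": n, "other": n}} for missing-file errors."""
    counts = defaultdict(lambda: {"probes": 0, "other": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # notices, warnings and other error types are skipped
        kind = "probes" if IIS_PROBE_RE.search(m.group("path")) else "other"
        counts[m.group("ip")][kind] += 1
    return dict(counts)

def probing_clients(log_text, threshold=3):
    """Clients with at least `threshold` IIS-style probes, sorted by address."""
    return sorted(ip for ip, c in summarize(log_text).items()
                  if c["probes"] >= threshold)

if __name__ == "__main__":
    for ip, c in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{ip}: {c['probes']} IIS probe(s), {c['other']} other missing file(s)")
    print("likely worm sources:", probing_clients(SAMPLE_LOG))
```
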

