Mailing-List: contact users-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: users@httpd.apache.org
From: "Jeremy Whitlock" <jwhitlock@starprecision.com>
To: <users@httpd.apache.org>
Date: Thu, 24 Jul 2003 11:03:15 -0600
Organization: Star Precision, Inc.
Message-ID: <007901c35205$793dc030$e0c7c7c7@starprecision.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
Importance: Normal
In-Reply-To: <Pine.WNT.4.55.0307241253110.1412@Poste3947.hec.ca>
Subject: RE: [users@httpd] Server Access Log Understanding

Joshua,
	Thanks again.  What I meant by leeching is that people scan
websites for files in the same directory as the website and download
them.  If I had a website:

http://www.mysite.com

	and I had a file called "Jeremy.zip" in the same directory as
the website files for the site, they can download them by using some
software/method to see what's in the directory.  Does that make sense?
Thanks, Jeremy

-----Original Message-----
From: Joshua Slive [mailto:joshua@slive.ca] 
Sent: Thursday, July 24, 2003 10:59 AM
To: users@httpd.apache.org
Subject: RE: [users@httpd] Server Access Log Understanding


On Thu, 24 Jul 2003, Jeremy Whitlock wrote:

> Joshua,
> 	I haven't done anything like that.  I just hate to see that
> people are even trying I guess.  I also see that people are "leeching"
> my files that I've put in one of the folders.  Is there anyway to stop
> leeching?  Thanks, Jeremy

If it gives you any consolation, you are not alone.  This is not some
individual hacker picking on you, this is either:
1. A worm that is spreading on its own.
2. A hacker that is scanning huge portions of the internet for any
vulnerable server.

In general, these worms and hackers are targetting IIS, so there is very
little chance of an apache server being affected.

As far as "leeching", you need to define what you mean.  If you mean
that
people are inlining your images into their own pages, you should look at
"Prevent image theft" under:
http://httpd.apache.org/docs-2.0/env.html#examples

> P.S. - How can I tell if someone were successful at trying to hack my
> machine?  Is there any status code or such I can look for?

Well, a status code starting in 2 means that the request was successful.
But a successful request does not mean a successful hack (and the
contrary
applies as well, actually).

I don't think there is any magic formula for figuring out if you've been
hacked.  That's why people make big bucks selling crappy intrusion
detection software.

One thing you can try is to extract a part of the request and type it
into
google to see what people are saying about it.  Usually you can find out
what exploit is being used, and make sure you are not vulnerable to that
exploit.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org