From: "KAN NAN"
To: users@httpd.apache.org
Date: Wed, 03 Sep 2003 15:40:00 +0000
Subject: Re: [users@httpd] Request !

Dear Friends,

I even tried the wget command. It generates an HTTP request, downloads the page and saves it in the current directory. But how could those people have used this utility to POST something to my web server?

Awaiting your replies,
-kannan

----- Attached message -----
From: "KAN NAN"
To: users@httpd.apache.org
Date: Wed, 03 Sep 2003 15:02:45 +0000
Subject: Re: [users@httpd] Request !

Dear friends,

I accept the points given by Mr. Garriss and Mr. Geoffrey.
See, these are the log entries from Apache. It is really very difficult to identify what they were trying to do. The reason why I was quite sure that they were using telnet is that our system suffered previously, and at that time I could see that these people were using CONNECT maila.microsoft.com:25....., so in my Apache config file I blocked all kinds of CONNECT requests. That solved it for me. But this time, just have a look at the log entries:

211.147.1.82 - - [02/Sep/2003:08:59:31 +0100] "GET / HTTP/1.1" 400 380
211.147.1.82 - - [02/Sep/2003:08:59:43 +0100] "POST / HTTP/1.1" 500 604

I could very well identify where this IP address belongs, and I can very well block it, but it's not a permanent solution.
You can very well see that the first request was a bad request (400) and immediately these people tried to POST something, which generated an Internal Server Error (500).
I could see such entries in the past also, but now we need to fix it.

waiting for your comments,
thanks,
-kannan

>From: mgarriss
>Reply-To: users@httpd.apache.org
>To: users@httpd.apache.org
>Subject: Re: [users@httpd] Request !
>Date: Wed, 03 Sep 2003 08:46:21 -0600
>
>KAN NAN wrote:
>
>>Dear Friends,
>>We have a web-system using Apache web server and Jserv (servlet
>>engine) running on Windows 2000. Some people attempted to hack
>>our system. I am very sure they were using telnet to access
>>port 80 of my web server. I really don't know what their
>>intention was. The server started giving Internal Server Error
>>immediately after their request. It affected us a lot.
>>Can anyone tell me how I can prevent such attacks, or how
>>I can block all telnet requests into my web system? I tried
>>filtering the User-Agent string in the header; it didn't work. I tried
>>using telnet to generate an HTTP request by giving input for
>>User-Agent as Mozilla/4.0....., and it was accepted, so there is no way
>>that I can filter using User-Agent; they can easily pretend as if
>>the request is from a normal browser.
>
>
>Port 80 is port 80. It is very easy to make a packet look like it's
>a valid HTTP request. In fact, IT IS a valid HTTP request if it
>looks like one, and this is a good thing. You can take any scripting
>language, as another poster pointed out, and write up a little
>mini-client very easily; this is also a good thing. Think of programs
>like 'wget' that use HTTP over port 80. Also imagine if the
>entire world restricted their servers to IE and Mozilla (not
>possible, but just imagine). It would make it impossible to compete
>with these products.
>
>If you have your system configured and set up properly you will
>avoid most attacks. Only the very sophisticated attacks will be a
>problem and being able to block 'telnet' will not help you here.
>
>
>---------------------------------------------------------------------
>The official User-To-User support forum of the Apache HTTP Server
>Project.
>See for more info.
>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
>For additional commands, e-mail: users-help@httpd.apache.org
>


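The two log entries quoted in the thread, run through a small detection script. This is an added example, not part of the original messages and not Apache project code; the function names, the 60-second window and every sample line after the first two are constructed for illustration. It flags CONNECT attempts and a client error followed shortly by a POST that returns a 5xx from the same address, and it tolerates malformed request lines.

```python
import re
from datetime import datetime, timedelta

# Common Log Format, the format of the entries quoted in the thread.
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')

# The first two lines are the entries from the thread; the rest are constructed.
SAMPLE_LOG = """\
211.147.1.82 - - [02/Sep/2003:08:59:31 +0100] "GET / HTTP/1.1" 400 380
211.147.1.82 - - [02/Sep/2003:08:59:43 +0100] "POST / HTTP/1.1" 500 604
192.0.2.10 - - [02/Sep/2003:09:01:02 +0100] "GET /index.html HTTP/1.0" 200 1043
192.0.2.77 - - [02/Sep/2003:09:05:10 +0100] "CONNECT mail.example.test:25 HTTP/1.0" 403 210
192.0.2.10 - - [02/Sep/2003:09:06:00 +0100] "-" 408 -
"""

def parse(line):
    """Return (ip, time, method, status), or None if the line is not CLF."""
    m = CLF.match(line.strip())
    if not m:
        return None
    ip, ts, request, status, _size = m.groups()
    parts = request.split()
    # A well-formed request line is "METHOD target PROTOCOL"; anything else
    # (for example "-" on a timed-out connection) gets method None.
    method = parts[0] if len(parts) == 3 else None
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, int(status)

def find_suspicious(log_text, window=timedelta(seconds=60)):
    """Flag CONNECT attempts and a 4xx followed by a POST 5xx from one IP."""
    findings = []
    last_client_error = {}  # ip -> time of most recent 4xx response
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, when, method, status = rec
        if method == "CONNECT":
            findings.append((ip, "connect-attempt"))
        if 400 <= status < 500:
            last_client_error[ip] = when
        elif status >= 500 and method == "POST":
            prev = last_client_error.get(ip)
            if prev is not None and when - prev <= window:
                findings.append((ip, "4xx-then-POST-5xx"))
    return findings

if __name__ == "__main__":
    for ip, reason in find_suspicious(SAMPLE_LOG):
        print(ip, reason)
```

The check keys on method, status and timing rather than on User-Agent, which the thread already notes a client can set to anything.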