httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Peter Horn <peter.h...@bigpond.com>
Subject [users@httpd] Re: client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.test0:)
Date Thu, 19 Aug 2010 01:12:55 GMT
  On 06:59, Norman Khine wrote:
> i get these in my
>
> # tail -f /var/log/apache2/error_log
>
> [Tue Aug 17 15:13:00 2010] [notice] Apache/2.2.15 (Unix)
> mod_ssl/2.2.15 OpenSSL/0.9.8o configured -- resuming normal operations
> [Tue Aug 17 15:14:56 2010] [error] [client 188.165.201.59] File does
> not exist: /var/www/localhost/htdocs/test_500k.bin
> [Tue Aug 17 15:14:56 2010] [error] [client 188.165.201.59] File does
> not exist: /var/www/localhost/htdocs/2816eca5251644b60664d581cb953980
> [Tue Aug 17 15:16:26 2010] [error] [client 89.19.18.114] client sent
> HTTP/1.1 request without hostname (see RFC2616 section 14.23):
> /w00tw00t.at.ISC.SANS.DFind:)
> [Tue Aug 17 15:17:56 2010] [error] [client 188.165.201.59] File does
> not exist: /var/www/localhost/htdocs/test_500k.bin
> [Tue Aug 17 15:17:56 2010] [error] [client 188.165.201.59] File does
> not exist: /var/www/localhost/htdocs/2816eca5251644b60664d581cb953980
> [Tue Aug 17 15:19:20 2010] [error] [client 79.233.232.211] File does
> not exist: /var/www/localhost/htdocs/101f39bf5983c67258518552c0d8d50f
> [Tue Aug 17 15:19:20 2010] [error] [client 79.233.232.211] File does
> not exist: /var/www/localhost/htdocs/101f39bf5983c67258518552c0d8d50f
> [Tue Aug 17 15:20:30 2010] [error] [client 203.127.11.214] client sent
> HTTP/1.1 request without hostname (see RFC2616 section 14.23):
> /w00tw00t.at.ISC.SANS.test0:)
> [Tue Aug 17 15:20:56 2010] [error] [client 188.165.201.59] File does
> not exist: /var/www/localhost/htdocs/test_500k.bin
> [Tue Aug 17 15:20:56 2010] [error] [client 188.165.201.59] File does
> not exist: /var/www/localhost/htdocs/2816eca5251644b60664d581cb953980
>
>
> from the IP addresses i see they originate from turkey, singapore and
> from users from within ovh.com this is my host.
>
> does this mean that my server is being probed?
>
> thanks
>
>
Hi Norman,
Yes, the w00tw00t is a good sign of probing. It is one of many that you 
will get to know (but probably not love!) if you watch your logs. They 
are looking for ways to compromise your server for whatever nefarious 
purposes. I suggest you implement a default name virtual host that 
rejects all requests. That will at least stop those that are just 
scanning IP addresses looking for responses on port 80. (No prober has 
yet found my server by name, though about 60% of my total traffic is 
IP-addressed probes.)
Regards,
Peter


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message