Re: Strange entries in Apache access_log

From: Ryan Russell (
Date: 08/30/01

Date: Thu, 30 Aug 2001 11:51:14 -0600 (MDT)
From: Ryan Russell <>
To: Bart Haezeleer <>
Subject: Re: Strange entries in Apache access_log
Message-ID: <Pine.GSO.4.30.0108301146540.25446-100000@mail>

On Thu, 30 Aug 2001, Bart Haezeleer wrote:

> - - [24/Aug/2001:21:02:21 +0200] "GET /NULL.printer
> HTTP/1.0" 404 280

Someone is checking if you're vulnerable to this:

If you are, it's something to worry about. I think the 404 indicates
that you're probably OK, but check anyway. We've been seeing a lok of
.printer attempts lately..

For people who are vulnerable, you'll get no indication in the web logs
that a successful exploit happened. The only clue is a w3svr restart in
the event logs. I tried a couple of the exploits for this hole when it
can out, and they work really well.

> - - [30/Aug/2001:09:20:04 +0200] "GET
> HTTP/1.1" 200 2890

We get stuff like this every once in a while on our web servers. I don't
know why. I imagine it could happen if someone's DNS got confused or
modified... but I don't know what the point is.


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: