Re: Strange entries in Apache access_log

From: Ryan Russell (ryan@securityfocus.com)
Date: 08/30/01

Previous message: Curt Purdy: "RE: ntoskrnl.exe issue"
Next in thread: Jose Nazario: "Re: Strange entries in Apache access_log"
Reply: Jose Nazario: "Re: Strange entries in Apache access_log"
Reply: Sven Koch: "Re: Strange entries in Apache access_log"
Reply: Ben Ford: "Re: Strange entries in Apache access_log"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Thu, 30 Aug 2001 11:51:14 -0600 (MDT)
From: Ryan Russell <ryan@securityfocus.com>
To: Bart Haezeleer <bart.haezeleer@wim.vlaanderen.be>
Subject: Re: Strange entries in Apache access_log
Message-ID: <Pine.GSO.4.30.0108301146540.25446-100000@mail>

On Thu, 30 Aug 2001, Bart Haezeleer wrote:

> 64.225.196.160 - - [24/Aug/2001:21:02:21 +0200] "GET /NULL.printer
> HTTP/1.0" 404 280

Someone is checking if you're vulnerable to this:
http://www.securityfocus.com/bid/2674

If you are, it's something to worry about. I think the 404 indicates
that you're probably OK, but check anyway. We've been seeing a lok of
.printer attempts lately..

For people who are vulnerable, you'll get no indication in the web logs
that a successful exploit happened. The only clue is a w3svr restart in
the event logs. I tried a couple of the exploits for this hole when it
can out, and they work really well.

> 63.251.5.46 - - [30/Aug/2001:09:20:04 +0200] "GET
> http://www.yahoo.com/index.html HTTP/1.1" 200 2890

We get stuff like this every once in a while on our web servers. I don't
know why. I imagine it could happen if someone's DNS got confused or
modified... but I don't know what the point is.

Ryan

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

Previous message: Curt Purdy: "RE: ntoskrnl.exe issue"
Next in thread: Jose Nazario: "Re: Strange entries in Apache access_log"
Reply: Jose Nazario: "Re: Strange entries in Apache access_log"
Reply: Sven Koch: "Re: Strange entries in Apache access_log"
Reply: Ben Ford: "Re: Strange entries in Apache access_log"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Strange entries in Apache access_log
... Strange entries in Apache access_log ... Ryan Russell wrote: ... you'll get no indication in the web logs ...
(Incidents)
Re: Problem with Apache22
... I have a problem where my Apache procs are dying almost exactly every ... minutes as you can from the messages and web logs below: ... used in the machine (e.g. built on one machine with CPU optimizations ... Are you using PHP as mod_php? ...
(freebsd-questions)
Re: Internally generated spam - but from where?
... could generate many mails? ... If it is not apache try sniffing. ... I have searched my web logs for ...
(comp.mail.sendmail)