Re: Strange entries in Apache access_log

From: Ryan Russell (ryan@securityfocus.com)
Date: 08/30/01


Date: Thu, 30 Aug 2001 11:51:14 -0600 (MDT)
From: Ryan Russell <ryan@securityfocus.com>
To: Bart Haezeleer <bart.haezeleer@wim.vlaanderen.be>
Subject: Re: Strange entries in Apache access_log
Message-ID: <Pine.GSO.4.30.0108301146540.25446-100000@mail>

On Thu, 30 Aug 2001, Bart Haezeleer wrote:

> 64.225.196.160 - - [24/Aug/2001:21:02:21 +0200] "GET /NULL.printer
> HTTP/1.0" 404 280

Someone is checking if you're vulnerable to this:
http://www.securityfocus.com/bid/2674

If you are, it's something to worry about. I think the 404 indicates
that you're probably OK, but check anyway. We've been seeing a lok of
.printer attempts lately..

For people who are vulnerable, you'll get no indication in the web logs
that a successful exploit happened. The only clue is a w3svr restart in
the event logs. I tried a couple of the exploits for this hole when it
can out, and they work really well.

> 63.251.5.46 - - [30/Aug/2001:09:20:04 +0200] "GET
> http://www.yahoo.com/index.html HTTP/1.1" 200 2890

We get stuff like this every once in a while on our web servers. I don't
know why. I imagine it could happen if someone's DNS got confused or
modified... but I don't know what the point is.

                                        Ryan

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com



Relevant Pages

  • Re: Strange entries in Apache access_log
    ... Strange entries in Apache access_log ... Ryan Russell wrote: ... you'll get no indication in the web logs ...
    (Incidents)
  • Re: Problem with Apache22
    ... I have a problem where my Apache procs are dying almost exactly every ... minutes as you can from the messages and web logs below: ... used in the machine (e.g. built on one machine with CPU optimizations ... Are you using PHP as mod_php? ...
    (freebsd-questions)
  • Re: Internally generated spam - but from where?
    ... could generate many mails? ... If it is not apache try sniffing. ... I have searched my web logs for ...
    (comp.mail.sendmail)