Re: strange http get requests in apache access logs




aldiones wrote:

Could you please share how you prevented this from happening in
your server?

It would be greatly appreciated.

Thanks!

On 10/16/06, rowland onobrauche <rowland.onobrauche@xxxxxxxxxxxxx> wrote:




Aubs wrote:

Care to share with all? on the list - After all you did ask for
help :)

On 13/10/06, rowland onobrauche <rowland.onobrauche@xxxxxxxxxxxxx> wrote:


Digital Ebola wrote:

On 10/13/06, rowland onobrauche <rowland.onobrauche@xxxxxxxxxxxxx> wrote:


Hi all.

I'm getting logs such as

"GET http://www.escorts-etc.com/cgi-bin/ftop100/rankem.cgi?id=gagvault HTTP/1.0" 200 147 "http://www.gagvault.com/linkspage.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

in some of my httpd access logs, even though this type of site
is not existent on the server. Anyone seen this before??



-

------------------------------------------------------------------------------

This List Sponsored by: Black Hat

Attend the Black Hat Briefings & Training USA, July 29-August 3
in Las Vegas. World renowned security experts reveal tomorrow's
threats today. Free of vendor pitches, the Briefings are designed
to be pragmatic regardless of your security environment.
Featuring 36 hands-on training courses and 10 conference tracks,
networking opportunities with over 2,500 delegates from 40+
nations.

http://www.blackhat.com -

------------------------------------------------------------------------------





Are you running any type of proxy configuration?





No proxy, but someone has explained what the problem is.

thanks very much to all








Thanks to all for the help.

I have since found that it was someone scanning for an open proxy.


regards

rowlando






-- Good design adds value faster than it adds cost.


All I could do was block the IP from the whole network and install
mod_security on this particular server.


rowlando
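
The requests discussed in this thread carry a full URL for another site in the request line, which is how an open-proxy scan shows up in an access log. As an added example (not part of the original posts), this Python script flags such absolute-URI and CONNECT requests in combined-format log lines and counts the ones answered with a 2xx status; `LOCAL_HOSTS`, the client IPs, the timestamps and all sample lines other than the quoted request are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hostnames this server legitimately answers for (assumption: placeholder values).
LOCAL_HOSTS = {"www.example.org", "example.org"}

# Apache combined format: ip ident user [time] "METHOD target PROTO" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def classify(line, local_hosts=LOCAL_HOSTS):
    """Return (ip, kind, foreign_host, status) for a proxy-style request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    method, target = m["method"], m["target"]
    if method == "CONNECT":                      # CONNECT host:port
        host, kind = target.rsplit(":", 1)[0].lower(), "connect"
    elif "://" in target:                        # GET http://other.site/path
        host, kind = (urlsplit(target).hostname or "").lower(), "absolute-uri"
    else:
        return None                              # ordinary origin-form request
    if host in local_hosts:
        return None                              # absolute URI naming our own vhost
    return m["ip"], kind, host, int(m["status"])

def summarize(lines, local_hosts=LOCAL_HOSTS):
    """Group probes per client IP; 'answered' counts 2xx replies that need follow-up."""
    report = defaultdict(lambda: {"probes": 0, "answered": 0, "hosts": set()})
    for line in lines:
        hit = classify(line, local_hosts)
        if hit:
            ip, _kind, host, status = hit
            report[ip]["probes"] += 1
            report[ip]["answered"] += 200 <= status < 300
            report[ip]["hosts"].add(host)
    return dict(report)

# Constructed sample; only the request, status and size of the first line come from the thread.
SAMPLE = [
    '192.0.2.10 - - [13/Oct/2006:10:15:02 +0100] "GET http://www.escorts-etc.com/cgi-bin/ftop100/rankem.cgi?id=gagvault HTTP/1.0" 200 147 "http://www.gagvault.com/linkspage.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.0.2.10 - - [13/Oct/2006:10:15:03 +0100] "CONNECT mail.example.net:25 HTTP/1.0" 405 226 "-" "-"',
    '198.51.100.7 - - [13/Oct/2006:10:16:40 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Oct/2006:10:16:41 +0100] "GET http://www.example.org/about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
```

An `answered` count above zero is a prompt to confirm that forward proxying is disabled (for example `ProxyRequests Off` when mod_proxy is loaded), since a 2xx status alone does not show whether the request was relayed.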






