Re: Apache logs

From: Brad
Date: Thu, 13 Dec 2001 09:57:23 GMT

On Sat, 08 Dec 2001 11:56:11 +0100, Tim Dijkstra wrote:
: I've got a box at home running apache, since a few weeks now. I noticed
: some strange things in the apache logs:
: - - [02/Dec/2001:11:04:45 +0100]
: "HEAD%00/%20HTTP/1.0%0D%0A%0D%0AAccept%3A%20nyomlwiklafqwzlxzna/../../i
: ndex.html%3fcsqwfwfvxopabeg=/../cvpjwbsmxakqxlgjhgxiounradpisocmzbmlvqr
: awwuaqgqxzhqjbmxi
: <knip, goes on a while>
: auaeshxlnhxicvcykuwplrabgzrnoht/.././%50%44%47_%43%41%52%54/./ HTTP/1.0"
: 501 1807

Looks like the HTTP request was URL-encoded[1] to try and slip past any
IDS[2] that might get in its way, or to obfuscate the sender's intentions,
or maybe just for the hell of it. Whatever the reason, the above decodes to:

HEAD&/ HTTP/1.0\r\n
Accept: nyomlwiklafqwzlxzna/../../index.html?csqwfwfvxopabeg=/../cvpjwbsmx
[my linebreak]
[your snip]
auaeshxlnhxicvcykuwplrabgzrnoht.././PDG_CART/./ HTTP/1.0

: I suppose someone is trying to do something nasty here... But I think
: he/she didn't succeed.

Well, PDG_CART is something one might normally see in one's logs if one was
running PDG Shopping Cart software[3]. This, however, looks like a
specially crafted HTTP request to somehow exploit a server believed to be
running this software, presumably by gaining unauthorized access to some
directory named "PDG_CART". A quick Google search[4] indicates that indeed
this particular package doesn't have a stellar security record,
particularly when it comes to keeping certain directories safe, and is
targeted by a number of webserver vulnerability scanners.

: Now the question is; what should I do?

When in panic, when in doubt, run in circles, scream and shout!

: Report it somewhere?

The source IP belongs to Verio[5], and traces to their Mountain View, CA
facility. You could report it to them.

Or, you could bring that IP up in a browser and be taken to the homepage of
Sygate Technologies[6], who combine the best of Seagate and Sybase (?!) by
offering a variety of port-scanning services through their website. I
don't, however, see any mention of scanning for vulnerabilities in specific
CGI programs. You may want to read through their site more thoroughly than
I did, or ask them what this is all about, especially if you don't recall
having ever requested such a scan from them.

[1] <URL:>
[2] <URL:>
[3] <URL:>
[4] <URL:>
[5] <URL:>
[6] <URL:>

Regards, Brad.

<>  "If you think the bottom's fallen out of your world, drink some
<>   Newcastle Brown Ale and have the world fall out of your bottom."
<>   --(seen on a bathroom wall)
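As an added example, not part of Brad's post and not code from Apache or from the PDG Shopping Cart project, here is a small Python triage script that does the decoding step above over whole log lines rather than by hand. It percent-decodes the request field repeatedly (so double encoding such as %252e is caught), flags NUL bytes, embedded CRLFs, "../" segments and watch-listed paths such as PDG_CART, and collapses the "./" and "../" padding to show where a request ultimately points. The log lines in it are constructed: the host 192.0.2.10 is a placeholder, the first request is the one quoted in the thread rejoined with its snipped middle left out, and the other two lines are made up for comparison.

```python
"""Decode and triage URL-encoded request lines from an Apache access log.

Added example, not code from the original post. The log lines below are
constructed: the host 192.0.2.10 is a placeholder, the first request is the
one quoted in the thread rejoined with its snipped middle left out, and the
other two lines are made up for comparison.
"""
import posixpath
import re
from urllib.parse import unquote

# Common Log Format: host ident authuser [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Methods Apache 1.3 understood; anything else in the method slot earns a 501.
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}

# Path components that only a CGI scanner or an exploit attempt asks a
# random server for. Extend with whatever your own logs keep showing.
WATCHLIST = ("PDG_CART",)

MAX_DECODE_ROUNDS = 4  # stop runaway loops on pathological input

SAMPLE_LOG = [
    '192.0.2.10 - - [02/Dec/2001:11:04:45 +0100] "HEAD%00/%20HTTP/1.0%0D%0A'
    '%0D%0AAccept%3A%20nyomlwiklafqwzlxzna/../../index.html%3fcsqwfwfvxopabeg='
    '/../cvpjwbsmxakqxlgjhgxiounradpisocmzbmlvqrawwuaqgqxzhqjbmxi'
    'auaeshxlnhxicvcykuwplrabgzrnoht/.././%50%44%47_%43%41%52%54/./ HTTP/1.0"'
    ' 501 1807',
    '192.0.2.10 - - [02/Dec/2001:11:05:02 +0100] "GET /index.html HTTP/1.0"'
    ' 200 1234',
    # Double-encoded traversal (%25 -> %, then %2e -> .): one pass misses it.
    '192.0.2.10 - - [02/Dec/2001:11:05:30 +0100] '
    '"GET /%252e%252e/%252e%252e/etc/passwd HTTP/1.0" 404 300',
]


def decode_fully(s):
    """Percent-decode until the string stops changing, so %252e (which one
    pass only turns into %2e) ends up as "." the way a server component that
    decodes twice would see it. Returns (decoded, passes_that_changed_it)."""
    rounds = 0
    while rounds < MAX_DECODE_ROUNDS:
        nxt = unquote(s)
        if nxt == s:
            break
        s, rounds = nxt, rounds + 1
    return s, rounds


def triage_request(request_field):
    """Decode one request field and return (findings, effective_target)."""
    decoded, rounds = decode_fully(request_field)
    # Apache splits the raw, still-encoded request line on whitespace; the
    # first token is whatever it took to be the method.
    method = request_field.split(" ", 1)[0]
    findings = []
    if method not in KNOWN_METHODS:
        findings.append("unknown-method")
    if rounds > 1:
        findings.append("multi-encoded")
    if "\x00" in decoded:
        findings.append("nul-byte")          # C-string truncation games
    if "\r\n" in decoded:
        findings.append("embedded-crlf")     # smuggled header/request lines
    if ".." in decoded.split("/"):
        findings.append("traversal")
    hits = [w for w in WATCHLIST if w.lower() in decoded.lower()]
    if hits:
        findings.append("watchlist:" + ",".join(hits))
    # Where does the path land once the "./" and "../" padding cancels out?
    # Drop the protocol suffix, start at the first "/", and normalise.
    without_proto = decoded.rsplit(" HTTP/", 1)[0]
    slash = without_proto.find("/")
    target = posixpath.normpath(without_proto[slash:]) if slash >= 0 else ""
    return findings, target


def scan_log(lines):
    """Parse each log line and attach triage results; unparsable lines are skipped."""
    results = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings, target = triage_request(m.group("request"))
        results.append({
            "host": m.group("host"),
            "status": m.group("status"),
            "findings": findings,
            "target": target,
        })
    return results


if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG):
        flag = "SUSPECT" if r["findings"] else "ok"
        print(f'{flag:7} {r["host"]} {r["status"]} -> {r["target"]!r} {r["findings"]}')
```

Run as a script it prints one line per log entry. The quoted request comes out flagged as unknown-method, nul-byte, embedded-crlf, traversal and a PDG_CART watch-list hit, with an effective target of /PDG_CART once all the random padding segments and "../" cancel out. The unknown-method flag is also consistent with the 501 in the log: Apache tokenises the request line on whitespace before it decodes anything, so the whole encoded blob sat in the method slot and the server answered "Method Not Implemented" without ever dispatching to a CGI.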