Re: Apache logsFrom: Brad (firstname.lastname@example.org)
- Next message: Cedric Blancher: "Re: iptables & nfs"
- Previous message: Geoff Dolman: "iptables & nfs"
- Next in thread: Miguel Beher: "Re: Apache logs"
- Reply: Miguel Beher: "Re: Apache logs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: email@example.com (Brad) Date: Thu, 13 Dec 2001 09:57:23 GMT
On Sat, 08 Dec 2001 11:56:11 +0100, Tim Dijkstra wrote:
: I've got a box at home running apache, since a few weeks now. I noticed
: some strange things in the apache logs:
: 188.8.131.52 - - [02/Dec/2001:11:04:45 +0100]
: <knip, goes on a while>
: auaeshxlnhxicvcykuwplrabgzrnoht/.././%50%44%47_%43%41%52%54/./ HTTP/1.0"
: 501 1807
Looks like the HTTP request was url-encoded to try and slip past any
IDS that might get in its way, or to obfuscate the sender's intentions,
or maybe just for the hell of it. Whatever the reason, the above decodes
: I suppose someone is trying to do something nasty here...But a think
: he/she didn't succeed.
Well, PDG_CART is something one might normally see in one's logs if one was
running PDG Shopping Cart software. This, however, looks like a
specially crafted HTTP request to somehow exploit a server believed to be
running this software, presumably by gaining unauthorized access to some
directory named "PDG_CART". A quick Google search indicates that indeed
this particular package doesn't have a stellar security record,
particularly when it comes to keeping certain directories safe, and is
targeted by a number of webserver vulnerability scanners.
: Now the question is; what should I do?
When in panic, when in doubt, run in circles, scream and shout!
: Report it somewhere?
The source IP belongs to Verio, and traces to their Mountain View, CA
facility. You could report it to them.
Or, you could bring that IP up in a browser and be taken to the homepage of
Sygate Technologies, who combine the best of Seagate and Sybase (?!) by
offering a variety of port-scanning services through their website. I
don't, however, see any mention of scanning for vulnerabilities in specific
CGI programs. You may want to read through their site more thoroughly than
I did, or ask them what this is all about, especially if you don't recall
having ever requested such a scan from them.
-- <> "If you think the bottom's fallen out of your world, drink some <> Newcastle Brown Ale and have the world fall out of your bottom." <> --(seen on a bathroom wall)