Re: Messages in HTTPD log

From: Mark Taylor (mtaylor_at_lrim.com)
Date: 08/31/03


Date: 31 Aug 2003 08:43:02 -0500

navinsam_in@hotmail.com (Mica) wrote in
news:ee43c964.0308310524.2c178639@posting.google.com:

> I'm running Apache 2.0 on RH Linux behind a firewall. I have set up
> DNAT to enable port 80 requests to be forwarded to my httpd server in
> the internal n/w.
>
> I found this line in my httpd access_log.
>
> xx.xx.xx.xx - - [31/Aug/2003:01:28:45 -0400] "GET
> /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1" 404
> 1050 "-" "-"
>
> and the following lines in error_log
>
> [Sun Aug 31 01:28:44 2003] [error] [client xx.xx.xx.x] File does not
> exist: /var/www/html/scripts
>
> [Sun Aug 31 01:28:45 2003] [error] [client xx.xx.xx.xx] File does not
> exist: /var/www/html/scripts
>
>
> What was the person trying to accomplish? I guess he didn't find much
> success.
> Can I do anything more to prevent such requests coming to my webserver?
>
> TIA
> Navin.
>

It is a user looking for a Windows machine running IIS, and attempting to
list the directory in hopes of hacking you. Not any consideration to a
*nix machine, and *probably* will not work even if you are running Apache
on Windows.

There are some rules you could write to keep the log entries from occurring,
but no way besides blocking the IP from your network to prevent the
attempts.

Mark
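
Added example, not part of the original thread: a small Python log scanner that percent-decodes the request path repeatedly, so the `%252e` in the quoted access_log entry resolves to `.` and the request is flagged as a traversal probe for `cmd.exe`. The function names and the second, benign log line are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache common/combined log prefix: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"\S+ (?P<target>.*?) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

def fully_decode(value, max_rounds=5):
    """Percent-decode until the string stops changing; return (decoded, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def classify(line):
    """Return a finding dict for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("target").split("?", 1)[0]   # drop the query string
    decoded, rounds = fully_decode(path)
    reasons = []
    if ".." in re.split(r"[/\\]", decoded):       # dot-dot segment after decoding
        reasons.append("traversal")
    if rounds > 1:                                # %25xx: encoded more than once
        reasons.append("multi-encoded")
    if decoded.lower().endswith("/cmd.exe"):      # Windows shell, as in the post
        reasons.append("cmd.exe")
    if not reasons:
        return None
    return {"host": m.group("host"), "status": int(m.group("status")),
            "decoded": decoded, "rounds": rounds, "reasons": reasons}

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

SAMPLE_LOG = [
    # Entry quoted in the post (joined onto one line, address redacted as posted).
    r'xx.xx.xx.xx - - [31/Aug/2003:01:28:45 -0400] "GET /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1" 404 1050 "-" "-"',
    # Constructed benign request for contrast.
    '192.0.2.7 - - [31/Aug/2003:01:30:02 -0400] "GET /docs/my%20file.html HTTP/1.1" 200 2326 "-" "-"',
]
```

The `status` field in each finding separates probes that missed (404, as in the post) from flagged requests that were actually served and deserve a closer look.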