Detecting hacking attempts - what should browsers *not* request?

From: Dr. David Kirkby (see_my_signature_for_my_real_address_at_hotmail.com)
Date: 05/30/04


Date: 30 May 2004 13:42:59 -0700

I have a Sun workstation running Solaris 9 with an Apache 1.3.27 web
server (with Sun patches applied). The web server only serves static
pages - there is no dynamic content at all. No php, javascript etc.

Looking at the error log (/var/log/apache/error_log) I can see some
obvious attempts to hack the machine. People looking for cmd.exe,
root.exe, and various dll's. I'd like to dynamically block the IP's of
such attempts in the firewall, so any attempt to hack will result in
the IP being closed within a second or two. Clearly I need to
determine what is a hacking attempt from what is a mis-configured
browser or similar.

Although the Solaris installation of Apache installed a 'scripts'
directory, I don't want anything to run from there, so have made the
permissions such that nothing can be read.

# ls -ld /var/apache/htdocs/scripts
d--------- 4 root bin 512 Dec 16 13:43 /var/apache/htdocs/scripts

Attempts to access a 'scripts' directory, as in the entries below, are
often recorded in the error_log. Given all the web pages are static,
can I assume *any* record of 'scripts' in the error_log is a sign of
some sort of undesirable behaviour?

[Sun May 23 09:07:01 2004] [crit] [client 64.210.196.197] (13)Permission denied: /var/apache/htdocs/scripts/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
[Tue May 25 06:49:14 2004] [crit] [client 63.148.99.237] (13)Permission denied: /var/apache/htdocs/scripts/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable

So far the firewall is configured to immediately block any IP that
produces any of the following lines in the Apache error_log file.

root.exe
URI
cmd.exe
dll
asp
default.ida
_mem_bin
_vti_bin
msadc
x01
%5c
NULL.printer
winnt
MSOffice

These seem to be the ones I notice. Any comments on this list ??

I am of course running on Solaris, not Windoze, but I guess if someone
wants to try hacking Windoze boxes, I'd like to block them anyway.

I'm sure someone is going to say my method of dynamically adding
firewall rules to block IP's can be used as a DOS attack. I appreciate
this might be so, but I feel it's a risk worth taking.
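As an added example (not code from the post), a small Python filter that parses Apache 1.3 error_log lines, records which of the listed substrings each client IP triggered, and renders block rules in ipf(1M) syntax. The sample log lines are constructed, the IP Filter rule syntax is an assumption about which firewall is in use, and the benign /aspects.html request shows why a bare substring such as "asp" needs care before it feeds an automatic block.

```python
import re
from collections import defaultdict

# Substrings the poster blocks on, copied from the list in the post.
SIGNATURES = [
    "root.exe", "URI", "cmd.exe", "dll", "asp", "default.ida", "_mem_bin",
    "_vti_bin", "msadc", "x01", "%5c", "NULL.printer", "winnt", "MSOffice",
]

# Apache 1.3 error_log line: "[timestamp] [level] [client A.B.C.D] message".
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
    r"\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] (?P<msg>.*)$"
)

def parse_line(line):
    """Return (ip, message) for a well-formed error_log line, else None."""
    m = LOG_RE.match(line.strip())
    return (m.group("ip"), m.group("msg")) if m else None

def matched_signatures(msg, signatures=SIGNATURES):
    """Case-sensitive substring match, i.e. what grepping for the list does."""
    return [s for s in signatures if s in msg]

def offending_ips(lines, signatures=SIGNATURES):
    """Map each client IP to the set of signatures its log lines triggered."""
    hits = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # startup notices and other lines without a client field
        ip, msg = parsed
        hits[ip].update(matched_signatures(msg, signatures))
    return {ip: sigs for ip, sigs in hits.items() if sigs}

def ipf_block_rules(ips):
    """Render block rules in ipf(1M) syntax (assumes IP Filter is the firewall)."""
    return [f"block in quick from {ip} to any" for ip in sorted(ips)]

# Constructed sample: one line modelled on the post, one scan, one benign 404.
SAMPLE_LOG = """\
[Sun May 23 09:07:01 2004] [crit] [client 64.210.196.197] (13)Permission denied: /var/apache/htdocs/scripts/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
[Tue May 25 06:49:14 2004] [error] [client 192.0.2.10] File does not exist: /var/apache/htdocs/scripts/..%5c../winnt/system32/cmd.exe
[Tue May 25 07:01:30 2004] [error] [client 192.0.2.20] File does not exist: /var/apache/htdocs/aspects.html
""".splitlines()

if __name__ == "__main__":
    for rule in ipf_block_rules(offending_ips(SAMPLE_LOG)):
        print(rule)
```

Note that the two .htaccess "Permission denied" lines quoted in the post contain none of the listed substrings, so this list alone would not block those clients; a separate "/htdocs/scripts/" signature would be needed if that is the intent.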


