
Bizarre apache logs



Hi

I had some bizarre 404 entries in my apache logs. They are very rare, but it
looks as if they resulted from an attempted attack. Well, say it was a rather
lame attack, but I wonder where the 404 and 400 came from. As the server is
configured, there should be only 403 answers, as the whole http part is
closed, except for one directory and from the intranet. From the outside one
can access the server via https only.

I don't know if I have to be alerted or something, but I would feel better
if someone could check my set-up, just to make sure that it is not a
misconfiguration. The server is an older Compaq Proliant 800, some Pentium
133 MHz. Rather slow; perhaps this has an influence.

Below are the error.log and access.log in question and, at the end, the
relevant section of the httpd.conf.

Regards

Marcel


###############################################################################
access.log: I put some newlines between the 404 and the rest of it.

80.240.96.146 - - [29/Sep/2002:12:50:03 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 403 286 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:04 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 403 284 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:04 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 294 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:04 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 294 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:05 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 308 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:05 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 325 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:05 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 325 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:06 +0200] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 341 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:06 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 307 "-" "-"


80.240.96.146 - - [29/Sep/2002:12:50:06 +0200] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"


80.240.96.146 - - [29/Sep/2002:12:50:07 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 307 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:07 +0200] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 307 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:07 +0200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:08 +0200] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:08 +0200] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 308 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:08 +0200] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 308 "-" "-"

###########################################################################
In the error.log there are the following entries:

[Sun Sep 29 12:50:03 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/scripts
[Sun Sep 29 12:50:04 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/MSADC
[Sun Sep 29 12:50:04 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/c
[Sun Sep 29 12:50:04 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/d
[Sun Sep 29 12:50:05 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/scripts
[Sun Sep 29 12:50:05 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/_vti_bin
[Sun Sep 29 12:50:05 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/_mem_bin
[Sun Sep 29 12:50:06 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/msadc
[Sun Sep 29 12:50:06 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/scripts
[Sun Sep 29 12:50:07 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/scripts
[Sun Sep 29 12:50:07 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/scripts
[Sun Sep 29 12:50:08 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/scripts
[Sun Sep 29 12:50:08 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/scripts

###############################################################################

Here comes my httpd.conf

<Location />
       Order allow,deny
       deny from all
</Location>


<VirtualHost _default_:80>
        ServerName      xxx.foo.com
        ServerAlias     xxx.faa.com


<Location />
      Order allow,deny
      # allow access only from the intranet
      allow from 192.x.x.0/24

      AuthType Basic
      AuthName "foo"
      AuthLDAPBindDN "xxxxxxxxxxxxxxxxxxxxxxxx"
      AuthLDAPBindPassword "xxxxxxxxxxxxxxxxxxx"
      AuthLDAPUrl ldap://dddddddddddddddddddddddddddddddddddddd
      require valid-user

</Location>

<Location /public>
        Order allow,deny
        allow from all
        satisfy any
</Location>


        <Location /zykadmin>
                Order allow,deny
                allow from 192.x.x.0/24
        </Location>


        <Location /servlets>
                Order allow,deny
                Allow from 192.x.x.0/24
        </Location>

        #### Servlets reachable via http
        WebAppDeploy examples warpConnection /servlets/examples/
        WebAppDeploy lagerchargen warpConnection /servlets/agauga/

</VirtualHost>

<VirtualHost _default_:443>
        DocumentRoot    /var/www
        ServerName      xxx.foo.com
        ServerAlias 	yyy.faa.com

        #### Servlets reachable via https
        WebAppDeploy examples warpConnection /servlets/examples/
        WebAppDeploy lagerchargen warpConnection /servlets/agauga/


        <Location />
               Order allow,deny
               allow from all

                AuthType Basic
                AuthName "iiiiiiiiiiiii"
                AuthLDAPBindDN "ooooooooooooooooooo"
                AuthLDAPBindPassword "xxxxxxxxxx"
                AuthLDAPUrl ldap://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
                require valid-user

        </Location>


        <IfModule mod_ssl.c>
                  SSLEngine on
                  SSLCertificateFile    /etc/apache/ssl.crt/server.crt
                  SSLCertificateKeyFile /etc/apache/ssl.key/server.key
#                 SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
        </IfModule>
</VirtualHost>

--------------------

PGP / GPG Key:    http://www.ncpro.com/GPG/mmweber-at-ncpro-com.asc
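Added example, not part of Marcel's post: a small Python triage script for exactly this kind of access.log. It parses Apache common-log lines, percent-decodes each request path repeatedly so that a double-encoded traversal such as `..%255c..` is seen as `..\..`, flags the IIS worm probe markers that occur in the log above (root.exe, cmd.exe, winnt/system32), and summarises per client which status codes the flagged requests drew, so one can confirm at a glance that none of them was answered with a 2xx. The sample lines are copied from the access.log above (rejoined), plus one constructed benign intranet request for contrast; the 192.168.1.10 address is made up.

```python
import re
from collections import defaultdict

# Access log lines copied from the post above (Apache common log format). The
# last line is a constructed benign intranet request; 192.168.1.10 is made up.
SAMPLE_LOG = """\
80.240.96.146 - - [29/Sep/2002:12:50:03 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 403 286 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:05 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 308 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:06 +0200] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:07 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 307 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:07 +0200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287 "-" "-"
192.168.1.10 - - [29/Sep/2002:13:01:00 +0200] "GET /public/index.html HTTP/1.1" 200 1234 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
HEX = set("0123456789abcdefABCDEF")
# Markers taken from the requests in the post: the worm backdoor and the
# command-shell traversal target.
PROBE_MARKERS = ("root.exe", "cmd.exe", "winnt/system32")
# ".." followed by a slash, a backslash, or a non-ASCII byte (what the
# overlong-UTF-8 escapes %c0%af and %c1%1c decode to).
TRAVERSAL_RE = re.compile(r"\.\.[/\\\x80-\xff]")


def percent_decode_once(s: str) -> str:
    """One pass of %XX decoding. Malformed escapes such as '%%35' are kept
    verbatim; each byte maps 1:1 to a character (latin-1 style) so invalid
    UTF-8 like %c0 survives for inspection instead of raising."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "%" and i + 2 < len(s) and s[i + 1] in HEX and s[i + 2] in HEX:
            out.append(chr(int(s[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def normalize_path(path: str, max_passes: int = 3) -> tuple:
    """Decode until the path stops changing. Returns (decoded, passes that
    changed it); 2 or more passes means the request was double-encoded."""
    passes = 0
    for _ in range(max_passes):
        decoded = percent_decode_once(path)
        if decoded == path:
            break
        path, passes = decoded, passes + 1
    return path, passes


def classify(raw_path: str) -> dict:
    """Decode one request path and report what it looks like."""
    decoded, passes = normalize_path(raw_path)
    low = decoded.lower()
    return {
        "decoded": decoded,
        "double_encoded": passes >= 2,
        "traversal": bool(TRAVERSAL_RE.search(decoded)),
        "iis_probe": any(marker in low for marker in PROBE_MARKERS),
    }


def parse_line(line: str):
    """Parse one access.log line into a dict; None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec.update(classify(rec["path"]))
    rec["suspicious"] = rec["traversal"] or rec["iis_probe"] or rec["double_encoded"]
    return rec


def summarize(log_text: str) -> dict:
    """Per client IP: request count, flagged count, and the status codes drawn."""
    summary = defaultdict(lambda: {"requests": 0, "suspicious": 0, "statuses": defaultdict(int)})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = summary[rec["ip"]]
        entry["requests"] += 1
        entry["suspicious"] += int(rec["suspicious"])
        entry["statuses"][rec["status"]] += 1
    return {ip: {**e, "statuses": dict(e["statuses"])} for ip, e in summary.items()}


def successful_probes(log_text: str) -> list:
    """The triage question: did any flagged request get a non-error answer?"""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["suspicious"] and rec["status"] < 400:
            hits.append((rec["ip"], rec["path"], rec["status"]))
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_line(line)
        print(rec["status"], "SUSPICIOUS" if rec["suspicious"] else "ok", rec["decoded"])
    print(summarize(SAMPLE_LOG))
    print("probes answered with success:", successful_probes(SAMPLE_LOG))
```

Run it against the full access.log and look at `successful_probes`: an empty list means every flagged request was refused. As for the two non-403 answers, they fit Apache's own URL unescaping rather than a hole in the Location rules. Apache 1.3 rejects a path containing a malformed escape such as `%%35` with 400 before any access control is consulted, and it refuses a path in which an escape decodes to `/` (the `%2f` inside `%c0%2f`) with 404, because encoded slashes in paths were not permitted at all (the `AllowEncodedSlashes` directive that later made this configurable only appeared in 2.0.46). `%252f` and `%255c` decode just once, to `%2f` and `%5c`, and `%c0%af` decodes to two non-ASCII bytes with no slash, so those requests get as far as the `deny from all` rule and draw 403 like the rest.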
