Security Incidents mailing list archives

Re: Strange entries in Apache access_log


From: Ben Ford <bford () securityexchange net>
Date: Sat, 01 Sep 2001 14:12:34 -0700

Ryan Russell wrote:

On Thu, 30 Aug 2001, Bart Haezeleer wrote:

64.225.196.160 - - [24/Aug/2001:21:02:21 +0200] "GET /NULL.printer HTTP/1.0" 404 280


Someone is checking if you're vulnerable to this:
http://www.securityfocus.com/bid/2674

If you are, it's something to worry about.  I think the 404 indicates
that you're probably OK, but check anyway.  We've been seeing a lot of
.printer attempts lately.

For people who are vulnerable, you'll get no indication in the web logs
that a successful exploit happened.  The only clue is a w3svr restart in
the event logs.  I tried a couple of the exploits for this hole when it
came out, and they work really well.


Err . .  I think you missed the fact that he's running Apache, not IIS!  ;)

-b


--
#===================================================================#
# More dead people have written in support of Microsoft against the #
# DOJ than any other single group, leading UMSA (United MS Shills   #
# of America) President Steve Barkto to lodge a formal complaint.   #
#===================================================================#




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
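
Added example, not part of the original thread or written by any of its posters: a small Python scan of Common Log Format access_log lines for `.printer` requests like the one quoted above, grouped by client and with the status code kept. The function names, the rule that any answer other than 404 is worth a closer look, and every sample line except the first (which is the entry from the post) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def printer_probes(lines):
    """Map client host -> [(time, target, status)] for paths ending in .printer."""
    hits = defaultdict(list)
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess at its fields
        # Compare on the path only, case-insensitively, ignoring any query string.
        path = m.group("target").split("?", 1)[0]
        if path.lower().endswith(".printer"):
            hits[m.group("host")].append(
                (m.group("time"), m.group("target"), int(m.group("status")))
            )
    return dict(hits)

def needs_review(hits):
    """Hosts whose probe got anything other than 404 (assumed review rule)."""
    return sorted(h for h, rows in hits.items()
                  if any(status != 404 for _, _, status in rows))

# First line is the entry quoted in the thread; the rest are constructed samples.
SAMPLE = [
    '64.225.196.160 - - [24/Aug/2001:21:02:21 +0200] "GET /NULL.printer HTTP/1.0" 404 280',
    '192.0.2.10 - - [24/Aug/2001:21:05:02 +0200] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [25/Aug/2001:03:11:40 +0200] "GET /null.PRINTER?x=1 HTTP/1.0" 200 512',
    '198.51.100.7 - - [25/Aug/2001:03:11:41 +0200] "GET /docs/printer.html HTTP/1.0" 200 2210',
]

if __name__ == "__main__":
    found = printer_probes(SAMPLE)
    for host, rows in found.items():
        for when, target, status in rows:
            print(f"{host} {when} {target} -> {status}")
    print("review:", needs_review(found))
```

This only records that a probe arrived; as the quoted reply notes, a vulnerable server leaves no sign of a successful exploit in the web log.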

