Security Incidents mailing list archives
Re: Strange entries in Apache access_log
From: Ryan Russell <ryan () securityfocus com>
Date: Thu, 30 Aug 2001 11:51:14 -0600 (MDT)
On Thu, 30 Aug 2001, Bart Haezeleer wrote:
64.225.196.160 - - [24/Aug/2001:21:02:21 +0200] "GET /NULL.printer HTTP/1.0" 404 280
Someone is checking if you're vulnerable to this: http://www.securityfocus.com/bid/2674 If you are, it's something to worry about. I think the 404 indicates that you're probably OK, but check anyway. We've been seeing a lok of .printer attempts lately.. For people who are vulnerable, you'll get no indication in the web logs that a successful exploit happened. The only clue is a w3svr restart in the event logs. I tried a couple of the exploits for this hole when it can out, and they work really well.
63.251.5.46 - - [30/Aug/2001:09:20:04 +0200] "GET http://www.yahoo.com/index.html HTTP/1.1" 200 2890
We get stuff like this every once in a while on our web servers. I don't know why. I imagine it could happen if someone's DNS got confused or modified... but I don't know what the point is. Ryan ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Re: Strange entries in Apache access_log Ryan Russell (Sep 01)
- Re: Strange entries in Apache access_log Sven Koch (Sep 02)
- Re: Strange entries in Apache access_log Ben Ford (Sep 02)
- <Possible follow-ups>
- Re: Strange entries in Apache access_log Jose Nazario (Sep 01)
- Re: Strange entries in Apache access_log //Stany (Sep 02)