Security Incidents mailing list archives

Re: Strange entries in Apache access_log

From: Ryan Russell <ryan () securityfocus com>
Date: Thu, 30 Aug 2001 11:51:14 -0600 (MDT)

On Thu, 30 Aug 2001, Bart Haezeleer wrote:

64.225.196.160 - - [24/Aug/2001:21:02:21 +0200] "GET /NULL.printer
HTTP/1.0" 404 280


Someone is checking if you're vulnerable to this:
http://www.securityfocus.com/bid/2674

If you are, it's something to worry about.  I think the 404 indicates
that you're probably OK, but check anyway.  We've been seeing a lok of
.printer attempts lately..

For people who are vulnerable, you'll get no indication in the web logs
that a successful exploit happened.  The only clue is a w3svr restart in
the event logs.  I tried a couple of the exploits for this hole when it
can out, and they work really well.

63.251.5.46 - - [30/Aug/2001:09:20:04 +0200] "GET
http://www.yahoo.com/index.html HTTP/1.1" 200 2890


We get stuff like this every once in a while on our web servers.  I don't
know why.  I imagine it could happen if someone's DNS got confused or
modified... but I don't know what the point is.

                                        Ryan


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Re: Strange entries in Apache access_log Ryan Russell (Sep 01)
- Re: Strange entries in Apache access_log Sven Koch (Sep 02)
- Re: Strange entries in Apache access_log Ben Ford (Sep 02)
- <Possible follow-ups>
- Re: Strange entries in Apache access_log Jose Nazario (Sep 01)
  - Re: Strange entries in Apache access_log //Stany (Sep 02)