Apache logs *weird* requests

Posted on 2003-03-06
Medium Priority
Last Modified: 2010-03-04
I have Apache and Tomcat running on Linux. Apart from the .ida,cmd.exe(Nimbda,Code red) requests which all have status code 404, the server seems to be serving different sites being requested, like www.sun.com which gets status code 200.

Has my server been hacked? What should I do about this?

Thanks for any help.
Question by:lotsofquestions
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
LVL 15

Expert Comment

ID: 8086704
any chance of seeing the real logfile (you can change the ip/hostname).

Author Comment

ID: 8088682
Hi: I have pasted the relevant part of the log file. HTH. - - [19/Feb/2003:22:57:03 -0500] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 367 - - [20/Feb/2003:07:05:34 -0500] "HEAD http://www.sun.com/ HTTP/1.0" 200 - - - [20/Feb/2003:07:08:09 -0500] "OPTIONS / HTTP/1.1" 200 0 - - [20/Feb/2003:07:22:56 -0500] "GET http://bvcelhexms.virtualave.net/prxjdg/ HTTP/1.0" 404 339 - - [20/Feb/2003:09:51:33 -0500] "HEAD / HTTP/1.0" 200 - - - [20/Feb/2003:09:57:16 -0500] "GET / HTTP/1.1" 304 0
LVL 22

Accepted Solution

pjedmond earned 400 total points
ID: 8091607
Basically, what you have there is some 'script kiddie' using a standard test program to mess around with your system.

The first is an attempted exploit for a windows system, so the individual is not sophisticated enough to even 'fingerprint' your system before trying! The second is an attempt to use the site and test it as a proxy, before confirming the validity of it as a proxy, which fails.

The serving up of the HEAD for http://www.sun.com/ is the default behaviour. My server returns a valid http page stating connection to host lost...i.e that it can't connect to http://www.sun .com

..which is what I'd expect.

Bottom line - you haven't been hacked, just some ignorant individual hoping to misuse your system, and failing.

Hope that helps:)
Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

LVL 22

Expert Comment

ID: 8091616
If you want to be a little more agressive about this individual, you could find the ip address for that host, and report tyhe mfor 'hacking' You may get them blocked or their account cancelled...on the other hand, ISPs are fairly lazy, so probably nothing will happen:(
LVL 22

Expert Comment

ID: 8091628
Another thought...if you want to try this yourself, try telnetting to port 80 of your server, and checking the response after you type in:

HEAD http://www.sun.com/ HTTP/1.0

You will have to press <return> TWICE after entering it - see what you get - I suspect - disconnected..or something similar?

Author Comment

ID: 8106619
Thank you very much.

Featured Post

Building an interactive eFuture classroom

Watch and learn how ATEN provided a total control system solution including seamless switching matrix switch, HDBaseT extenders, PDU, lighting control to build an interactive eFuture classroom.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As Wikipedia explains 'robots.txt' as -- the robot exclusion standard, also known as the Robots Exclusion Protocol or robots.txt protocol, is a convention to prevent cooperating web spiders and other web robots from accessing all or part of a websit…
If you are running a LAMP infrastructure, this little code snippet is very helpful if you are serving lots of HTML, JavaScript and CSS-related information. The mod_deflate module, which is part of the Apache 2.2 application, provides the DEFLATE…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …
Suggested Courses

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question