Solved

Apache logs *weird* requests

Posted on 2003-03-06
Last Modified: 2010-03-04
Hi:
I have Apache and Tomcat running on Linux. Apart from the .ida, cmd.exe (Nimda, Code Red) requests, which all have status code 404, the server seems to be serving different sites being requested, like www.sun.com which gets status code 200.

Has my server been hacked? What should I do about this?

Thanks for any help.
Question by:lotsofquestions
 
LVL 15

Expert Comment

by:samri
ID: 8086704
any chance of seeing the real logfile (you can change the ip/hostname).
 

Author Comment

by:lotsofquestions
ID: 8088682
Hi: I have pasted the relevant part of the log file. HTH.

213.61.192.65 - - [19/Feb/2003:22:57:03 -0500] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 367
202.180.172.55 - - [20/Feb/2003:07:05:34 -0500] "HEAD http://www.sun.com/ HTTP/1.0" 200 -
24.118.158.128 - - [20/Feb/2003:07:08:09 -0500] "OPTIONS / HTTP/1.1" 200 0
202.180.172.55 - - [20/Feb/2003:07:22:56 -0500] "GET http://bvcelhexms.virtualave.net/prxjdg/ HTTP/1.0" 404 339
61.153.25.82 - - [20/Feb/2003:09:51:33 -0500] "HEAD / HTTP/1.0" 200 -
136.142.149.30 - - [20/Feb/2003:09:57:16 -0500] "GET / HTTP/1.1" 304 0
 
LVL 22

Accepted Solution

by: pjedmond (earned 400 total points)
ID: 8091607
Basically, what you have there is some 'script kiddie' using a standard test program to mess around with your system.

The first is an attempted exploit for a windows system, so the individual is not sophisticated enough to even 'fingerprint' your system before trying! The second is an attempt to use the site and test it as a proxy, before confirming the validity of it as a proxy, which fails.

The serving up of the HEAD for http://www.sun.com/ is the default behaviour. My server returns a valid http page stating connection to host lost... i.e. that it can't connect to http://www.sun.com, which is what I'd expect.

Bottom line - you haven't been hacked, just some ignorant individual hoping to misuse your system, and failing.

Hope that helps:)
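As an added example (not part of the thread), a small Python triage script that applies pjedmond's reading to the lines lotsofquestions posted: it separates absolute-URI requests (open-proxy probes) from encoded-traversal/cmd.exe requests (Windows worm probes) and records what the status code and byte count do and do not prove. The regex, labels and notes are my own; the sample lines are the six from the question.

```python
import re
from urllib.parse import unquote

# Apache common log format: host ident user [time] "METHOD target [HTTP/x.y]" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Sample input: the access-log lines posted in the question above.
SAMPLE = [
    '213.61.192.65 - - [19/Feb/2003:22:57:03 -0500] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 367',
    '202.180.172.55 - - [20/Feb/2003:07:05:34 -0500] "HEAD http://www.sun.com/ HTTP/1.0" 200 -',
    '24.118.158.128 - - [20/Feb/2003:07:08:09 -0500] "OPTIONS / HTTP/1.1" 200 0',
    '202.180.172.55 - - [20/Feb/2003:07:22:56 -0500] "GET http://bvcelhexms.virtualave.net/prxjdg/ HTTP/1.0" 404 339',
    '61.153.25.82 - - [20/Feb/2003:09:51:33 -0500] "HEAD / HTTP/1.0" 200 -',
    '136.142.149.30 - - [20/Feb/2003:09:57:16 -0500] "GET / HTTP/1.1" 304 0',
]

def fully_decode(s, rounds=3):
    """Undo layered percent-encoding (%255c -> %5c -> backslash), as the IIS worms used it."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def classify(line):
    """Return (host, label, note) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, method, target, status = m['host'], m['method'], m['target'], int(m['status'])
    if target.lower().startswith(('http://', 'https://')):
        # Absolute-URI request: the client is testing whether this server forwards requests.
        if method == 'HEAD':
            note = 'HEAD returns no body; confirm ProxyRequests Off in httpd.conf'
        elif 200 <= status < 300:
            note = 'answered with a body: check whether mod_proxy forwarded it'
        else:
            note = 'refused'
        return host, 'open-proxy probe', note
    if 'cmd.exe' in fully_decode(target).lower() or '../' in fully_decode(target):
        # Windows/IIS traversal probe (Nimda/Code Red family); a 404 on Apache/Linux means it went nowhere.
        return host, 'windows worm probe', 'rejected' if status == 404 else 'REVIEW'
    return host, 'normal', ''

def triage(lines):
    """Classify every parseable line and count the labels."""
    results = [r for r in (classify(l) for l in lines) if r]
    counts = {}
    for _, label, _ in results:
        counts[label] = counts.get(label, 0) + 1
    return results, counts
```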
 
LVL 22

Expert Comment

by:pjedmond
ID: 8091616
If you want to be a little more aggressive about this individual, you could find the IP address for that host, and report them for 'hacking'. You may get them blocked or their account cancelled... on the other hand, ISPs are fairly lazy, so probably nothing will happen :(
 
LVL 22

Expert Comment

by:pjedmond
ID: 8091628
Another thought...if you want to try this yourself, try telnetting to port 80 of your server, and checking the response after you type in:

HEAD http://www.sun.com/ HTTP/1.0


You will have to press <return> TWICE after entering it - see what you get - I suspect 'disconnected'... or something similar?
 

Author Comment

by:lotsofquestions
ID: 8106619
Thank you very much.
