lotsofquestions
Apache logs *weird* requests
Hi:
I have Apache and Tomcat running on Linux. Apart from the .ida, cmd.exe (Nimda, Code Red) requests, which all have status code 404, the server seems to be serving different sites being requested, like www.sun.com, which gets status code 200.
Has my server been hacked? What should I do about this?
Thanks for any help.
Any chance of seeing the real logfile (you can change the IP/hostname)?
ASKER
Hi: I have pasted the relevant part of the log file. HTH.
213.61.192.65 - - [19/Feb/2003:22:57:03 -0500] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 367
202.180.172.55 - - [20/Feb/2003:07:05:34 -0500] "HEAD http://www.sun.com/ HTTP/1.0" 200 -
24.118.158.128 - - [20/Feb/2003:07:08:09 -0500] "OPTIONS / HTTP/1.1" 200 0
202.180.172.55 - - [20/Feb/2003:07:22:56 -0500] "GET http://bvcelhexms.virtualave.net/prxjdg/ HTTP/1.0" 404 339
61.153.25.82 - - [20/Feb/2003:09:51:33 -0500] "HEAD / HTTP/1.0" 200 -
136.142.149.30 - - [20/Feb/2003:09:57:16 -0500] "GET / HTTP/1.1" 304 0
ASKER CERTIFIED SOLUTION
If you want to be a little more aggressive about this individual, you could find the IP address for that host and report them for 'hacking'. You may get them blocked or their account cancelled... on the other hand, ISPs are fairly lazy, so probably nothing will happen :(
Another thought...if you want to try this yourself, try telnetting to port 80 of your server, and checking the response after you type in:
HEAD http://www.sun.com/ HTTP/1.0
You will have to press <return> TWICE after entering it - see what you get - I suspect - disconnected..or something similar?
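As an added example (not part of the original thread): a short Python script that sorts access-log lines like the ones posted above into proxy probes (absolute-URI or CONNECT request targets), IIS worm scans, and ordinary requests, and lists the proxy probes that received a 2xx status and so deserve the manual HEAD check described above. The function names and classification labels are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

# Sample lines taken from the log posted in this thread.
SAMPLE = """
213.61.192.65 - - [19/Feb/2003:22:57:03 -0500] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 367
202.180.172.55 - - [20/Feb/2003:07:05:34 -0500] "HEAD http://www.sun.com/ HTTP/1.0" 200 -
24.118.158.128 - - [20/Feb/2003:07:08:09 -0500] "OPTIONS / HTTP/1.1" 200 0
202.180.172.55 - - [20/Feb/2003:07:22:56 -0500] "GET http://bvcelhexms.virtualave.net/prxjdg/ HTTP/1.0" 404 339
61.153.25.82 - - [20/Feb/2003:09:51:33 -0500] "HEAD / HTTP/1.0" 200 -
136.142.149.30 - - [20/Feb/2003:09:57:16 -0500] "GET / HTTP/1.1" 304 0
""".strip()

def fully_decode(s, max_rounds=5):
    """Percent-decode repeatedly so double encoding (%255c -> %5c -> backslash) is exposed."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def classify(line):
    """Return a dict describing one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, _when, request, status, _size = m.groups()
    parts = request.split()
    method = parts[0].upper() if parts else ""
    target = parts[1] if len(parts) > 1 else ""
    path = fully_decode(target).lower()
    if method == "CONNECT" or re.match(r"[a-z][a-z0-9+.-]*://", target, re.I):
        kind = "proxy-probe"    # client addressed this server as a forward proxy
    elif any(tok in path for tok in ("cmd.exe", ".ida", "..\\")):
        kind = "iis-worm-scan"  # Nimda / Code Red style request, harmless on Apache
    else:
        kind = "normal"
    return {"host": host, "target": target, "status": int(status), "kind": kind}

def needs_proxy_check(lines):
    """Proxy probes answered with 2xx: verify by hand what the server returned."""
    rows = filter(None, map(classify, lines))
    return [(r["host"], r["target"]) for r in rows
            if r["kind"] == "proxy-probe" and 200 <= r["status"] < 300]

if __name__ == "__main__":
    for host, target in needs_proxy_check(SAMPLE.splitlines()):
        print(f"check manually: {host} requested {target}")
```

A 2xx status on a proxy probe does not by itself show that the request was relayed; the manual HEAD test is what shows what the server actually returned.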
ASKER
Thank you very much.