  • Status: Solved
  • Priority: Medium
  • Security: Public
Apache Logs

I need someone to tell me what this idi0t is trying to do. Here's a patch from the logs, and he has been trying this for a while. I know who the jerk is; he's my old employer, but I can't figure out what he's trying to do.

[Wed Mar 12 01:52:15 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 01:52:16 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 01:52:17 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 01:52:17 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 01:52:17 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 01:52:17 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 01:52:19 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 01:52:19 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 01:52:20 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 02:02:12 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 02:02:13 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 02:02:27 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 02:02:28 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 16:12:09 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 16:12:21 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 16:12:24 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 16:12:25 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 16:12:27 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 16:12:29 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/

Asked by technick
samri commented:
hi technick,

I have no idea of what is causing this. I searched the web and found the following links:

Most helpful (I think):
http://www.geocrawler.com/archives/3/148/2002/6/50/9005474/

Apologies for having to give you the Google link:
http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22web+root+owned+by+privileged+user%22
pjedmond commented:
I suspect that you have an Apache server with mod_frontpage, or some other CGI/module extension.

This particular error occurs if you try to access the extensions directly from the remote web browser, instead of them being accessed by the web server as a result of a valid web page that requires them being served up.

The simplest example I can give is a server with server-side includes enabled, where you keep the header and footer of your page in separate files so you only have to edit them once for your whole site:

<!--#include file="header.txt"-->

Accessing index.html and having header.txt included in it is fine, and the expected behaviour.
Trying to access header.txt directly is not desired or catered for.

In the case of mod_fp you have a number of additional files required by the pages to function correctly. Trying to access these additional files would cause a fault similar to the one you are experiencing.

Other possibilities include trying to escape outside the web root using ../../.. (Unicode-type exploits),

or perhaps trying to display .htaccess files using various Unicode exploits.

Overall, given the above log, I'm going to go for someone trying to use ../../.. Unicode exploits, because a number of Linux distributions truncate this type of request at the web root level.

The good news is that it doesn't look as if he's succeeding. Given that log, if it's a regular occurrence from a specific IP, block the IP and make a formal complaint to the ISP that owns it.

Hope that helps :)

technick (author) commented:
Can I email you the entire access_log and error_log? I don't think we are running the FP module on here anymore; I will find out later today. It sounds like my old employer "might" be copying the website to his computer or something, using FrontPage maybe. I'd raise the points on this if you help me out further.

Nick,
technick (author) commented:
Also, I'm not using server-side includes, and I don't get this error when I visit the site from my IP address.
pjedmond commented:
A bit harsh; I believe my answer is spot on and indeed gives those errors!

Although the questioner may not be using SSI, the same principles apply. Effectively, the person accessing the web site has identified files (or directories), in this case the root directory or subsidiary files outside the root that you get with FP extensions, or something similar, that the external user is trying to access.

Having said that, the access_log will give the exact format of what is being attempted. The question then becomes "Are the requests being individually crafted?" or, more likely in this case, "automated using a tool of some sort?"

I suppose I should have been checking answers a little more closely when this was around, and I could have got a bit more information to finish it off :(
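Both of pjedmond's comments come down to the same practical step: the error_log alone only says which client tripped the check and when; the access_log shows what was actually requested, and the spacing of the hits tells you whether a person or a tool is behind them. The script below is an added example, not code from this thread, that does that correlation. It parses a subset of the error_log lines posted in the question and joins them, by client IP and a 2-second timestamp window, to access_log requests. Because the questioner never posted the access_log, the request lines here are constructed; the FrontPage `/_vti_bin/` paths, the overlong-UTF-8 `..%c0%af` traversal and the `.htaccess` probe are assumed examples of the patterns pjedmond speculates about, not observed traffic. The 2-second join window and the "3 hits in 10 seconds" automation threshold are also assumptions to tune against your own logs.

```python
"""Correlate Apache 1.3 error_log entries with access_log requests (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# A subset of the error_log lines posted in the question.
ERROR_LOG = """\
[Wed Mar 12 01:52:15 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 01:52:16 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 01:52:17 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 01:52:17 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 02:02:12 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 16:12:09 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
"""

# CONSTRUCTED access_log in Common Log Format. The thread never showed the real
# access_log; these request lines are assumptions chosen to exercise the two
# theories in the answer (FrontPage extension files and ../ traversal probes).
ACCESS_LOG = """\
64.238.124.141 - - [12/Mar/2003:01:52:15 -0500] "GET /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 500 537
64.238.124.141 - - [12/Mar/2003:01:52:16 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.1" 500 537
64.238.124.141 - - [12/Mar/2003:02:02:12 -0500] "GET /..%c0%af..%c0%af.htaccess HTTP/1.0" 403 281
64.238.124.141 - - [12/Mar/2003:02:05:40 -0500] "GET /index.html HTTP/1.1" 200 4211
10.0.0.7 - - [12/Mar/2003:01:52:16 -0500] "GET /index.html HTTP/1.1" 200 4211
"""

ERROR_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$")
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')
OVERLONG_RE = re.compile(r"%c0%af|%c1%9c", re.I)  # overlong UTF-8 encodings of '/' and '\'


def parse_error_log(text):
    """Return one dict per error_log line: naive local timestamp, client IP, message."""
    events = []
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
                           "ip": m["ip"], "msg": m["msg"]})
    return events


def parse_access_log(text):
    """Return one dict per access_log request line."""
    requests = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            # Both logs are written in server local time, so drop the UTC offset
            # to get wall-clock values directly comparable with error_log stamps.
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            requests.append({"ts": ts, "ip": m["ip"], "method": m["method"],
                             "path": m["path"], "status": int(m["status"])})
    return requests


def correlate(errors, requests, window_seconds=2):
    """Pair each error with the nearest request from the same client inside the window."""
    pairs = []
    for err in errors:
        candidates = [r for r in requests if r["ip"] == err["ip"]
                      and abs((r["ts"] - err["ts"]).total_seconds()) <= window_seconds]
        best = min(candidates, key=lambda r: abs((r["ts"] - err["ts"]).total_seconds()), default=None)
        pairs.append((err["ts"], err["ip"], best["path"] if best else None))
    return pairs


def classify(path):
    """Tag a request path with the probe patterns the answer speculates about."""
    # Decode twice so double-encoded sequences (e.g. %252e) are caught as well.
    decoded = unquote(unquote(path, errors="replace"), errors="replace").lower()
    tags = []
    if "/_vti_" in decoded:          # FrontPage Server Extensions paths
        tags.append("frontpage")
    if ".htaccess" in decoded:
        tags.append("htaccess")
    if OVERLONG_RE.search(path):     # raw overlong UTF-8, checked before decoding
        tags.append("overlong-utf8")
    if ".." in decoded:
        tags.append("traversal")
    return tags


def max_burst(times, window_seconds):
    """Largest number of events falling inside any window of window_seconds (sliding window)."""
    ts = sorted(times)
    best, start = 0, 0
    for end in range(len(ts)):
        while (ts[end] - ts[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def report(error_text=ERROR_LOG, access_text=ACCESS_LOG, burst_window=10):
    """Human-readable summary: what each error maps to, and how bursty each client is."""
    errors, requests = parse_error_log(error_text), parse_access_log(access_text)
    lines = []
    for ts, ip, path in correlate(errors, requests):
        what = f"{path} {classify(path)}" if path else "no request within window"
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} {ip} -> {what}")
    by_ip = defaultdict(list)
    for err in errors:
        by_ip[err["ip"]].append(err["ts"])
    for ip, times in by_ip.items():
        burst = max_burst(times, burst_window)
        verdict = "likely automated" if burst >= 3 else "possibly manual"  # assumed threshold
        lines.append(f"{ip}: {len(times)} errors, peak {burst} in {burst_window}s -> {verdict}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Run it against the real files with `report(open("error_log").read(), open("access_log").read())`. Errors that pair with a `/_vti_bin/` request point at FrontPage publishing attempts, as technick suspected; errors that pair with `..`-style paths point at traversal probes; errors with no request in the window mean the two logs are out of step (clock, rotation, or a different log format) and the join window needs widening. Four hits inside a couple of seconds, as in the 01:52 cluster, is what a tool produces rather than a person clicking.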
