Solved

Apache Logs

Posted on 2003-03-12
7
Medium Priority
216 Views
Last Modified: 2010-03-04
I need someone to tell me what this idi0t is trying to do. Here's a patch from the logs, and he has been trying this for a while. I know who the jerk is; he's my old employer, but I can't figure out what he's trying to do.

[Wed Mar 12 01:52:15 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 01:52:16 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 01:52:17 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 01:52:17 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 01:52:17 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 01:52:17 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 01:52:19 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 01:52:19 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 01:52:20 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 02:02:12 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 02:02:13 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 02:02:27 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 02:02:28 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 16:12:09 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 16:12:21 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 16:12:24 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 16:12:25 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 16:12:27 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 16:12:29 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/

Question by:technick
7 Comments
LVL 15

Expert Comment

by:samri
ID: 8125887
hi technick,

I have no idea of what is causing this.  Searched the web, and found the following links:

most helpful (I think).
http://www.geocrawler.com/archives/3/148/2002/6/50/9005474/


Apologies for having to give you the Google link:
http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22web+root+owned+by+privileged+user%22
LVL 22

Accepted Solution

by:
pjedmond earned 800 total points
ID: 8131632
I suspect that you have an apache server with mod_frontpage, or some other cgi/mod extension.

This particular error occurs if you try to access the extensions directly from the remote web browser, instead of their being accessed by the webserver as a result of a valid webpage that requires them being served up.

The simplest example I can give is if you have a server with server side includes enabled, and you have the header and footer of your page in separate files so you only have to edit them once for your whole site:

<!--#include file="header.txt"-->

Accessing index.html and having header.txt included in it is fine, and the expected behaviour.
Trying to access header.txt directly is not desired or catered for.

In the case of mod_fp you have a number of additional files required by the pages to function correctly. Trying to access these additional files would cause a similar fault to the one you are experiencing.

Other possible options include trying to escape outside the webroot using ../../.. (unicode type of exploits)

or perhaps trying to display .htaccess files using various unicode exploits.



Overall, given the above log, I'm going to go for someone trying to use ../../.. unicode exploits, because a number of linux distributions truncate this type of request at the webroot level.

The good news is that it doesn't look as if he's succeeding, and as a result of that log, if it's a regular occurrence from a specific IP - block the IP, and make a formal complaint to the ISP that owns that IP.

Hope that helps:)

LVL 1

Author Comment

by:technick
ID: 8138244
Can I email you the entire access_log & error_log - I don't think we are running fp mod on here anymore. I will find out later on today. It sounds like my old employer "might" be copying the website to his computer or something using frontpage maybe. I'd raise the points on this also if you help me out further with this.

Nick,
LVL 1

Author Comment

by:technick
ID: 8138255
Also, I'm not using server side includes; I don't get this error when I visit the site from my IP address.
LVL 22

Expert Comment

by:pjedmond
ID: 11717264
A bit harsh - I believe my answer is spot on and indeed gives those errors!

Although the questioner may not be using SSI, the same principles apply. Effectively, the person accessing the web site has identified files (or directories)...in this case the root directory or subsidiary files outside the root that you get with fp extensions, or something similar, that the external user is trying to access.

Having said that, the 'access_log' will give the exact format of what is being attempted. The question then becomes 'Are the requests being individually crafted', or more likely in this case 'automated' using a tool of some sort.

I suppose I should have been checking answers a little more closely when this was around and I could have got a bit more information to finish it off:(
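The two practical steps the thread arrives at are (1) count how often the "web root owned by privileged user" error recurs per client IP so a persistent source can be blocked and reported, and (2) read the access_log alongside the error_log to see the exact requests behind those errors. The script below, added here as an example and not code from the thread or from any of its participants, does both on constructed sample data: the error_log lines follow the format quoted in the question, while the access_log lines (Common Log Format) and the request paths in them are invented for illustration, since the page never shows the access_log. The helper names (`parse_error_log`, `correlate`, `report` and so on) and the one-second correlation window are this example's own choices.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

NEEDLE = "web root owned by privileged user"

# Constructed sample error_log, in the Apache 1.3/2.0 format quoted in the question.
ERROR_LOG = """\
[Wed Mar 12 01:52:15 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 01:52:16 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 02:02:12 2003] [error] [client 64.238.124.141] web root owned by privileged user: /usr/local/www/vhosts/twistedliving.com/htdocs/
[Wed Mar 12 02:02:13 2003] [error] [client 10.0.0.5] File does not exist: /usr/local/www/vhosts/twistedliving.com/htdocs/favicon.ico
"""

# Constructed sample access_log (Common Log Format). Paths are invented; the thread
# does not show the real access_log.
ACCESS_LOG = """\
64.238.124.141 - - [12/Mar/2003:01:52:15 -0500] "GET /_vti_inf.html HTTP/1.0" 500 0
64.238.124.141 - - [12/Mar/2003:01:52:16 -0500] "GET /../../../ HTTP/1.0" 500 0
64.238.124.141 - - [12/Mar/2003:01:52:30 -0500] "GET /index.html HTTP/1.0" 200 1234
64.238.124.141 - - [12/Mar/2003:02:02:12 -0500] "GET /%2e%2e/%2e%2e/.htaccess HTTP/1.0" 500 0
10.0.0.5 - - [12/Mar/2003:02:02:13 -0500] "GET /favicon.ico HTTP/1.0" 404 209
"""

ERROR_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] (?P<msg>.*)$')
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+$')


def parse_error_log(text):
    """Parse error_log lines into dicts; lines in another format are skipped."""
    entries = []
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            # strptime treats a space in the format as "one or more spaces", so the
            # two-space padding Apache uses for single-digit days is accepted too.
            entries.append({"ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
                            "level": m["level"], "client": m["client"], "msg": m["msg"]})
    return entries


def parse_access_log(text):
    """Parse Common Log Format lines; the UTC offset is dropped because both logs
    are written in the server's local time and only need to agree with each other."""
    entries = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
            entries.append({"client": m["client"], "ts": ts, "method": m["method"],
                            "path": m["path"], "status": int(m["status"])})
    return entries


def count_by_client(errors, needle):
    """Number of error entries containing `needle`, per client IP."""
    return Counter(e["client"] for e in errors if needle in e["msg"])


def repeat_offenders(counts, threshold):
    """Clients at or above `threshold`: candidates for blocking and an ISP complaint."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def looks_like_traversal(path):
    """True if the request path has a '..' segment, also after (double) URL-decoding,
    so %2e%2e style encodings are caught as well as the literal form."""
    decoded = unquote(unquote(path))
    return ".." in decoded.replace("\\", "/").split("/")


def correlate(errors, accesses, needle, window=timedelta(seconds=1)):
    """For each matching error, pick the same client's closest request within `window`.
    Returns (client, error timestamp, path, status); path/status are None if no request
    was logged nearby (e.g. if the access_log was rotated separately)."""
    by_client = defaultdict(list)
    for a in accesses:
        by_client[a["client"]].append(a)
    matches = []
    for e in errors:
        if needle not in e["msg"]:
            continue
        near = [a for a in by_client[e["client"]] if abs(a["ts"] - e["ts"]) <= window]
        if not near:
            matches.append((e["client"], e["ts"].isoformat(), None, None))
            continue
        best = min(near, key=lambda a: (abs(a["ts"] - e["ts"]), a["ts"]))
        matches.append((e["client"], e["ts"].isoformat(), best["path"], best["status"]))
    return matches


def report(error_text, access_text, needle=NEEDLE, threshold=3):
    errors, accesses = parse_error_log(error_text), parse_access_log(access_text)
    counts = count_by_client(errors, needle)
    return {"counts": dict(counts),
            "repeat_offenders": repeat_offenders(counts, threshold),
            "requests": correlate(errors, accesses, needle),
            "traversal_paths": sorted({a["path"] for a in accesses
                                       if looks_like_traversal(a["path"])})}


if __name__ == "__main__":
    import json
    print(json.dumps(report(ERROR_LOG, ACCESS_LOG), indent=2))
```

On a real server, feed `report()` the contents of the two log files and raise `threshold` to whatever rate is abnormal for the site; the `requests` list is what distinguishes a stray FrontPage client from a scripted scan, since a tool tends to produce the same sequence of paths on every pass at a fixed cadence, while a human editor does not.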