On Wed, 24 Oct 2001, smiler wrote:
> It's possible to "cheat" an Apache SysAdministrator and make him think that
> his server didn't log an HTTP request or make him think that a request has
> been made by another IP address.
> This "cheating" is only valid when the log is displayed on the screen using
> common unix utils as cat, tail, grep, etc...
> This will not work with the kind of sysadmin that edits the logs using vi or
> even prints them to read at night in bed eh eh :-)
> I am not sure if this can be considered as a bug or as a feature (?) but in
> any case it will surely lead apache sysadmins into mistakes !!

I cannot reproduce this on RedHat Linux 7.0, apache 1.3.19.

> ----------Technique----------
>
> To make a request and to make it seem like it came from NO IP ADDRESS at
> all, the request should be made like this :
>
> GET / HTTP/1.0 \r\r\n
>
> In this case APACHE will print in the log file the carriage return
> character. So when we try to tail the access_log file it will be shown on
> the screen as :
>
> " 414 3461.251 - - [24/Oct/2001:18:58:18 +0100] "GET / HTTP/1.0

GET / HTTP/1.0 \r\r\n gives this log entry:

194.182.238.30 - - [25/Oct/2001:07:54:01 +0200] "GET / HTTP/1.0 \r\r\n" 200 510 "-" "-"

> A normal line would be :
>
> 127.0.0.1 - - [24/Oct/2001:19:00:32 +0100] "GET / HTTP/1.0" 200 164
>
> The normal line output will help us to understand that what happens is cat
> made a carriage return after the HTTP/1.0 and printed the rest of the log
> over the IP Address field.
> We can also make it look like the request came from another IP address, and
> this is preferable because like this the SysAdmin will see no apparent
> strange behaviour in the logfile. Just be careful with the timestamp !!
> So the request should be :
>
> GET / HTTP/1.0 \r10.0.0.1 - - [24/Oct/2001:19:00:32 +0100] "GET /
> HTTP/1.0\r\n
>
> And the logfile will appear like this :
>
> 10.0.0.1 - - [24/Oct/2001:19:00:32 +0100] "GET / HTTP/1.0" 200 164

The above gives this log entry:

194.182.238.3 - - [25/Oct/2001:07:56:41 +0200] "GET / HTTP/1.0 \r10.0.0.1 - - [24/Oct/2001:19:00:32 +0100] "GET / HTTP/1.0\r\n" 200 510 "-" "-"

Rasmus

-- 
-- [ Rasmus 'Møffe' Bøg Hansen ] ---------------------------------------
I haven't lost my mind; I have backed it up on tape somewhere........
--------------------------------- [ moffe at amagerkollegiet dot dk ] --
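The thread turns on one point: the raw access_log line still begins with the real client address, and only the terminal's handling of an embedded carriage return makes it look otherwise. The following is an added example, not code from the thread or from Apache, that shows the defender's side of that: it parses constructed copies of the two log entries Rasmus quotes (written here with real CR and LF bytes inside the request field, as the technique describes), flags any entry containing control characters, renders them visibly in the style of `cat -v`, recovers the true client IP from the first field, and simulates what a plain tty would display so the overwrite effect can be seen without a terminal. The sample entries and all function names are this example's own.

```python
import re

# Constructed sample access_log entries (not captured from a real server):
# a clean line and the two entries quoted in the reply, written with real
# CR (\r) and LF (\n) bytes inside the request field. Each element is one
# line of the log file.
LOG_LINES = [
    '127.0.0.1 - - [24/Oct/2001:19:00:32 +0100] "GET / HTTP/1.0" 200 164 "-" "-"',
    '194.182.238.30 - - [25/Oct/2001:07:54:01 +0200] "GET / HTTP/1.0 \r\r\n" 200 510 "-" "-"',
    '194.182.238.3 - - [25/Oct/2001:07:56:41 +0200] "GET / HTTP/1.0 \r'
    '10.0.0.1 - - [24/Oct/2001:19:00:32 +0100] "GET / HTTP/1.0\r\n" 200 510 "-" "-"',
]

# ASCII control characters plus DEL: bytes a terminal acts on instead of printing.
CONTROL = re.compile(r'[\x00-\x1f\x7f]')

# Readable names for the common ones; anything else is shown as \xNN.
NAMES = {'\r': r'\r', '\n': r'\n', '\t': r'\t', '\x1b': r'\e'}


def _escape(ch):
    return NAMES.get(ch, '\\x%02x' % ord(ch))


def control_chars(entry):
    """Return (offset, escaped form) for every control character in one entry."""
    return [(m.start(), _escape(m.group())) for m in CONTROL.finditer(entry)]


def escape_control(entry):
    """Render an entry so control characters are displayed, not executed
    (the same idea as viewing the file with cat -v)."""
    return CONTROL.sub(lambda m: _escape(m.group()), entry)


def terminal_view(entry):
    """Simulate how a plain tty shows the raw entry: CR moves the cursor back
    to column 0 so later characters overwrite earlier ones, LF starts a new
    line. Returns the lines an admin would actually see on screen."""
    lines, cur, col = [], [], 0
    for ch in entry:
        if ch == '\r':
            col = 0
        elif ch == '\n':
            lines.append(''.join(cur))
            cur, col = [], 0
        else:
            if col < len(cur):
                cur[col] = ch          # overwrite after a carriage return
            else:
                cur.append(ch)
            col += 1
    lines.append(''.join(cur))
    return lines


def client_ip(entry):
    """The real client address is the first field of the raw line, whatever
    the screen shows: parse the file, never the rendering."""
    return entry.split(' ', 1)[0]


def audit(lines):
    """Flag entries containing control characters as (line_no, real_ip, escaped)."""
    return [(i, client_ip(e), escape_control(e))
            for i, e in enumerate(lines, 1) if control_chars(e)]


if __name__ == '__main__':
    for no, ip, shown in audit(LOG_LINES):
        print('line %d from %s: %s' % (no, ip, shown))
    print('what a tty would show for line 3:')
    for visible in terminal_view(LOG_LINES[2]):
        print('  ' + visible)
```

Running `audit` over a real log before reading it on a terminal is the practical check: any entry it reports deserves to be read in escaped form, and `client_ip` on the raw line gives the address Apache actually recorded. The `terminal_view` output for the third entry also shows that the spoofed prefix only lines up cleanly when its length matches the text it overwrites; otherwise the tail of the real request field remains visible after it.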