Re: apache weird GET

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



At 11:22 PM +0100 1/30/04, Leo wrote:

True, although that's the way they come out of the CD!

Ah! Sorry... Apache, PHP, mod_perl and the like are some of the things I'll download the source for and always build by hand. I like to know that I can rebuild apache the moment that a patch or a new version is released.


No, not a ton, but a few. May it be some kind of port scan ?

The GET www.yahoo.com one is definitely an attempt at a proxy request. Since you have apache configured not to handle proxy requests, it's probably just your server returning the default apache page and not actually fulfilling the request.


Other requests are even stranger like with variables, very long like this:


ac984dde.ipt.aol.com - - [25/Jan/2004:12:58:47 +0100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff %u0078%u0000%u00=a HTTP/1.0" 404 1088 "-" "-"

Stuff like the above are just random hosts searching for common vulnerabilities in IIS servers. My logs are full of such requests. Nothing to worry about as long as you're running apache.


and these are even more suspicious:


atenas.srh.uerj.br - - [25/Jan/2004:20:54:51 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 400 1003 "-" "-" 211.161.172.45 - - [25/Jan/2004:22:03:00 +0100] "CONNECT 207.217.125.20:25 HTTP/1.1" 405 1010 "-" "-"

This is someone looking to capitalize on a buffer overflow exploit for Microsoft's Frontpage Sever Extensions I believe. Again, there's no concern here for you running apache.


But ProxyRequests of a virtual host basis?  o_O
How do I find that out? I didn't touch anything that I know of
concerning this, that came in the RH9 CDs.

I don't know anything about the default RH httpd.conf file unfortunately. If you only see one ProxyRequests config setting in httpd.conf as you described earlier, you don't have it turned on for any virtual hosts. It also appears to be turned off in general. All of your log entries look pretty normal to me. Originally it appeared as though you might have an open proxy, which would have probably been undesirable!



Mike



-- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list

[Index of Archives]     [CentOS]     [Kernel Development]     [PAM]     [Fedora Users]     [Red Hat Development]     [Big List of Linux Books]     [Linux Admin]     [Gimp]     [Asterisk PBX]     [Yosemite News]     [Red Hat Crash Utility]


  Powered by Linux