Linux - Newbie: This Linux forum is for members that are new to Linux. Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

04-26-2002, 11:13 AM | #1
Member | Registered: Mar 2002 | Location: Rome, Italy | Distribution: Mandrake 10.1 Community, Suse 9.2, Fedora Core 2 | Posts: 35
Security issue..
Hello!
I have just started using my PC as a server. I run Apache under Mandrake 8.1.
I have a concern about security: opening my log file, I noticed several "attempts", as the following:
==
"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 "-" "-"
"GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 "-" "-"
"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 335 "-" "-"
"GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
"GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
"GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system
"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 334 "-" "-"
"GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 334 "-" "-"
==
Can you tell me which is the easiest way to avoid these attempts....?
Thanks in advance!
Marco

04-26-2002, 12:31 PM | #2
Senior Member | Registered: Nov 2001 | Location: Wa. State | Distribution: Slackware | Posts: 1,261
Well, if it is what it looks like and someone is trying to use GET to execute the cmd.exe command to do something on your system, then you wanna set up a firewall if you don't have one so people can't find or use any open ports.

04-29-2002, 05:27 AM | #3
Member | Registered: Mar 2002 | Location: Rome, Italy | Distribution: Mandrake 10.1 Community, Suse 9.2, Fedora Core 2 | Posts: 35 | Original Poster
Thanks!
I have installed the 'standard' firewall included in the Mandrake distribution. My (newbie) question is: since the quoted attempts are continuing (I guess it's an automatic procedure), can I feel a bit more secure with the firewall working? Should I do something else to protect my site?
Thanks in advance,
Marco

04-29-2002, 03:46 PM | #4
Senior Member | Registered: Nov 2001 | Location: Wa. State | Distribution: Slackware | Posts: 1,261
If it is some automated task, I'd find out what it is just to make myself feel better. As for a firewall, ANY type of firewall is better than nothing, so yeah, I'd feel better. It depends on how secure you wanna feel as to what you set up for a firewall though.

04-29-2002, 05:03 PM | #5
Member | Registered: Jun 2001 | Location: Fairfax, California | Distribution: RH 9.0, RH 7.3, Mandrake 8.0 | Posts: 986
Marcoc,
The messages in your log are indicative of a scan by the Nimda worm, which is probing for MS IIS servers. Since you're running Apache on Linux, there's no threat to your machine.
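An added example (not from the thread, and not the script posted later) that puts DMR's diagnosis into a check a defender can run: it tallies the IIS-targeted probe lines in an Apache access_log using only the signatures visible in Marco's excerpt, and groups them by client address. It assumes the log is in Apache's common/combined format (client address in the first field); the sample log is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: tally the IIS-targeted probe lines
# (the Nimda scan pattern DMR identifies) in an Apache access_log.
# The signatures are the ones visible in the OP's log: a request for
# winnt/system32/cmd.exe reached through directory traversal encoded as a
# double-URL-encoded backslash (..%255c) or an overlong UTF-8 slash
# (..%c1%1c, ..%c0%2f).
PROBE_RE='cmd\.exe|\.\.%255c|\.\.%c1%1c|\.\.%c0%2f'

# Number of probe lines in the log file $1.
probe_count() {
    grep -Eic "$PROBE_RE" "$1"
}

# Number of lines in $1 that are not probes (what the OP wants to keep).
clean_count() {
    grep -Eivc "$PROBE_RE" "$1"
}

# Probes grouped by client address (field 1 of the common log format),
# one "address count" pair per line, sorted by address.
probes_by_source() {
    grep -Ei "$PROBE_RE" "$1" | awk '{ n[$1]++ } END { for (ip in n) print ip, n[ip] }' | sort
}

# Constructed sample log in the common log format (not real traffic;
# addresses are taken from the documentation ranges).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [26/Apr/2002:11:01:02 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 "-" "-"
192.0.2.10 - - [26/Apr/2002:11:01:03 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 335 "-" "-"
198.51.100.7 - - [26/Apr/2002:11:02:00 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 334 "-" "-"
203.0.113.5 - - [26/Apr/2002:11:03:00 -0500] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
203.0.113.5 - - [26/Apr/2002:11:03:01 -0500] "GET /images/logo.png HTTP/1.0" 200 2210 "-" "Mozilla/4.0"
EOF

echo "probes: $(probe_count "$SAMPLE_LOG"), other requests: $(clean_count "$SAMPLE_LOG")"
probes_by_source "$SAMPLE_LOG"
```

Because Apache on Linux has no cmd.exe to hand out, every such line is a 404 in the log and nothing more; the per-address tally is still useful to see how persistent a given scanner is.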

04-30-2002, 05:13 AM | #6
Member | Registered: Mar 2002 | Location: Rome, Italy | Distribution: Mandrake 10.1 Community, Suse 9.2, Fedora Core 2 | Posts: 35 | Original Poster
Quote:
Originally posted by DMR
Marcoc,
The messages in your log are indicative of a scan by the Nimda worm, which is probing for MS IIS servers. Since you're running Apache on Linux, there's no threat to your machine.
Many thanks to all for your kind replies.
I'd have another question: is it possible to tell the system not to write those accesses to "access_log", in order to leave the file "clean"? (just happy if you can point me to some docs..)
Marco

05-01-2002, 01:30 AM | #7
Member | Registered: Apr 2002 | Location: Nyc | Distribution: Gentoo | Posts: 127
I get shit loads of those in my logs daily. Nothing to worry about, the script kiddie thinks you're running IIS.

05-01-2002, 05:12 AM | #8
Member | Registered: Jun 2001 | Location: Fairfax, California | Distribution: RH 9.0, RH 7.3, Mandrake 8.0 | Posts: 986
Quote:
Originally posted by marcoc
is it possible to tell the system not to write those accesses to "access_log", in order to leave the file "clean"? (just happy if you can point me to some docs..)
There might be (probably is) a way, but off the top of my head I don't know...

05-01-2002, 07:14 AM | #9
Moderator | Registered: May 2001 | Posts: 29,415
#!/bin/sh
# this script is /usr/sbin/clearlogtext
# courtesy of comp.os.linux.security
# YMMV
# usage: clearlogtext logfile regex  (deletes every line of logfile that matches regex)
if [ $# != 2 ] ; then
  echo "syntax: $0 logfile text"
  echo "example: /usr/sbin/clearlogtext /var/log/httpd/access_log \.exe"
else
  t=$(mktemp) || exit 1
  # keep only the lines that do not match the pattern, then copy them back
  # over the original (cat > "$1" rather than mv keeps the same inode, so a
  # running httpd still appends to the same file)
  awk -v pat="$2" '$0 !~ pat { print }' "$1" > "$t" && cat "$t" > "$1"
  rm -f "$t"
fi