LinuxQuestions.org
Old 06-04-2010, 05:38 PM   #1
spezticle
Member
 
Registered: May 2010
Distribution: Ubuntu 10.04
Posts: 30

Rep: Reputation: 0
how serious is this 'file sniffing' ?


I'm in the finishing stages of setting up a bunch of servers: LAMP, a mailserver, etc., and in my access logs, I'm getting things like the following entries. Copied/pasted directly from Apache's access.log.

I'm doing this to learn Apache and the process is easy going for me, but unfortunately self-teaching leaves me a prime target for learning security mishaps and dangers the hard way.

What insight can anyone give me towards this sort of activity?

Quote:
92.243.17.132 - - [03/Jun/2010:18:33:38 -0500] "GET /roundcubemail/README HTTP/1.1" 404 474 "-" "Morfeus strikes again."
92.243.17.132 - - [03/Jun/2010:18:33:38 -0500] "GET /rc/README HTTP/1.1" 404 467 "-" "Morfeus strikes again."
92.243.17.132 - - [03/Jun/2010:18:33:38 -0500] "GET /webmail/README HTTP/1.1" 404 471 "-" "Morfeus strikes again."
92.243.17.132 - - [03/Jun/2010:18:33:38 -0500] "GET /roundcube/README HTTP/1.1" 404 471 "-" "Morfeus strikes again."
92.243.17.132 - - [03/Jun/2010:18:33:39 -0500] "GET /mail/README HTTP/1.1" 404 468 "-" "Morfeus strikes again."
92.243.17.132 - - [03/Jun/2010:18:33:39 -0500] "GET /README HTTP/1.1" 404 465 "-" "Morfeus strikes again."
In this instance, you notice the useragent hack changed to "Morfeus strikes again." Sidenote: how does one do this?

Quote:
61.183.15.9 - - [04/Jun/2010:14:22:25 -0500] "GET http://www.wantsfly.com/prx2.php HTTP/1.0" 404 273 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
135.196.106.146 - - [04/Jun/2010:14:46:03 -0500] "GET //phpScheduleIt/ HTTP/1.1" 404 279 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
135.196.106.146 - - [04/Jun/2010:14:46:03 -0500] "GET //phpscheduleit/ HTTP/1.1" 404 279 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
135.196.106.146 - - [04/Jun/2010:14:46:03 -0500] "GET //sched/ HTTP/1.1" 404 279 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
135.196.106.146 - - [04/Jun/2010:14:46:03 -0500] "GET //Scheduler/ HTTP/1.1" 404 279 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
135.196.106.146 - - [04/Jun/2010:14:46:04 -0500] "GET //scheduler/ HTTP/1.1" 404 279 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
135.196.106.146 - - [04/Jun/2010:14:46:04 -0500] "GET //scheduleit/ HTTP/1.1" 404 279 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
135.196.106.146 - - [04/Jun/2010:14:46:04 -0500] "GET //schedule/ HTTP/1.1" 404 279 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
135.196.106.146 - - [04/Jun/2010:14:46:05 -0500] "GET //phpschedule/ HTTP/1.1" 404 279 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
135.196.106.146 - - [04/Jun/2010:14:46:05 -0500] "GET // HTTP/1.1" 403 275 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
In this one I really doubt he's using Win98. I'm guessing it's Wine or a VirtualBox?
 
Old 06-04-2010, 07:35 PM   #2
g0su
LQ Newbie
 
Registered: Sep 2007
Posts: 9

Rep: Reputation: 1
This isn't that serious. If you have a website you're going to get plenty of automated attempts to find hidden files and vulnerabilities. As far as spoofing the user agent, it's very simple. It's not a hack, it's just part of the HTTP protocol. You're allowed to set your user agent to anything you wish. You can set your user agent in an HTTP GET request with the following string "User-agent: MyUserAgent 1.0".

I recommend reading this tutorial on HTTP.
http://www.jmarshall.com/easy/http/
 
1 members found this post helpful.
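An added example, not part of the original thread: a small Python log check that picks out this kind of automated probing by behaviour (one client missing on many different paths within a short time) rather than by User-Agent, since the client chooses that header. The names `parse` and `find_probes`, the thresholds, and the last sample line are assumptions made for this illustration; the other sample lines are copied from the first post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$')

# First five lines are copied from the post; the last one is constructed
# to stand in for an ordinary visitor.
SAMPLE = '''\
92.243.17.132 - - [03/Jun/2010:18:33:38 -0500] "GET /roundcubemail/README HTTP/1.1" 404 474 "-" "Morfeus strikes again."
92.243.17.132 - - [03/Jun/2010:18:33:38 -0500] "GET /rc/README HTTP/1.1" 404 467 "-" "Morfeus strikes again."
92.243.17.132 - - [03/Jun/2010:18:33:38 -0500] "GET /webmail/README HTTP/1.1" 404 471 "-" "Morfeus strikes again."
92.243.17.132 - - [03/Jun/2010:18:33:39 -0500] "GET /mail/README HTTP/1.1" 404 468 "-" "Morfeus strikes again."
61.183.15.9 - - [04/Jun/2010:14:22:25 -0500] "GET http://www.wantsfly.com/prx2.php HTTP/1.0" 404 273 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
192.0.2.10 - - [04/Jun/2010:15:00:00 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
'''.splitlines()

def parse(line):
    """Return (ip, time, path, status, agent), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = m["req"].split()
    path = parts[1] if len(parts) >= 2 else m["req"]
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, path, int(m["status"]), m["agent"]

def find_probes(lines, min_paths=4, window=timedelta(seconds=60)):
    """Map each client that missed (403/404) on >= min_paths distinct paths
    inside `window` to (paths it missed on, User-Agent strings it sent)."""
    misses = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec[3] in (403, 404):
            misses[rec[0]].append((rec[1], rec[2], rec[4]))
    flagged = {}
    for ip, hits in misses.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if len({h[1] for h in hits[start:end + 1]}) >= min_paths:
                # The agent is reported only as a label: the client chooses it.
                flagged[ip] = (sorted({h[1] for h in hits}), sorted({h[2] for h in hits}))
                break
    return flagged
```

Calling `find_probes(SAMPLE)` flags only 92.243.17.132; the single proxy-style request from 61.183.15.9 and the constructed normal visitor stay below the threshold.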
  

