Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum. |
10-29-2004, 07:07 PM, #1
Member, Registered: Jul 2004, Posts: 90
httpd logs - what to do?
I have Fedora Core 2 installed on a PC that I use as a file server for my home network. I've also got an http server running on it, not really to serve any type of website, but occasionally when sharing photos, I like to give people an http address to view them rather than attaching huge files to an email. Anyway, for this purpose, I leave httpd running. I've started seeing interesting stuff in my log files, which to me looks like people who have scanned my dsl subnet and searched for open port 80. Then they send invalid requests, assumingly to take down my machine or some other reason. What should I do about these logs? Can I contact the abuse department of their ISP? I've nslookup'd some of their IP's, and most of them seem to be other broadband users, mostly US IP addresses, California, TX, etc.
Also, am I at risk to any of the exploits these people may be trying to take advantage of? I'm kind of thinking they're looking for IIS servers, not my box.
Any advice is appreciated, and I hope this is an ok forum to post this, I didn't know where else to put it.

10-29-2004, 07:37 PM, #2
LQ Guru, Registered: Jan 2004, Location: NJ, USA, Distribution: Slackware, Debian, Posts: 5,852
Do you get about 50 lines of this:
Code:
x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90
If so, that is an IIS exploit, and is really nothing to worry about on an Apache server.
You could report them if you wanted to, but in all honesty, it is unlikely anybody you contact is going to take it seriously.

10-29-2004, 07:38 PM, #3
LQ Guru, Registered: Jan 2001, Posts: 24,149
A snippet of the logs would help, but I'm sure it's those exploits looking for a vulnerable IIS server, especially if you see something along the lines of this in your logs:
70.112.10.45 - - [25/Oct/2004:02:48:06 -0500] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02.... (keeps repeating this same string over and over)
or anything that is looking for an exe type file, etc.

10-29-2004, 07:51 PM, #4
LQ Guru, Registered: Jan 2004, Location: NJ, USA, Distribution: Slackware, Debian, Posts: 5,852
By the way, here is a method to put all those sort of things into their own log, so they don't clog up your legitimate messages:
Add these lines to your httpd.conf
Code:
# Normal requests go to access_log, anything not marked "good" goes to crack_log
# (on Fedora the log directory is /var/log/httpd rather than /var/log/apache)
CustomLog /var/log/apache/access_log common env=good
CustomLog /var/log/apache/crack_log common env=!good
<IfModule mod_setenvif.c>
# ordinary browser methods set the "good" variable
SetEnvIf Request_Method "HEAD" good
SetEnvIf Request_Method "GET" good
SetEnvIf Request_Method "POST" good
# the attribute name is Request_URI (Request_URL is not a valid SetEnvIf attribute);
# "!good" clears the variable again. The patterns are unanchored regexes, so
# "/script" also matches "/scripts" and any URI that merely contains that text.
SetEnvIf Request_URI "/script" !good
SetEnvIf Request_URI "/scripts" !good
SetEnvIf Request_URI "/default.ida" !good
</IfModule>
That should put all of those IIS exploit messages in their own log, called "crack_log". You could also just dump them to /dev/null, but I like to keep them around, just so I can see what some fool has been trying to do.
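An added example, written for this page and not code from any of the posters: a small Python script that applies the same sorting the httpd.conf snippet above does (HEAD, GET and POST allowed; URIs containing /script, /scripts or /default.ida flagged) to access-log lines offline, and additionally flags URIs carrying escaped binary bytes like the \x90 runs shown in post #3. It also counts flagged requests per client address, which is the figure you would put in an abuse report. The log lines are constructed samples using documentation IP ranges, and the function names are my own.

```python
import re
from collections import Counter

# Apache "common" log format: %h %l %u %t "%r" %>s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Same rules as the SetEnvIf lines in the httpd.conf snippet above
ALLOWED_METHODS = {"HEAD", "GET", "POST"}
BAD_URI_PATTERNS = ("/script", "/scripts", "/default.ida")
# Apache writes non-printable request bytes as \xHH; a browser-generated URI
# never contains them, so a run like \x90\x02\xb1 is a strong probe indicator
BINARY_ESCAPE = re.compile(r'\\x[0-9a-fA-F]{2}')

# Constructed sample lines (not taken from the thread); 192.0.2.0/24,
# 198.51.100.0/24 and 203.0.113.0/24 are reserved documentation ranges
SAMPLE_LOG = [
    r'192.0.2.10 - - [25/Oct/2004:02:48:06 -0500] "GET /photos/index.html HTTP/1.1" 200 5123',
    r'192.0.2.10 - - [25/Oct/2004:02:48:07 -0500] "GET /photos/img01.jpg HTTP/1.1" 200 240311',
    r'192.0.2.55 - - [25/Oct/2004:02:49:10 -0500] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1 HTTP/1.1" 501 0',
    r'192.0.2.77 - - [25/Oct/2004:02:50:00 -0500] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 0',
    r'192.0.2.77 - - [25/Oct/2004:02:50:01 -0500] "GET /scripts/nothere.exe HTTP/1.0" 404 0',
    r'198.51.100.3 - - [25/Oct/2004:02:51:30 -0500] "HEAD /photos/ HTTP/1.1" 200 0',
]


def parse_line(line):
    """Return the fields of one common-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("request").split(" ", 2)   # method, URI, protocol
    return {
        "host": m.group("host"),
        "time": m.group("time"),
        "method": parts[0],
        "uri": parts[1] if len(parts) > 1 else "",
        "status": int(m.group("status")),
    }


def classify(line):
    """Return ("good", "") or ("crack", reason), mirroring env=good / env=!good."""
    rec = parse_line(line)
    if rec is None:
        return "crack", "unparseable line"
    if rec["method"] not in ALLOWED_METHODS:
        return "crack", "method " + rec["method"]
    for pat in BAD_URI_PATTERNS:
        # SetEnvIf patterns are unanchored, so this is a substring test as well
        if pat in rec["uri"]:
            return "crack", "uri matches " + pat
    if BINARY_ESCAPE.search(rec["uri"]):
        return "crack", "binary bytes in uri"
    return "good", ""


def split_log(lines):
    """Sort lines into the two files the CustomLog directives would produce."""
    buckets = {"access_log": [], "crack_log": []}
    for line in lines:
        verdict, _ = classify(line)
        buckets["access_log" if verdict == "good" else "crack_log"].append(line)
    return buckets


def probe_sources(lines):
    """Count flagged requests per client address, e.g. for an abuse report."""
    counts = Counter()
    for line in lines:
        if classify(line)[0] == "crack":
            rec = parse_line(line)
            counts[rec["host"] if rec else "unparsed"] += 1
    return dict(counts)


if __name__ == "__main__":
    for name, lines in split_log(SAMPLE_LOG).items():
        print(name)
        for line in lines:
            print("  " + line)
    print(probe_sources(SAMPLE_LOG))
```

Run it against a real file with `split_log(open("/var/log/httpd/access_log").read().splitlines())`. Note the same caveat as the httpd.conf version: the substring match on "/script" will also send legitimate requests for paths like /photos/script.js to the crack log, so tighten the patterns if you serve such files.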

10-29-2004, 10:15 PM, #5
Member, Registered: Jul 2004, Posts: 90, Original Poster
Awesome, thanks for the tips guys! I was going to post one of the logs, but didn't want the bottom scroll bar to go on for miles, so I held off, but yes those are exactly the logs I've been seeing. I'm a little upset that I can't get these little punks for the crap they're pulling, but then again, I was 15 once too. I guess I'll keep them in their own log and laugh at them occasionally. Thanks again!