LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 10-29-2004, 07:07 PM   #1
cambie
Member
 
Registered: Jul 2004
Posts: 90

Rep: Reputation: 15
httpd logs - what to do?


I have Fedora Core 2 installed on a PC that i use as a file server for my home network. I've also got an http server running on it, not really to serve any type of website, but occasionally when sharing photos, I like to give people an http address to view them rather than attaching huge files to an email. Anyway, for this purpose, I leave httpd running. I've started seeing interesting stuff in my log files, which to me looks like people who have scanned my dsl subnet and searched for open port 80. Then they send invalid requests, assumingly to take down my machine or some other reason. What should I do about these logs? Can I contact the abuse department of their ISP? I've nslookup'd some of their IP's, and most of them seem to be other broadband users, mostly US Ip addresses, California, TX, etc.

Also, and I at risk to any of the exploits these people may be trying to take advantage of? I'm kind of thinking they're looking for IIS servers, not my box.

Any advice is appreciated, and I hope this is an ok forum to post this, I didn't know where else to put it.
 
Old 10-29-2004, 07:37 PM   #2
MS3FGX
LQ Guru
 
Registered: Jan 2004
Location: NJ, USA
Distribution: Slackware, Debian
Posts: 5,852

Rep: Reputation: 361Reputation: 361Reputation: 361Reputation: 361
Do you get about 50 lines of this:

Code:
x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90
If so, that is an IIS exploit, and is really nothing to worry about on an Apache server.

You could report them if you wanted to, but in all honestly, it is unlikely anybody you contact it going to take it seriously.
 
Old 10-29-2004, 07:38 PM   #3
trickykid
LQ Guru
 
Registered: Jan 2001
Posts: 24,149

Rep: Reputation: 269Reputation: 269Reputation: 269
A snippet of the logs would help but I'm sure its those exploits looking for a vulnerable IIS server.. especially if you see something along the lines of this in your logs:

70.112.10.45 - - [25/Oct/2004:02:48:06 -0500] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02.... (keeps repeating this same string over and over)

or anything that is looking for an exe type file, etc.
 
Old 10-29-2004, 07:51 PM   #4
MS3FGX
LQ Guru
 
Registered: Jan 2004
Location: NJ, USA
Distribution: Slackware, Debian
Posts: 5,852

Rep: Reputation: 361Reputation: 361Reputation: 361Reputation: 361
By the way, here is a method to put all those sort of things into their own log, so they don't clog up your legitimate messages:

Add these lines to your httpd.conf

Code:
CustomLog /var/log/apache/access_log common env=good
CustomLog /var/log/apache/crack_log common env=!good

<IfModule mod_setenvif.c>
SetEnvIf Request_Method "HEAD" good
SetEnvIf Request_Method "GET" good
SetEnvIf Request_Method "POST" good
SetEnvIf Request_URL "/script" !good
SetEnvIf Request_URL "/scripts" !good
SetEnvIf Request_URL "/default.ida" !good

</IfModule>
That should put all of those IIS exploit messages in their own log, called "crack_log". You could also just dump them to /dev/null, but I like to keep them around, just so I can see what some fool has been trying to do.
 
Old 10-29-2004, 10:15 PM   #5
cambie
Member
 
Registered: Jul 2004
Posts: 90

Original Poster
Rep: Reputation: 15
awesome, thanks for the tips guys! I was going to post one of the logs, but didn't want the bottom scroll bar to go on for miles, so I held off, but yes those are exactly the logs I've been seeing. I'm a little upset that I can't get these little punks for the crap their pulling, but then again, I was 15 once too. I guess I'll keep them in their own log and laugh at them occasionally. Thanks again!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
httpd weird logs dominant Linux - Security 3 02-08-2005 05:42 AM
Firefox logs user out? Where are error logs? case1984 Linux - General 0 10-09-2004 02:22 PM
service httpd status, results in httpd dead but subsys locked squadja Red Hat 2 09-11-2004 10:31 PM
Webalizer -c /etc/config1.conf Returns /etc/httpd/logs MadTurki Linux - General 1 03-31-2004 08:33 AM
httpd chokes on ScriptAlias line in Apache httpd.conf lhoff Linux - Software 1 07-14-2003 10:32 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 05:36 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration