Incidents
Re: strange http get requests in apache access logs Oct 17 2006 10:25AM
rowland onobrauche (rowland onobrauche legendplc com)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

aldiones wrote:

> Could you please share how you prevented this from happening in
> your server?
>
> It would be greatly appreciated.
>
> Thanks!
>
> On 10/16/06, rowland onobrauche
> <rowland.onobrauche (at) legendplc (dot) com> wrote:
>

>
>
> Aubs wrote:
>
>> Care to share with all? on the list - After all you did ask for
>> help :)
>
>> On 13/10/06, rowland onobrauche
>> <rowland.onobrauche (at) legendplc (dot) com> wrote:
>
>
>> Digital Ebola wrote:
>
>>> On 10/13/06, rowland onobrauche
>>> <rowland.onobrauche (at) legendplc (dot) com> wrote:
>
>
>>> Hi all.
>
>>> I'm getting logs such as
>
>>> "GET
>>> http://www.escorts-etc.com/cgi-bin/ftop100/rankem.cgi?id=gagvault
>>> HTTP/1.0" 200 147 " http://www.gagvault.com/linkspage.html"
>>> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
>
>>> In some of my httpd access logs, even though this type of site
>>> is not existent on the server. Anyone seen this before??
>
>> ------------------------------------------------------------------------------
>> This List Sponsored by: Black Hat
>>
>> Attend the Black Hat Briefings & Training USA, July 29-August 3
>> in Las Vegas. World renowned security experts reveal tomorrow's
>> threats today. Free of vendor pitches, the Briefings are designed
>> to be pragmatic regardless of your security environment.
>> Featuring 36 hands-on training courses and 10 conference tracks,
>> networking opportunities with over 2,500 delegates from 40+
>> nations.
>>
>> http://www.blackhat.com
>> ------------------------------------------------------------------------------
>
>>> Are you running any type of proxy configuration?
>
>
>
>
>
>> No proxy, but someone has explained what the problem is.
>
>> thanks very much to all
>
>
>
>
>
>
>
>
> Thanks to all for the help.
>
> I have since found that it was someone scanning for an open proxy.
>
>
> regards
>
> rowlando


> -- Good design adds value faster than it adds cost.

All I could do was block the IP from the whole network and install
mod_security on this particular server.

rowlando

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFFNK+Hn71Wg8vs0SURAqVwAJ9idgF6L8KBSnIBjtYuaZ0geZmVkQCgoe7N
jObgBm3CqkASSUBvRj3tkFY=
=Vp2w
-----END PGP SIGNATURE-----
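
Added example, not part of the original thread: a log check that picks out the kind of request quoted above, a GET with a full http:// URL for a foreign host (or a CONNECT), and counts per client how many were answered with a 2xx status. LOCAL_HOSTS, the client addresses and the timestamps are assumptions made up for the sample.

```python
import re
from urllib.parse import urlsplit

# Assumption: the names this server legitimately answers for (hypothetical).
LOCAL_HOSTS = {"www.example.org", "example.org"}

# Apache combined format: client ident user [time] "request" status bytes ...
LINE_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) ')

def proxy_probe(line, local_hosts=LOCAL_HOSTS):
    """Return details of a proxy-style request, or None for ordinary traffic."""
    m = LINE_RE.match(line)
    parts = m.group("request").split() if m else []
    if len(parts) < 2:
        return None
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":                      # authority-form: host:port
        host = target.rsplit(":", 1)[0].lower()
    elif target.lower().startswith(("http://", "https://")):
        try:
            host = (urlsplit(target).hostname or "").lower()
        except ValueError:                       # malformed authority
            host = ""
    else:
        return None                              # origin-form "/path"
    if host in local_hosts:
        return None                              # absolute URI for our own site
    status = int(m.group("status"))
    return {"client": m.group("client"), "method": method, "host": host,
            "status": status, "answered": 200 <= status < 300}

def summarise(lines):
    """Map client address -> [probe count, probes answered with 2xx]."""
    out = {}
    for line in lines:
        hit = proxy_probe(line)
        if hit:
            row = out.setdefault(hit["client"], [0, 0])
            row[0] += 1
            row[1] += hit["answered"]
    return out

# Constructed sample: the first request is the one quoted in the thread.
SAMPLE = [
    '192.0.2.10 - - [13/Oct/2006:09:12:01 +0100] "GET http://www.escorts-etc.com/cgi-bin/ftop100/rankem.cgi?id=gagvault HTTP/1.0" 200 147 "http://www.gagvault.com/linkspage.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.0.2.10 - - [13/Oct/2006:09:12:03 +0100] "CONNECT mail.example.net:25 HTTP/1.0" 405 312 "-" "-"',
    '198.51.100.7 - - [13/Oct/2006:09:13:10 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Oct/2006:09:13:11 +0100] "GET http://www.example.org/about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
print(summarise(SAMPLE))
```

A client with a non-zero second count is the one to look at first: the server answered its proxy-style request, so what was actually served needs checking by hand.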

