[H-GEN] weird web server logs

David Seikel won_fang at yahoo.com.au
Wed Feb 26 23:41:03 EST 2003


[ Humbug *General* list - semi-serious discussions about Humbug and     ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]

 --- Tony Nugent <tony at linuxworks.com.au> wrote: 
> 
> This is an obvious "root-access" attempt to exploit problems with
> vulnerable versions of m$-IIS.
> 
> The full first and last log of an event is recorded here to
> illustrate the total time (10 seconds).  Below that is a summary of
> the "file not found" errors.  This can happen several times/day,
> from different IPs, and like this one the src IP does not resolve.

<snip>
 
> I'd really like to have the web server outright refuse to respond to
> these sorts of queries... is it possible to get Apache to automatically
> block (or ignore) IPs that do this - especially not to respond with
> any error message (ie, ignore the request)?

This is the most common web server exploit attempt on the net, and has been
for years.  If you trace these back, you will find that they tend to come
from dial up and university accounts.  Script kiddies.  Blocking the IPs
will do more harm than good, as the script kiddie is likely to be using a
dynamic IP that is used by lots of other dial up customers / uni students.
Since the file is not found, and the request is made by a script, there is
not much point in reconfiguring your web server.  The log entries are bigger
than the bandwidth used, so there isn't any point.  If you actually operate
a MS server, then there is a real problem.


--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.  See http://www.humbug.org.au/
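
Added example (not part of the original posts): one way to measure the probe bursts discussed in this thread instead of blocking source IPs, by grouping each host's "file not found" responses in an Apache Common Log Format access log. The log lines, documentation-range IPs, placeholder paths and the function name probe_bursts are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')

# Constructed sample lines (documentation IPs, placeholder request paths).
SAMPLE_LOG = """\
192.0.2.10 - - [26/Feb/2003:10:00:00 +1000] "GET /scripts/probe-a.exe HTTP/1.0" 404 280
192.0.2.10 - - [26/Feb/2003:10:00:03 +1000] "GET /scripts/probe-b.exe HTTP/1.0" 404 280
198.51.100.7 - - [26/Feb/2003:10:00:04 +1000] "GET /index.html HTTP/1.0" 200 5120
192.0.2.10 - - [26/Feb/2003:10:00:10 +1000] "GET /scripts/probe-c.exe HTTP/1.0" 404 280
198.51.100.7 - - [26/Feb/2003:10:05:00 +1000] "GET /missing.gif HTTP/1.0" 404 270
192.0.2.10 - - [26/Feb/2003:18:30:00 +1000] "GET /scripts/probe-a.exe HTTP/1.0" 404 280
"""

def probe_bursts(log_text, max_gap=30, min_hits=3):
    """Group each host's 404s into bursts; return bursts with >= min_hits."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m or m.group(4) != "404":
            continue  # only "file not found" responses are of interest
        when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        size = 0 if m.group(5) == "-" else int(m.group(5))
        per_host[m.group(1)].append((when, size))
    bursts = []
    for host, hits in per_host.items():
        hits.sort()
        group = [hits[0]]
        # The trailing None flushes the last group of each host.
        for hit in hits[1:] + [None]:
            if hit and (hit[0] - group[-1][0]).total_seconds() <= max_gap:
                group.append(hit)
                continue
            if len(group) >= min_hits:
                bursts.append({
                    "host": host, "hits": len(group),
                    "seconds": (group[-1][0] - group[0][0]).total_seconds(),
                    "bytes": sum(s for _, s in group)})
            group = [hit]
    return bursts

if __name__ == "__main__":
    for burst in probe_bursts(SAMPLE_LOG):
        print(burst)
```

A lone 404 from an ordinary visitor (the missing.gif line) stays below min_hits and is not reported, and the per-burst byte total shows how little response traffic such a burst costs.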