[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Sheflug] Funny GETs in www logs.
On Wed, 2008-03-05 at 11:09 +0000, Adam Funk wrote:
> My www.ducksburg.com/scripts/ directory doesn't have an index page, so
> Apache just gives the "standard list" of its contents. Occasionally
> I see weird sequences such as the following in my www logs:
>
> 22:29:24 GET /
> 22:29:24 GET /scripts/
> 22:29:24 GET /scripts/?C=http%3A%2F%2Fwww.cjp.spb.ru%2Fen%2Ftis%2Fleboma%2F;O=A
> 22:29:25 GET /scripts/?C=http%3A%2F%2Fwww.municipioxii.it%2Fsunnyway%2Feheqebi%2Fjahibop%2F;O=A
> 22:29:25 GET /scripts/?C=http%3A%2F%2Fsahel55.com%2Farticles%2Fomaduro%2Fkimumid%2F;O=A
> 22:29:25 GET /scripts/?C=M;O=http%3A%2F%2Fwww.altaiseer-eg.com%2Far%2Farticles%2Fjed%2Fumut%2F
> 22:29:25 GET /scripts/?C=M;O=http%3A%2F%2Fwww.northfans.ch%2Fforum%2Fadmin%2Fsettings%2Fgucor%2Fujusu%2F
> 22:29:25 GET /scripts/?C=M;O=http%3A%2F%2Fwww.cjp.spb.ru%2Fen%2Ftis%2Fleboma%2F
> 22:29:26 GET /scripts/photofilename.perl
> 22:29:26 GET /scripts/?C=M;O=A
> 22:29:26 GET /scripts/?C=N;O=A
>
> That's a real example, edited down for readability. Those entries all
> come from one remote host and give the user-agent "Mozilla/4.0
> (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR
> 1.1.4322)".
>
> What does this mean? Is this a bot looking for some kind of
> vulnerability to post web-spam?
>
I couldn't say which vulnerability it is looking for but it does seem to
be looking for one. The urls it hits will probably be ones it controls
and it will be looking for either your script to redirect the user to
the url or for it to get content from that url, either way it can
control your site.
I'd turn off directory indexing if you don't need it, add a custom index
page with links to the scripts if you want people to be able to find
them easily, that would obscure it from the bots slightly.
Robin
_______________________________________________
Sheffield Linux User's Group
http://www.sheflug.org.uk/mailfaq.html
GNU - The choice of a complete generation