[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sheflug] Funny GETs in www logs.

To: sheflug@xxxxxxxxxxxxxx
Subject: Re: [Sheflug] Funny GETs in www logs.
From: Robin Wood <robin@xxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 05 Mar 2008 23:22:56 +0000
Delivered-to: sheflug@meiring.org.uk
List-help: <mailto:sheflug-request@sheflug.org.uk?subject=help>
List-id: <sheflug_sheflug.org.uk.sheflug.org.uk>
List-post: <mailto:sheflug@sheflug.org.uk>
List-subscribe: <http://sheflug.org.uk/mailman/listinfo/sheflug_sheflug.org.uk>, <mailto:sheflug-request@sheflug.org.uk?subject=subscribe>
List-unsubscribe: <http://sheflug.org.uk/mailman/listinfo/sheflug_sheflug.org.uk>, <mailto:sheflug-request@sheflug.org.uk?subject=unsubscribe>
Organization: Freedom Software
Reply-to: robin@xxxxxxxxxxxxxxxxxxxxx, sheflug@xxxxxxxxxxxxxx
Sender: sheflug-bounces@xxxxxxxxxxxxxx

On Wed, 2008-03-05 at 11:09 +0000, Adam Funk wrote:
> My www.ducksburg.com/scripts/ directory doesn't have an index page, so
> Apache just gives the "standard list" of its contents.  Occasionally
> I see weird sequences such as the following in my www logs:
> 
> 22:29:24    GET / 
> 22:29:24    GET /scripts/ 
> 22:29:24    GET /scripts/?C=http%3A%2F%2Fwww.cjp.spb.ru%2Fen%2Ftis%2Fleboma%2F;O=A 
> 22:29:25    GET /scripts/?C=http%3A%2F%2Fwww.municipioxii.it%2Fsunnyway%2Feheqebi%2Fjahibop%2F;O=A 
> 22:29:25    GET /scripts/?C=http%3A%2F%2Fsahel55.com%2Farticles%2Fomaduro%2Fkimumid%2F;O=A 
> 22:29:25    GET /scripts/?C=M;O=http%3A%2F%2Fwww.altaiseer-eg.com%2Far%2Farticles%2Fjed%2Fumut%2F 
> 22:29:25    GET /scripts/?C=M;O=http%3A%2F%2Fwww.northfans.ch%2Fforum%2Fadmin%2Fsettings%2Fgucor%2Fujusu%2F 
> 22:29:25    GET /scripts/?C=M;O=http%3A%2F%2Fwww.cjp.spb.ru%2Fen%2Ftis%2Fleboma%2F 
> 22:29:26    GET /scripts/photofilename.perl 
> 22:29:26    GET /scripts/?C=M;O=A 
> 22:29:26    GET /scripts/?C=N;O=A
> 
> That's a real example, edited down for readability.  Those entries all
> come from one remote host and give the user-agent "Mozilla/4.0
> (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR
> 1.1.4322)".
> 
> What does this mean?  Is this a bot looking for some kind of
> vulnerability to post web-spam?
> 
I couldn't say which vulnerability it is looking for but it does seem to
be looking for one. The urls it hits will probably be ones it controls
and it will be looking for either your script to redirect the user to
the url or for it to get content from that url, either way it can
control your site.

I'd turn off directory indexing if you don't need it, add a custom index
page with links to the scripts if you want people to be able to find
them easily, that would obscure it from the bots slightly.

Robin



_______________________________________________
        Sheffield Linux User's Group
  http://www.sheflug.org.uk/mailfaq.html
 GNU - The choice of a complete generation

References:
- [Sheflug] Funny GETs in www logs.
  - From: Adam Funk

Prev by Date: Re: [Sheflug] Funny GETs in www logs.
Next by Date: [Sheflug] ShefLUG - March Meeting
Previous by thread: Re: [Sheflug] Funny GETs in www logs.
Next by thread: [Sheflug] ShefLUG - March Meeting
Index(es):
- Date
- Thread