[CLUE-Tech] annoying attempts to compromise web server

Bruce Ediger eballen1 at qwest.net
Wed Oct 13 09:15:37 MDT 2004


On Wed, 13 Oct 2004, mike havlicek wrote:

> of my linux boxes. Over the last 2 days or so apache
> has been logging (in access_log) attempts from a
> particular IP trying to "run" things like:
>
> 67.165.178.202 - - [13/Oct/2004:07:49:58 -0600] "GET
> /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 972 "-" "-"
>
> every 30 to 40 minutes.
>
> Any suggestions on how to deal with this sort of
> thing?

At one point (during NIMDA's reign of terror), I put a file full of junk
under the document root directory, in a subdirectory matching what
NIMDA's HTTP requests asked for.  I guess it used some of my outgoing
bandwidth to send junk bytes to various NIMDAs, but at least I had a little
satisfaction.

The other thing you could do is put a file in place that would give
back a DIR-like listing to the program in question.  It might use up
a little bit more of the script kiddie's time, getting him/her/it to
look through the listing to decide if he/she/it had an exploit.
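
Added example, not part of the original post: a filter for access_log lines like the one quoted above. It percent-decodes the request target until it stops changing (the quoted `..%25%35%63..` needs two rounds to become `..\..`), flags traversal toward `cmd.exe`, and counts probes per source host. The function names and every sample line except the quoted one are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache common/combined format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"\S+ (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) \S+')

def fully_decode(target, max_rounds=5):
    """Percent-decode until stable; return (decoded, rounds needed)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(target)
        if decoded == target:
            break
        target, rounds = decoded, rounds + 1
    return target, rounds

def classify(line):
    """Return (host, status, reasons) for a probe line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded, rounds = fully_decode(m.group("target"))
    path = decoded.replace("\\", "/").lower()  # treat \ and / alike
    reasons = []
    if rounds > 1:  # ordinary clients encode once, not twice
        reasons.append("double-encoded")
    if "../" in path:
        reasons.append("traversal")
    if "cmd.exe" in path:
        reasons.append("windows-shell")
    return (m.group("host"), m.group("status"), reasons) if reasons else None

def summarize(lines):
    """Probes per host, plus probes that did not receive a 4xx reply."""
    hits, answered = Counter(), Counter()
    for host, status, _ in filter(None, map(classify, lines)):
        hits[host] += 1
        if not status.startswith("4"):
            answered[host] += 1
    return hits, answered

SAMPLE = [  # first line is the one quoted in the thread; the rest are constructed
    '67.165.178.202 - - [13/Oct/2004:07:49:58 -0600] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 972 "-" "-"',
    '192.0.2.10 - - [13/Oct/2004:07:50:11 -0600] "GET /docs/my%20file.html HTTP/1.0" 200 5120 "-" "-"',
    '192.0.2.7 - - [13/Oct/2004:08:21:03 -0600] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 310 "-" "-"',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A host showing up in the second counter received something other than a 4xx for a probe, which is what a decoy file like the ones described above would produce and is worth confirming is intentional.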


