[CLUE-Tech] annoying attempts to compromise web server

Charles Oriez coriez at oriez.org
Wed Oct 13 09:38:52 MDT 2004


At 09:15 AM 10/13/2004, Bruce Ediger wrote:

>On Wed, 13 Oct 2004, mike havlicek wrote:
>
> > of my linux boxes. Over the last 2 days or so apache
> > has been logging (in access_log) attempts from a
> > particular IP trying to "run" things like:
> >
> > 67.165.178.202 - - [13/Oct/2004:07:49:58 -0600] "GET
> > /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
> > HTTP/1.0" 404 972 "-" "-"
> >
> > every 30 to 40 minutes.
> >
> > Any suggestions on how to deal with this sort of
> > thing?
>
>At one point, (during NIMDA's reign of terror) I put a file full of junk
>under the document root directory, in a subdirectory matching what
>NIMDA's HTTP requests asked for.  I guess it used some of my outgoing
>bandwidth to send junk bytes to various NIMDA's, but at least I had a little
>satisfaction.
>
>The other thing you could do is put a file in place that would give
>back a DIR-like listing to the program in question.  It might use up
>a little bit more of the script kiddie's time, getting him/her/it to
>look through the listing to decide if he/she/it had an exploit.


or redirect it to microsoft.com so that microsoft could inform them that 
their machine is owned

I'm wondering if something could be put in httpd.conf that would function 
as a honeypot



--
coriez at oriez.org 39  34' 34.4"N / 105 00' 06.3"W
"Drag God into politics, and you'll ruin his reputation in no time." - 
Molly Ivins
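A defender-side way to pick these probes out of access_log, as an added example and not code from anyone in this thread: it percent-decodes the request path repeatedly so the double-encoded `..%25%35%63..` in the quoted log line resolves to `..\..`, then flags requests that combine directory traversal with cmd.exe and tallies them per source address. The log lines below are constructed samples modelled on the one quoted above.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access_log lines (combined format), modelled on the probe in the thread.
SAMPLE_LOG = """\
67.165.178.202 - - [13/Oct/2004:07:49:58 -0600] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 972 "-" "-"
10.0.0.5 - - [13/Oct/2004:08:01:10 -0600] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.6 - - [13/Oct/2004:08:02:44 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 972 "-" "-"
67.165.178.202 - - [13/Oct/2004:08:25:03 -0600] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 972 "-" "-"
"""

# client, [timestamp], "METHOD path PROTOCOL", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def decode_fully(path, max_rounds=3):
    """Percent-decode until the string stops changing, so %25%35%63 -> %5c -> backslash."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal_probe(path):
    """True when the decoded path climbs out of the docroot and targets cmd.exe."""
    p = decode_fully(path).lower()
    return ("../" in p or "..\\" in p) and "cmd.exe" in p


def scan(log_text):
    """Return (client, timestamp, raw_path) for every line matching the probe pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_probe(m.group(4)):
            hits.append((m.group(1), m.group(2), m.group(4)))
    return hits


def probes_per_client(log_text):
    """Count flagged requests per source address, e.g. to spot the one repeating every 30-40 minutes."""
    return Counter(client for client, _, _ in scan(log_text))
```

Run it over a real access_log by passing the file contents to `scan()`; a 404 on these paths means Apache served nothing, so the count is a measure of noise, not compromise.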