[CLUE-Tech] annoying attempts to compromise web server

Joseph A. Nagy, Jr. jnagyjr at joseph-a-nagy-jr.us
Wed Oct 13 10:58:58 MDT 2004


On Wed, Oct 13, 2004 at 09:38:52AM -0600, Charles Oriez wrote the following:
> At 09:15 AM 10/13/2004, Bruce Ediger wrote:
> 
> >On Wed, 13 Oct 2004, mike havlicek wrote:
> >
> >> of my linux boxes. Over the last 2 days or so apache
> >> has been logging (in access_log) attempts from a
> >> particular IP trying to "run" things like:
> >>
> >> 67.165.178.202 - - [13/Oct/2004:07:49:58 -0600] "GET
> >> /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
> >> HTTP/1.0" 404 972 "-" "-"
> >>
> >> every 30 to 40 minutes.
> >>
> >> Any suggestions on how to deal with this sort of
> >> thing?
> >
> >At one point, (during NIMDA's reign of terror) I put a file full of junk
> >under the document root directory, in a subdirectory matching what
> >NIMDA's HTTP requests asked for.  I guess it used some of my outgoing
> >bandwidth to send junk bytes to various NIMDA's, but at least I had a
> >little satisfaction.
> >
> >The other thing you could do is put a file in place that would give
> >back a DIR-like listing to the program in question.  It might use up
> >a little bit more of the script kiddie's time, getting him/her/it to
> >look through the listing to decide if he/she/it had an exploit.
> 
> 
> or redirect it to microsoft.com so that microsoft could inform them that 
> their machine is owned
> 
> I'm wondering if something could be put in httpd.conf that would function 
> as a honeypot

I used to use sugarplum to handle those, now I just ignore them (too lazy to
reset up sugarplum).

-- 
AIM: pres CTHULHU | ICQ: 18115568 | Yahoo: pagan_prince
Jabber: DarkKnightRadick@(jabber.org|amessage.at) | Libertarian @ Large
PGP: 0x642F7BDA | < http://groups.yahoo.com/group/tennesseans-for-badnarik/ >
< http://mc-luug.homelinux.org/mailman/listinfo/mc-luug >