[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[ale] stupid question to the apache experts
- Subject: [ale] stupid question to the apache experts
- From: greg at turnstep.com (greg at turnstep.com)
- Date: Thu, 23 Aug 2001 07:44:34 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> Going through my log just now and I see a GET to a fully qualified
> url that is in no way related to my site. Anyone explain to me how
> this could happen? A screwed up dns? Why wouldn't this show up in
> my error_log?
Could be the Code Red [123] Worm. If the entry is a request for
"default.ida" with a whole bunch of garbage afterwards, it's
the worm. Of course, as an Apache user you have nothing at
all to worry about. :) Check the fourth to last field for the code
that the browser returned. If it's a 400 series, then you should
also have a line in the error_log. (This code comes right after
the GET request.) For example, here are two recent entries
from my access_log:
(the actual requests are hundreds of characters long, trimmed
to save space)
207.197.158.22 - - [23/Aug/2001:03:50:38 -0400]
"GET /default.ida?XXX%u909%u00=a HTTP/1.0" 403 273 "-" "-"
212.213.219.229 - - [23/Aug/2001:07:01:26 -0400]
"GET /default.ida?XXX%u00=a HTTP/1.0" 404 1589 "-" "-"
Both have 400 error codes (access denied and file not found) so show up in
the error log as well. In the future, please
go ahead and post the relevant line from the access_log
to the list (edited for privacy if you wish), as all of this
is only a guess. :)
Greg Sabino Mullane
- ----------------------------------------------------------------
/~\ The ASCII
\ / Ribbon Campaign *greg at turnstep.com*
X Against HTML PGP Key: 0x14964AC8
/ \ Email! 200108220742
-----BEGIN PGP SIGNATURE-----
Comment: http://www.turnstep.com/pgp.html
iQA/AwUBO4TsgLybkGcUlkrIEQJoWQCeOVz9JHjUDuhA+aJgbYXiGmJdymc
AoKtB
TXfDJxvsZEwOvifu0miYnq7n
=PxKj
-----END PGP SIGNATURE-----
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.