AW: [suse-security] Strange apache log entry
You're right, a little paranoia is appropriate in order to secure a network. I am worried about security and I would never use IIS or install anything like FrontPage extensions for any other web server. But I wouldn't worry if a logfile entry points to _vti_<something>, which is either a user who entered the wrong server or, if it's a hacker, a script scanning a whole bunch of web servers for known security holes. If it is a real human cracker (!= script kiddy), who tries to crack just this single system, he/she will find a way into it.

-----Original Message-----
From: Boris Lorenz [mailto:bolo@lupa.de]
Sent: Thursday, 31 May 2001 16:19
To: suse-security@suse.com
Subject: RE: [suse-security] Strange apache log entry

On 31-May-01 Peer Stefan wrote:
Ok, Microsoft FrontPage has several security flaws, but that does not automatically mean that every request for _vti_<whatever> is done by a hacker or a script-kiddy.
Well, not *every* request, but there are *some*. That's enough for being worried, isn't it?
Have a look at the browser the client is using, if it's "MSFrontPage/X.Y" then please don't worry. But do worry if it's the only request for a link containing _vti* or if there is only one client (if it's not a proxy) requesting this url.
Watch your system, but don't worry too much.
IMHO such suggestions are somewhat misleading. At last, this is a security mailing list we're posting in, and a certain amount of paranoia seems to be appropriate considering the current lack of (inter)network security we're confronted with all day. Sometimes I wish some of 'dem (security-)admins would be just a little more aggressive towards security incidents of *any* kind, even if they (the incidents) would end up being harmless. Sorry for the rant...;)
regards, Stefan Peer
-----Original Message-----
From: Soeren Todt [mailto:sworn@gmx.net]
Sent: Thursday, 31 May 2001 15:30
To: suse-security@suse.com; Thorsten Marquardt
Subject: Re: [suse-security] Strange apache log entry
Hi,
----- Original Message -----
From: "Thorsten Marquardt" <thom@kaupp.chemie.uni-oldenburg.de>
To: <suse-security@suse.com>
Sent: Thursday, May 31, 2001 1:45 PM
Subject: [suse-security] Strange apache log entry
My logfiles report 404 requests to /_vti_bin/shtml.exe/_vti_rpc and similar.
Is this a kind of hacker attack? [...]
---
Boris Lorenz <bolo@lupa.de>
System Security Admin *nix - *nux
---
From: "Peer Stefan" <stefan.peer@tiwag.at>
If it is a real human cracker (!= script kiddy), who tries to crack just this single system, he/she will find a way into it.
Now that is rather defeatist, a real cracker has to weigh up the cost/benefit, if you have battened up all the exploits with scripts, have minimised the services they can connect to, and are tracing back their failed attempts, you can make it more trouble than it's worth. Their attempts will alert you to their previous victims, and they are likely to lose more boxes than they gain by attacking your machine. Unless they have a particular reason, or an axe to grind against you, logic dictates they move on to a softer target, as if they do break in, you will just pull the box and reinstall.

I think if you had said, network, I'd be more inclined to agree, it is very difficult to close all the holes on a variety of systems offering a large number of services. Once they're in they can probably add back doors faster than you can close them, and usually management are reluctant to shut down the entire network for any length of time in response to such an incident.

Of course if it becomes 'personal' then DoS attacks become a problem, but also you could try a Linux Virtual Server set up and learn their tricks and watch them operate in a sacrificial environment.

Rob
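The triage rule discussed in this thread (look at the User-Agent on `_vti_` requests and at whether the client asked for anything else), sketched as an added example that is not part of any poster's message. The log lines are constructed, and the "probe-only" rule is one reading of the heuristic, not something the posters specified.

```python
import re
from collections import defaultdict

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (documentation addresses, not taken from the thread).
SAMPLE_LOG = """\
192.0.2.10 - - [31/May/2001:13:40:01 +0200] "GET /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 404 290 "-" "Mozilla/4.0"
198.51.100.7 - - [31/May/2001:14:02:11 +0200] "GET /index.html HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [31/May/2001:14:02:30 +0200] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 404 290 "-" "MSFrontPage/4.0"
203.0.113.5 - - [31/May/2001:15:10:00 +0200] "GET / HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
203.0.113.5 - - [31/May/2001:15:10:09 +0200] "GET /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 404 290 "-" "Mozilla/4.0"
"""


def triage(log_text):
    """Return {client: verdict} for every client that requested a _vti_ path."""
    stats = defaultdict(lambda: {"vti": 0, "other": 0, "fp_agent": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        s = stats[m["host"]]
        if "/_vti_" in m["path"].lower():
            s["vti"] += 1
            # The User-Agent is client-supplied, so treat it as a hint only.
            s["fp_agent"] |= m["agent"].startswith("MSFrontPage/")
        else:
            s["other"] += 1

    verdicts = {}
    for host, s in stats.items():
        if s["vti"] == 0:
            continue  # client never touched a FrontPage path
        if s["fp_agent"]:
            verdicts[host] = "frontpage-client"  # likely pointed at the wrong server
        elif s["other"] == 0:
            verdicts[host] = "probe-only"  # asked for nothing but _vti_ paths
        else:
            verdicts[host] = "mixed"  # normal browsing plus a _vti_ request
    return verdicts


if __name__ == "__main__":
    for client, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(client, verdict)
```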