Welcome to the MacNN Forums.

Webserver Question
Mac Elite
Join Date: Jul 2002
Location: Youngsville, NC
Mar 22, 2003, 10:52 PM
 
I just learned how to set up my webserver, forward ports, all that fun stuff. I also learned how to find my log. About 90% of my log is looking for /winnt/system32/cmd.exe then some http1.0 and some numbers. I've been told that this is a Windows virus trying to infect my machine, and that it's harmless. What would happen if I made a /winnt/system32/ folder and placed, say a .jpg I renamed to cmd.exe in there? Would it crash the offending computer (hopefully), or waste cycles of mine serving him a .jpg?
I also see instances where Carrara Studio and BB Edit Lite have some entries in the log, I can post them if you like, but I'm confused as to why these applications left a log. Thanks,
Baits and Club
     
Grizzled Veteran
Join Date: Nov 2001
Location: Oregon
Mar 23, 2003, 12:45 AM
 
Yep, those system32 entries are the bad guys trying to co-opt your Windoze server (which, of course, you don't have, so you're safe). Yet another reason not to own a Wintel box.

No, putting a jpeg out there will only waste CPU cycles for you. A better approach is to disallow access for such attempts by adding the following to an Apache configuration file*:
Code:
# Block Code Red attempts
<LocationMatch "/default.ida$">
    Order Allow,Deny
    Deny from all
</LocationMatch>

# Block Nimda, Sumthin, root.exe, system32 attempts
<LocationMatch "^/(msadc|MSADC|sumthin|root\.exe|system32)">
    Order Allow,Deny
    Deny from all
</LocationMatch>

# Block any attempt to call an MS-DOS .exe file
<LocationMatch "\.exe$">
    Order Allow,Deny
    Deny from all
</LocationMatch>

# Block cgi-bin attempts
# (this is the section the notes below call fuchsia)
<LocationMatch "^/cgi-bin">
    Order Allow,Deny
    Deny from all
</LocationMatch>

# Keep the blocked attempts out of the access log
SetEnvIfNoCase Request_URI /sumthin$ doNotLog
SetEnvIfNoCase Request_URI /default.ida$ doNotLog
SetEnvIfNoCase Request_URI /msadc$ doNotLog
SetEnvIfNoCase Request_URI \.exe$ doNotLog
SetEnvIfNoCase Request_URI /system32$ doNotLog

# Keep graphics, style sheets and the favorites icon out of the access log
# (this is the section the notes below call blue)
SetEnvIfNoCase Request_URI \.gif$ doNotLog
SetEnvIfNoCase Request_URI \.jpg$ doNotLog
SetEnvIfNoCase Request_URI \.jpeg$ doNotLog
SetEnvIfNoCase Request_URI \.png$ doNotLog
SetEnvIfNoCase Request_URI \.css$ doNotLog
SetEnvIfNoCase Request_URI favicon\.ico$ doNotLog

# Write an access_log entry only when doNotLog is not set
CustomLog "/private/var/log/httpd/access_log" common env=!doNotLog
Note: The last part will prevent an entry in your access log when an attack is attempted, but won't prevent an entry from showing in your error log.

Also note: The blue colored section is unrelated, but I included it anyhow. It prevents entries for graphic files, style sheets, and favorites icon from showing up in your log files, which usually adds a lot of clutter (and bloat) but no useful information. If you want to log these items (although I can't imagine why), omit the section in blue.

You may need to omit the fuchsia colored section if you use CGI's.

As for the part about Carrara Studio and BB Edit Lite, you'll have to post those log entries; I have no idea what you're talking about on that one!
_______________________________________________
Footnotes:
* You're better off not modifying httpd.conf, but rather making your changes in a separate file stored in /private/etc/httpd/users/

Notice the last line of Apple's standard httpd.conf file:

Include /private/etc/httpd/users

That's intended to load httpd.conf customizations for individual users on your Mac. What it does, effectively, is append every file in the directory /private/etc/httpd/users/, in alphabetical order, to your /etc/httpd/httpd.conf file. So if you place a file containing only the customizations you would otherwise make to /etc/httpd/httpd.conf in the directory /private/etc/httpd/users/, your customizations will always be in effect without ever editing your /etc/httpd/httpd.conf file, and they won't break with each system update. Slick, eh?

Important safety tip: Every file in /private/etc/httpd/users/ is appended to your /etc/httpd/httpd.conf file, even files with suffixes like ".bak", so keep your backup files in another directory, else they are likely to override the changes you're making in your primary file (e.g. my.httpd.conf.bak would load after my.httpd.conf, which might undo the edits you've made and send you off chasing your tail for hours while trying to figure out why the changes you're making don't seem to work properly -- of course I was never caught by this snare!).
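
Added example (not part of the original post): a small Python model of the rules above, showing which deny rule catches each request and whether an access_log entry is written. The request lines are constructed samples; the sketch assumes the patterns are applied to the request path without the query string, does no percent-decoding, and treats the LocationMatch patterns as case-sensitive and the SetEnvIfNoCase patterns as case-insensitive.

```python
import re

# Patterns copied from the <LocationMatch> blocks in the post (case-sensitive).
DENY_RULES = [
    ("code-red", r"/default.ida$"),
    ("nimda", r"^/(msadc|MSADC|sumthin|root\.exe|system32)"),
    ("exe", r"\.exe$"),
    ("cgi-bin", r"^/cgi-bin"),
]
# Patterns copied from the SetEnvIfNoCase lines (case-insensitive).
NO_LOG = [r"/sumthin$", r"/default.ida$", r"/msadc$", r"\.exe$", r"/system32$",
          r"\.gif$", r"\.jpg$", r"\.jpeg$", r"\.png$", r"\.css$", r"favicon\.ico$"]

# Constructed request lines, modelled on the probes described in the thread.
SAMPLES = [
    "GET /winnt/system32/cmd.exe HTTP/1.0",
    "GET /default.ida?XXXX HTTP/1.0",
    "GET /MSADC/root.exe HTTP/1.0",
    "GET /Default.IDA HTTP/1.0",
    "GET /cgi-bin/form.pl HTTP/1.0",
    "GET /images/logo.jpg HTTP/1.0",
    "GET /index.html HTTP/1.0",
]

def evaluate(request_line):
    """Return (names of the deny rules that match, whether access_log gets an entry)."""
    _method, target, _proto = request_line.split(" ", 2)
    path = target.split("?", 1)[0]  # the patterns see the path, not the query string
    denied_by = [name for name, pat in DENY_RULES if re.search(pat, path)]
    logged = not any(re.search(pat, path, re.IGNORECASE) for pat in NO_LOG)
    return denied_by, logged

def blind_spots(request_lines):
    """Requests that are neither denied nor written to access_log."""
    out = []
    for line in request_lines:
        denied_by, logged = evaluate(line)
        if not denied_by and not logged:
            out.append(line)
    return out

if __name__ == "__main__":
    for line in SAMPLES:
        denied_by, logged = evaluate(line)
        print(f"{line:42} deny={denied_by or '-'} access_log={'yes' if logged else 'no'}")
    print("not denied and not logged:", blind_spots(SAMPLES))
```

In this model the /winnt/system32/cmd.exe probe is caught by the `\.exe$` rule, not the `system32` alternative, because that pattern is anchored at the start of the path. A differently-cased /Default.IDA request is not denied yet still drops out of the access log, since only the logging patterns ignore case.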
     
Mac Elite
Join Date: Jul 2002
Location: Youngsville, NC
Mar 23, 2003, 09:45 AM
 
Wow! Thanks for the help! Here's the excerpt with Carrara and BB Edit:
Baits and Club
     
Grizzled Veteran
Join Date: Nov 2001
Location: Oregon
Mar 24, 2003, 06:41 PM
 
Well that one is a head scratcher. That's not normal Apache fare. Looks like a plist somehow got into your web log file. My guess is it was appended to your web log by an application other than Apache. What are the permissions on your log files? They should look something like this:
Code:
ll /private/var/log/httpd
-rw-r--r--  1 root  wheel  17496 Feb 18 21:10 access_log
-rw-r--r--  1 root  wheel  20085 Feb 19 11:38 error_log
About the only other way that might get in there is if it were pasted into the URL box on a browser (but I don't think that would work: too many characters, and the returns and spaces would be converted to % notation).

If your permissions aren't like the example above, you should tighten them up. You say you have a couple entries like this in the log? Or more than that? My bet is that Apache didn't put them there.
     
Mac Elite
Join Date: Jul 2002
Location: Youngsville, NC
Mar 24, 2003, 06:51 PM
 
Hi,
I'm not sure how to find the permissions for the log files, but I ran the security update tonight, then I ran repair permissions on disk utility, so hopefully that helped. This was the only entry like that in the log too, the rest look like normal happenings. Thanks for your help, this was definitely weird!
Baits and Club
     
Grizzled Veteran
Join Date: Nov 2001
Location: Oregon
Mar 24, 2003, 11:31 PM
 
The permissions in my example above were done from the terminal, but you could also get at them from 10.2's Get Info dialog.

Edit: The owner should be "root" (or "system" from Get Info), and the only one with write permission.
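
Added example (not part of the original posts): one way to check the rule stated in this post and in the earlier permissions listing, that each log file is owned by root and writable only by its owner. The function name and the `expected_uid` parameter are illustrative; the directory to audit would be /private/var/log/httpd as named in the thread.

```python
import os
import stat

def audit_log_dir(log_dir, expected_uid=0):
    """Return {filename: [problems]} for log files that break the rule
    'owned by root, and only the owner may write'."""
    findings = {}
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        st = os.lstat(path)  # lstat: inspect the entry itself, do not follow links
        problems = []
        if stat.S_ISLNK(st.st_mode):
            # A link in the log directory can redirect writes somewhere else.
            problems.append("symlink")
        elif stat.S_ISREG(st.st_mode):
            if st.st_uid != expected_uid:
                problems.append(f"owner uid {st.st_uid}, expected {expected_uid}")
            if st.st_mode & stat.S_IWGRP:
                problems.append("group-writable")
            if st.st_mode & stat.S_IWOTH:
                problems.append("world-writable")
        else:
            continue  # directories, sockets etc. are outside this check
        if problems:
            findings[name] = problems
    return findings

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/private/var/log/httpd"
    results = audit_log_dir(target)
    for name, problems in results.items():
        print(f"{name}: {', '.join(problems)}")
    if not results:
        print("all log files are root-owned and writable by the owner only")
```

A file reported as group-writable or world-writable is one that a process other than Apache could append to, which is the situation the stray plist entry suggests.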
     
Mac Elite
Join Date: Mar 2001
Location: Minneapolis, MN
Mar 25, 2003, 03:00 AM
 
Might files be overlapping or overwriting each other? Have you run Disk First Aid lately?
     
   