[Dshield] Some strangeness in the Apache logs... anyone know about this?

Johannes Ullrich jullrich at euclidian.com
Thu Oct 10 22:03:44 GMT 2002

On Thu, 10 Oct 2002 12:56:38 -0700
John Draper <crunch at shopip.com> wrote:

> I'm seeing a number of GET /NULL in my Apache logs. Not /NULL.xxx, just
> /NULL. Does anyone know what these are?

Interesting... any followup attempts after they do this? I would
suspect that they try to get to the server signature via error
page that may be displayed. As by now, people probably got
IDS signatures setup for the 'HTTP 1.1 without hostname' trick,
this may be just another way....

Of course, it would also be a broken spider that missuses a 'NULL' 
some database may return.

jullrich at euclidian.com             Collaborative Intrusion Detection
                                         join http://www.dshield.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://www.dshield.org/pipermail/list/attachments/20021010/ed15ab99/attachment.bin

More information about the list mailing list