[Dshield] Server

Johannes B. Ullrich jullrich at euclidian.com
Fri Aug 19 13:15:46 GMT 2005


> 12.44.172.92 - - [06/Aug/2005:21:51:56 -0400] "GET /downloads/?D=A HTTP/1.0" 200 4205 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
> 
> Accessing that directory is fine, but the /?M=A, I have no idea what
> that is...

In Apache, the web server will set up a basic index page if there is no
'index.html' (or whatever you use for an index). This index, a simple
file listing, can be sorted by adding the '?M=A' options and such. If
you click on any of the column headings, these options will be added.

So nothing malicious per se. Spiders may follow these links.

Did you add the '....' to the client id? If not, this is suspect...

> How do I know the part above isn't normal? Because some of the images are not actually used on the site anymore.
> Now, I don't think I'm being paranoid, but I have a feeling someone literally got into the server, unauthorized. I use a hosting
> company, but before I contact them, I wanted to be absolutely sure about what I'm looking at and my conclusions.

Overall, this looks like a distributed scan from a bot/search engine. I
don't see any major problem here. They essentially just used a script to
hit every page on your site. You may need to clamp down on some of your
authentication if some of these files are supposed to be restricted.

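The log check discussed in the message above, as an added example that is not part of the original post: it scans Combined Log Format lines for Apache auto-index sort links and reports which directories answered them with a 200, and from which clients. It goes beyond the '?M=A' form quoted in the message by also matching the Apache 2.x form ('?C=M;O=A'); the sample lines, addresses and user agents are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined Log Format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Sort links emitted by mod_autoindex column headings:
# Apache 1.3 style (?N=A, ?M=D, ...) and Apache 2.x style (?C=M;O=A).
SORT_OLD = re.compile(r'^[NMSD]=[AD]$')
SORT_NEW = re.compile(r'^C=[NMSD](?:[;&]O=[AD])?$')

def is_autoindex_sort(target):
    """True if the request target is a directory URL carrying only a sort option."""
    parts = urlsplit(target)
    return parts.path.endswith('/') and bool(
        SORT_OLD.match(parts.query) or SORT_NEW.match(parts.query))

def listed_directories(lines):
    """Map each directory that answered a sort link with 200 to its client hosts."""
    hits = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m['status'] != '200':
            continue  # unparsable line, or the listing was refused
        if is_autoindex_sort(m['target']):
            hits[urlsplit(m['target']).path].add(m['host'])
    return dict(hits)

# Constructed sample input (documentation address ranges, made-up agents).
SAMPLE = [
    '192.0.2.10 - - [06/Aug/2005:21:51:50 -0400] "GET /downloads/ HTTP/1.0" 200 4205 "-" "ExampleBot/1.0"',
    '192.0.2.10 - - [06/Aug/2005:21:51:56 -0400] "GET /downloads/?D=A HTTP/1.0" 200 4205 "-" "ExampleBot/1.0"',
    '198.51.100.7 - - [06/Aug/2005:21:52:03 -0400] "GET /downloads/?M=A HTTP/1.0" 200 4205 "-" "OtherBot/2.0"',
    '198.51.100.7 - - [06/Aug/2005:21:52:09 -0400] "GET /images/?C=S;O=D HTTP/1.1" 200 1833 "-" "OtherBot/2.0"',
    '192.0.2.10 - - [06/Aug/2005:21:52:11 -0400] "GET /private/?N=D HTTP/1.0" 403 291 "-" "ExampleBot/1.0"',
    '192.0.2.10 - - [06/Aug/2005:21:52:15 -0400] "GET /search?q=A HTTP/1.0" 200 512 "-" "ExampleBot/1.0"',
]

if __name__ == '__main__':
    for directory, hosts in sorted(listed_directories(SAMPLE).items()):
        print(directory, sorted(hosts))
```

A directory that shows up here is serving an auto-generated listing, so every file in it, linked from the site or not, can be found by a crawler; in Apache, `Options -Indexes` turns the listing off.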