[Dshield] Server

Glenn Jarvis gaj at uppergroove.ca
Sat Aug 20 00:53:42 GMT 2005


>
>
>12.44.172.92 - - [06/Aug/2005:21:51:56 -0400] "GET /downloads/?D=A HTTP/1.0" 200 4205 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
>> 
>> Accessing that directory is fine, but the /?M=A, I have no idea what
>> that is...
>  
>
>
>In Apache, the web server will set up a basic index page if there is no
>'index.html' (or whatever you use for an index). This index, a simple
>file listing, can be sorted by adding the '?M=A' options and such. If
>you click on any of the column headings, these options will be added.
>
>So nothing malicious per se. Spiders may follow these links.
>
>Did you add the '....' to the client id? If not, this is suspect...
>  
>
No Johannes, I didn't add the '......'   I gather you are referring to 
the Windows NT; ........./1.0
I didn't alter any of the lines I submitted in my message.

>Overall, this looks like a distributed scan from a bot/search engine. I
>don't see any major problem here. They essentially just used a script to
>hit every page on your site. You may need to clamp down on some of your
>authentication if some of these files are supposed to be restricted.
>
Not restricted per se. I ran my own server here for about six months
and then I transferred it to a hosting company about 8 months ago. This
is the first time I've seen this type of activity.
I thought the icon/ directory was for Awstats, but it isn't, as it
doesn't contain the graphic files the individual was aiming for. Plus,
the icon directory doesn't exist on my site. The activity that I
described went on for about 3 hours.
(Note that I left the reference to the gamealbum site to show normal
access to my site.)


I contacted the hosting company this afternoon in reference to it and
they say it's totally normal. I suppose maybe it is, but when you've
never seen it before (and I've been reviewing months of logs), it tends
to raise a red flag.

Glenn


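An added example, not part of the original thread: a Python sketch that parses combined-format access log lines and counts, per client, requests for the generated index sort links described above ('?M=A' and similar) along with 404 responses. The first sample line is the one quoted in the message; the other lines, the 192.0.2.10 client, the /icon/folder.gif path, the agent strings and the threshold are constructed for illustration, and the '?C=M;O=A' pattern is included to cover the Apache 2.x form of the same links.

```python
import re
from collections import defaultdict

# mod_autoindex sort links: Apache 1.3 style ?N=A ?M=D ?S=A ?D=A, 2.x style ?C=M;O=A
SORT_QUERY = re.compile(r"^(?:[NMSD]=[AD]|C=[NMSD][;&]O=[AD])$")

# Combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

def summarize(lines):
    """Per-client counts: requests, distinct paths, index sort hits, 404s."""
    stats = defaultdict(lambda: {"requests": 0, "paths": set(),
                                 "sort_hits": 0, "not_found": 0, "agents": set()})
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that are not combined-format entries
        path, _, query = m["target"].partition("?")
        s = stats[m["ip"]]
        s["requests"] += 1
        s["paths"].add(path)
        s["agents"].add(m["agent"])
        if path.endswith("/") and SORT_QUERY.match(query):  # directory URL + sort option
            s["sort_hits"] += 1
        if m["status"] == "404":
            s["not_found"] += 1
    return stats

def followed_sort_links(stats, min_sort_hits=2):
    """Clients that requested several generated sort links (crawler-like)."""
    return sorted(ip for ip, s in stats.items() if s["sort_hits"] >= min_sort_hits)

SAMPLE = [
    # Line quoted in the message above.
    '12.44.172.92 - - [06/Aug/2005:21:51:56 -0400] "GET /downloads/?D=A HTTP/1.0" '
    '200 4205 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"',
    # Constructed lines for illustration.
    '12.44.172.92 - - [06/Aug/2005:21:51:58 -0400] "GET /downloads/?M=A HTTP/1.0" '
    '200 4205 "-" "constructed-agent"',
    '12.44.172.92 - - [06/Aug/2005:21:52:01 -0400] "GET /icon/folder.gif HTTP/1.0" '
    '404 210 "-" "constructed-agent"',
    '192.0.2.10 - - [06/Aug/2005:21:53:10 -0400] "GET /downloads/ HTTP/1.1" '
    '200 4205 "-" "constructed-browser"',
]

print(followed_sort_links(summarize(SAMPLE)))
```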


