
Apache Web Server Forum

    
Apache Local Host Security
Is my machine a security risk
ukgimp




msg:1514749
 1:52 pm on Nov 15, 2002 (gmt 0)

I have been developing locally using Apache and no one else has access, or so I thought. I had a quick look in the logs and found instances of other IPs requesting files:

202.9.178.30 - - [10/Oct/2002:16:51:53 +0100] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 403 -

Is this malicious? If so, what do you recommend?

Concerned

 

jdMorgan




msg:1514750
 3:28 pm on Nov 15, 2002 (gmt 0)

ukgimp,

I get thousands of these per week on my sites. This is a Code Red or Nimda-infected machine trying to access your web server and propagate itself. The 403 response indicates that you have successfully blocked the attempt. Since your server is Apache, it's not susceptible to these worms anyway.

Blocking any request for the file "cmd.exe" catches 95% of these accesses. The rest can also be blocked using mod_rewrite in .htaccess on Apache with something like this:

# Block MS IIS server security exploits
# (the rules below have no effect until the rewrite engine is switched on)
RewriteEngine On
RewriteRule \.ida$ - [F]
RewriteRule /cmd\.exe$ - [F]
RewriteRule /root\.exe$ - [F]
RewriteRule /shell\.exe$ - [F]
RewriteRule \_vti\_ - [F]
RewriteRule ^NULL - [NC,F]

There are a few Apache security problems. A site search here may turn up a thread that (I think) I saw recently here on WebmasterWorld.

These cmd.exe accesses are more of a bother (bandwidth leak) than a worry on Apache.

Jim
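
An added example, not part of any post in this thread: a small Python log check that finds requests matching the signatures in the rules above and separates those the server refused (4xx, like the 403 in the question) from those it answered. The function names, the case-insensitive matching and the 192.0.2.x sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Common Log Format. The protocol token is optional: the line quoted in the
# thread has none.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) '
    r'(?P<target>[^"\s]+)(?: [^"]*)?" (?P<status>\d{3}) \S+')

# Signatures taken from the RewriteRule patterns in the post above, matched
# case-insensitively against the decoded path (broader than the original).
PROBE_RE = re.compile(r'\.ida$|/(cmd|root|shell)\.exe$|_vti_|^/null', re.I)

SAMPLE = [
    # Line quoted in the thread.
    '202.9.178.30 - - [10/Oct/2002:16:51:53 +0100] '
    '"GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 403 -',
    # Constructed lines (documentation address range).
    '192.0.2.10 - - [10/Oct/2002:16:52:10 +0100] '
    '"GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.11 - - [10/Oct/2002:16:53:02 +0100] '
    '"GET /default.ida?XXXX HTTP/1.0" 200 512',
]

def decode_path(target, rounds=3):
    """Drop the query string, then percent-decode a few times so that
    double-encoded input (%255c -> %5c -> backslash) is normalised."""
    path = target.split('?', 1)[0]
    for _ in range(rounds):  # extra rounds change nothing once no %xx is left
        path = unquote(path)
    return path

def classify(line):
    """Return None for unparsable or non-probe lines, else a dict."""
    m = LOG_RE.match(line)
    path = decode_path(m['target']) if m else ''
    if not PROBE_RE.search(path):
        return None
    status = int(m['status'])
    return {'ip': m['ip'], 'path': path, 'status': status,
            'refused': 400 <= status < 500}

def review(lines):
    """Split probe hits into (refused, served); served ones need a look."""
    hits = [h for h in map(classify, lines) if h]
    return ([h for h in hits if h['refused']],
            [h for h in hits if not h['refused']])
```

Calling `review()` on the lines of an access log gives the two lists; anything in the second list is a probe that did not get a 4xx and is worth checking by hand.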

dingman




msg:1514751
 4:51 pm on Nov 15, 2002 (gmt 0)

If you are using Linux, you can also protect yourself somewhat against as yet unknown vulnerabilities in your network daemons with iptables (or ipchains on an older kernel). For example, nobody outside the house needs to reach the Apache server on my development box, so I closed port 80 to packets originating outside the house. In fact, I set a general policy of all ports being closed and then just opened the ones I use. It's not an excuse to ignore vulnerability alerts, but it does make you just that much safer.

I'm sure the same is possible for Windows machines, but I understand that to be an extra-cost option.

DaveAtIFG




msg:1514752
 1:16 am on Nov 16, 2002 (gmt 0)

More info is at:
[webmasterworld.com...]
[webmasterworld.com...]
and several other threads.
