Forum Moderators: DixonJones


Hits on my home machine

Nobody should even know it exists

         

MatthewHSE

3:55 pm on May 24, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I've got a static IP for my home DSL connection. I also occasionally run Apache (actually XAMPP) if I want to give temporary web access to some of my files. Apache is not running most of the time, and I certainly would not expect to see anyone (or anything) trying to access my web server since it's not something that I make known.

However, I just checked my Apache logs for the first time, and was disturbed to find some entries like this:

64.40.60.83 - - [17/Mar/2005:15:36:54 -0600] "SEARCH /\x90\x90" 414 364
64.40.60.83 - - [17/Mar/2005:15:37:19 -0600] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 401 517
64.40.60.70 - - [17/Mar/2005:19:10:50 -0600] "SEARCH /\x90\x90" 414 364
64.40.60.70 - - [17/Mar/2005:19:11:20 -0600] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 401 517
...where the "x90" portions go on for a very, very long line.

This looks like a targeted attack of some kind, looking for files that I fortunately don't have. As far as I know, the only way anyone would even know to try to access my home IP is by finding it in their own logs after I'd visited their site. However, I only visit "reputable" sites (weather.gov, mozilla.org, etc.) and I can't imagine that any of them are doing this.

Additionally, I've protected my web directory with .htaccess so it should be impossible for anyone to even gain the access they got without a valid username and password.

I guess my questions about this are numerous. I don't really understand what's been going on here. How might they have found my IP, how could they get past my password protection, and why would they be looking for these things? Is there anything I need to do to secure my server, and can they access my computer via my IP if I don't have Apache running?

I'll appreciate any information on this at all. I'm very puzzled by all this.

Thanks,

Matthew

Tapolyai

4:04 pm on May 24, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



google search for "_vti_bin/_vti_aut/fp30reg.dll"

This is the FrontPage Server Extension Sub-Component Buffer Overflow Vulnerability.

How might they have found my IP

IP scan. Have you searched Google?

how could they get past my password protection

They didn't. Have you searched Google?

why would they be looking for these things?

To exploit a hole in the FrontPage Server. Have you searched Google?

Is there anything I need to do to secure my server

Yes. You can make sure you run the latest version of all your software, on all devices. Turn off all unnecessary services, and implement a strong firewall. Have you searched Google?

can they access my computer via my IP if I don't have Apache running?

Possibly, but not necessarily. Depends what you have running, and if "they" have installed any backdoors on your machine. Have you searched Google?

And for a final tip. Have you searched Google?

MatthewHSE

6:09 pm on May 24, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Yes, I searched Google! ;) Problem is I didn't quite know what terms to look for (like "IP scan") and thus couldn't seem to find any relevant results. I think your post will help me find most of my answers, but I'm still confused about the password protection. I did manage to find out that the 401 means they were unauthorized and didn't get access, and that the 414 means the request was too long and they didn't get access. So I feel better about that. But I still can't find any information on the 364 or 517. What might I "search Google" for to find out? ;) (I already tried searching on how to interpret Apache logs, but there's a lot to wade through and I haven't found the answers yet...)

Thanks,

Matthew

Span

6:20 pm on May 24, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



364 and 517 are the filesizes in bytes of your errorpages.. ;)
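The log lines quoted in the first post, and the question just above about what the 364 and 517 fields are, as an added example that is not part of the thread: a small Python parser for Apache's common log format that splits each line into its fields (the last two are the HTTP status code and the size in bytes of the response body, here the error page), tags the two probe patterns seen in the thread, and summarizes hits per source address. The sample lines are constructed after the thread's entries (the \x90 run is shortened, and a benign client on a documentation-range address is added for contrast); the tag names are hypothetical. The fp30reg.dll request is the FrontPage extensions overflow probe named earlier in the thread, and a long SEARCH request padded with \x90 bytes (a NOP sled, which Apache logs as the literal text \x90) is the classic IIS WebDAV overflow probe; both target IIS, which is why an Apache server answers them with 414 and 401.

```python
import re
from collections import defaultdict

# Constructed sample in Apache "common" log format, modelled on the lines
# quoted in the thread; the \x90 run is shortened and two benign requests
# from a second (documentation-range) address are added for contrast.
SAMPLE_LOG = r'''
64.40.60.83 - - [17/Mar/2005:15:36:54 -0600] "SEARCH /\x90\x90\x90\x90" 414 364
64.40.60.83 - - [17/Mar/2005:15:37:19 -0600] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 401 517
64.40.60.70 - - [17/Mar/2005:19:10:50 -0600] "SEARCH /\x90\x90\x90\x90" 414 364
64.40.60.70 - - [17/Mar/2005:19:11:20 -0600] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 401 517
192.0.2.10 - - [17/Mar/2005:20:02:03 -0600] "GET /index.html HTTP/1.1" 200 2048
192.0.2.10 - - [17/Mar/2005:20:02:04 -0600] "GET /style.css HTTP/1.1" 200 512
'''

# Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Apache writes non-printable request bytes as \xNN escapes, so a NOP sled
# shows up in the log as the literal text "\x90\x90...".
NOP_SLED_RE = re.compile(r'(?:\\x90){2,}')

# Request patterns this thread's logs show being probed for.
# Tag names are hypothetical, chosen for this example.
PROBE_SIGNATURES = (
    ("frontpage-fp30reg", re.compile(r'/_vti_bin/_vti_aut/fp30reg\.dll', re.I)),
    ("webdav-search-nop-sled", NOP_SLED_RE),
)


def parse_line(line):
    """Split one log line into fields; returns None if it is not CLF."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    # A request the server cut off (the 414 here carries no HTTP/x.y token)
    # has no protocol part, so that field is optional.
    parts = entry["request"].split(" ", 2)
    entry["method"] = parts[0] if parts else ""
    entry["path"] = parts[1] if len(parts) > 1 else ""
    entry["protocol"] = parts[2] if len(parts) > 2 else ""
    entry["status"] = int(entry["status"])
    # "bytes" is the response body size (the error page for 4xx), "-" if none.
    entry["bytes"] = 0 if entry["bytes"] == "-" else int(entry["bytes"])
    return entry


def classify(entry):
    """Return the probe tags matching a parsed entry (empty list = unremarkable)."""
    tags = [name for name, rx in PROBE_SIGNATURES if rx.search(entry["request"])]
    # Non-standard methods such as SEARCH (WebDAV) are worth noting on their own.
    if entry["method"] not in ("GET", "HEAD", "POST", "PUT", "OPTIONS"):
        tags.append("unusual-method:" + entry["method"])
    return tags


def summarize(log_text):
    """Per-source summary: request count, how many got a 2xx/3xx, probe tags."""
    report = defaultdict(lambda: {"requests": 0, "succeeded": 0, "tags": set()})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        rec = report[entry["host"]]
        rec["requests"] += 1
        if entry["status"] < 400:
            rec["succeeded"] += 1
        rec["tags"].update(classify(entry))
    return dict(report)


if __name__ == "__main__":
    for host, rec in summarize(SAMPLE_LOG).items():
        verdict = "PROBE" if rec["tags"] else "ok"
        print(f"{host:15} {rec['requests']} req, {rec['succeeded']} succeeded, "
              f"{verdict} {sorted(rec['tags'])}")
```

Run against a real access log, every probe source in this sample shows up with zero succeeded requests, which is the check that matters: a 401 or 414 means the server refused before any protected content was served. The signature list is deliberately short; add patterns from your own logs rather than trusting it to be complete.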

anar

11:32 pm on May 26, 2005 (gmt 0)

10+ Year Member



Per what it suggests, I am trying
# refuse every request method except GET, PUT and POST
<LimitExcept GET PUT POST>
    deny from all
</LimitExcept>

in the httpd.conf (inside Directory tag)

Will let you know if it helps

[edited by: Brett_Tabke at 11:24 am (utc) on May 27, 2005]
[edit reason] please - double check the posting guidelines on blogs [/edit]

gregbo

9:34 pm on May 27, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



MatthewHSE,

For a complete description of the codes that are put out by Apache, you can read the HTTP RFC (2616). I believe this information is also in the Apache documentation. It may seem voluminous, but it's necessary to go through it all if you really want to understand how your web server works.

justin holton

3:21 am on May 29, 2005 (gmt 0)

10+ Year Member



Yeah, I wouldn't worry too much about it. As they said, they're not looking for machines running Apache. If it makes you feel any better though, I have a lot of those requests in my log files too. They are just scanning many different random IP addresses looking for a vulnerable server. Correct me if I'm wrong, but wasn't the MS patch for that released several years ago? Probably just a bunch of wannabes running some program they downloaded off of a filesharing network onto their parents' computer.

moltar

4:03 am on May 29, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



If you are on broadband with some popular ISP you get scans several times a minute. My local logs consist primarily of those scans. There is nothing to worry about.

Matt Probert

2:20 pm on May 29, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Someone has been "port scanning" you. Around the world millions of criminals do this everyday. The simple answer is install a firewall.

Matt