404 errors /_vti_bin/ and /MSOffice/

Forum Moderators: DixonJones

Message Too Old, No Replies

404 errors /_vti_bin/ and /MSOffice/

any way to prevent these on apache server?

Reid

4:30 pm on Jun 27, 2005 (gmt 0)

I get lots of 404's for
/_vti_bin/owssrv.dll
/MSOffice/cltreq.asp

These are FP files but I have apache
Browsers are requesting these all the time.
Any way to deal with it or just let the 404 errors pile up?

moltar

4:42 pm on Jun 27, 2005 (gmt 0)

Those are not browsers, they are vulnerability scanner bots/viruses. They don't know you are running Apache before requesting at least one page off your server. They are hunting unpatched IIS servers.

larryhatch

4:43 pm on Jun 27, 2005 (gmt 0)

Hi Reid: I see those all the time.
Pretty harmless I take it, somebody not using MS Office correctly to view websites.
The software thinks your site is an MS package and tries to download
the associated files. I ignore it. 404 errors use little bandwidth.

On my site, the error logs a much more jammed with a different 404.
Some busy Dutch blog hotlinked several .gif images.
I changed .gif filenames to substitute smaller more interesting pix.
There's one I can't 'fix' though. Hotlinker left out some characters,
so the image URL runs off forever to the right.
This one item easily triples the size of my error_log files. -Larry

moltar

4:45 pm on Jun 27, 2005 (gmt 0)

larryhatch: substitute it with an image with just your URL on it. That way your URL will appear on the image of the offernder's blog. You can say something like "view this image on www.example.com". It will generate little extra bandwidth if it's just a 2 color (b&w) gif image, but will bring more traffic.

Reid

10:42 am on Jun 28, 2005 (gmt 0)

They are hunting unpatched IIS servers.

so they are harmless to apache?
I disallowed both those folders in robots.txt hoping to catch some bad bots but the user-agents requesting them are posing as IE 6.0 browsers - not sure if IE would query an apache server for those files or not.

this other one is requesting random /mailto:& on different directories (generating 404's)
guess I have to make a fresh IP list.
just wondering if I should disregard these FP/MSOffice style requests or not.

larryhatch

11:16 am on Jun 28, 2005 (gmt 0)

Hi Moltar: That's exactly what I did with the images they didn't screw up.
The one I can't swap has a crazy-assed URL as long as your arm. Longer. -Larry

Reid

6:52 am on Jul 7, 2005 (gmt 0)

I guess my original question should have been

do any browsers request these files to check for FP sites? specifically IE?
all the requests I get for these files are from browsers not bots - are they bad browsers or is this normal browser behavior on an apache site?

Dijkgraaf

7:33 am on Jul 7, 2005 (gmt 0)

/MSOffice/cltreq.asp and /_vti_bin/owssrv.dll
are both a checks by IE discussion bar checking for MS Office server extensions. It is something gets installed by particular version of Microsoft Office with Sharepoint I believe. Nothing to worry about.

Reid

5:49 am on Jul 8, 2005 (gmt 0)

thats what I thought - just checking thanx