
Forum Moderators: Ocean10000 & incrediBILL & phranque


Apache Local Host Security

Is my machine a security risk

     

ukgimp

1:52 pm on Nov 15, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I have been developing locally using Apache, and no one else has access, or so I thought. I had a quick look in the logs and found instances of other IPs requesting files:

202.9.178.30 - - [10/Oct/2002:16:51:53 +0100] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 403 -

Is this malicious? If so, what do you recommend?

Concerned

jdMorgan

3:28 pm on Nov 15, 2002 (gmt 0)

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member



ukgimp,

I get thousands of these per week on my sites. This is a Code Red or Nimda-infected machine trying to access your web server and propagate itself. The 403 response indicates that you have successfully blocked the attempt. Since your server is Apache, it's not susceptible to these worms anyway.

Blocking any request for the file "cmd.exe" catches 95% of these accesses. The rest can also be blocked using mod_rewrite in .htaccess on Apache with something like this:


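# Block MS IIS server security exploits
# The rewrite engine must be on for the rules below to take effect
RewriteEngine On
# [F] answers 403 Forbidden; [NC] makes the match case-insensitive
RewriteRule \.ida$ - [F]
RewriteRule /cmd\.exe$ - [F]
RewriteRule /root\.exe$ - [F]
RewriteRule /shell\.exe$ - [F]
RewriteRule \_vti\_ - [F]
RewriteRule ^NULL - [NC,F]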

There are a few Apache security problems. A site search here may turn up a thread that (I think) I saw recently here on WebmasterWorld.

These cmd.exe accesses are more of a bother (bandwidth leak) than a worry on Apache.

Jim
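Added example, not part of the thread or any poster's code: a Python scan of access-log lines for the probes discussed above. It decodes nested percent-encoding such as `%255c` before applying the same patterns as the RewriteRules, and lists any probe the server did not refuse. The function names and every sample line except the first (which is the one quoted in the thread) are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Common Log Format; protocol token is optional (the line quoted in the thread has none).
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)(?: \S+)?" (\d{3}) \S+')
# The thread's RewriteRule patterns, adapted to a decoded path that keeps its leading "/".
PROBES = [(name, re.compile(rx, re.I)) for name, rx in [
    ("ida", r"\.ida$"), ("cmd.exe", r"/cmd\.exe$"), ("root.exe", r"/root\.exe$"),
    ("shell.exe", r"/shell\.exe$"), ("_vti_", r"_vti_"), ("NULL", r"^/NULL")]]

def fully_decode(path, max_rounds=5):
    """Percent-decode until stable; more than one round means nested encoding."""
    for rounds in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return path, rounds
        path = decoded
    return path, max_rounds

def classify(line):
    """Return ip, status, decoded path and probe indicators, or None if unparsable."""
    m = CLF.match(line)
    if not m:
        return None
    ip, target, status = m.groups()
    path, rounds = fully_decode(target.split("?", 1)[0])  # rules see the path only
    path = path.replace("\\", "/")  # "\" is a path separator on Windows/IIS
    signs = [name for name, rx in PROBES if rx.search(path)]
    signs += [tag for tag, hit in (("multi-encoded", rounds > 1), ("traversal", "../" in path)) if hit]
    return {"ip": ip, "status": int(status), "path": path, "signs": signs}

def summarize(lines):
    """Count probe requests per source IP and collect any answered with 2xx."""
    probes, served = Counter(), []
    for rec in filter(None, map(classify, lines)):
        if rec["signs"]:
            probes[rec["ip"]] += 1
            if 200 <= rec["status"] < 300:
                served.append(rec)
    return probes, served

# First line is the one quoted in the thread; the rest are constructed samples.
SAMPLE = [
    '202.9.178.30 - - [10/Oct/2002:16:51:53 +0100] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 403 -',
    '192.0.2.7 - - [10/Oct/2002:17:02:10 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -',
    '192.0.2.7 - - [10/Oct/2002:17:02:11 +0100] "GET /default.ida?NNNNNNNN HTTP/1.0" 403 -',
    '198.51.100.4 - - [10/Oct/2002:17:05:00 +0100] "GET /index.html HTTP/1.0" 200 1043',
]
```

`summarize(SAMPLE)` returns the per-IP probe counts and an empty "served" list, which matches the thread's reading that a 403 means the attempt was refused; a non-empty list is what would need a closer look.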

dingman

4:51 pm on Nov 15, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



If you are using Linux, you can also protect yourself somewhat against as yet unknown vulnerabilities in your network daemons with iptables (or ipchains on an older kernel). For example, nobody outside the house needs to reach the Apache server on my development box, so I closed port 80 to packets originating outside the house. In fact, I set a general policy of all ports being closed and then just opened the ones I use. It's not an excuse to ignore vulnerability alerts, but it does make you just that much safer.

I'm sure the same is possible for Windows machines, but I understand that to be an extra-cost option.

DaveAtIFG

1:16 am on Nov 16, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



More info is at:
[webmasterworld.com...]
[webmasterworld.com...]
and several other threads.
 
