Forum Moderators: phranque
**.**.**.** - mrhacker [28/Oct/2005:11:45:52 -0600] "GET / HTTP/1.0" 200 17565 "http://***.**/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
The reason I'm asking is that it's possible that this person has simply 'hacked' his own browser, so that it sends the REMOTE_USER header when it hasn't even been asked to do so. This could make it appear that he's logged-in, when he's actually just sending a spurious HTTP request header. Or maybe the user is innocent, and someone (or a trojan) hacked his/her browser to send this header.
Look in your logs for a 401-Unauthorized challenge-response 'session', where he requests a page that you *know* requires a login, gets a 401-Unauthorized server response, and then you see a line with the username, the same page requested, and a 200-OK or 304-Not Modified server response. That would be more worrisome than the single request for "/" that you show.
Something like this:
192.168.0.1 - - [28/Oct/2005:20:43:19 -0400] "GET /your_secured_page HTTP/1.1" [b]401[/b] - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7"
192.168.0.1 - mrHacker [28/Oct/2005:20:43:25 -0400] "GET /your_secured_page HTTP/1.1" [b]200[/b] 1911 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7"
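A defender-side check for the challenge-response pattern described above, as an added example that is not from the original thread: a small Python script that parses Apache combined-format log lines and labels each request carrying a username as "challenged" (a 401 for the same client and path precedes it in the log) or "unsolicited" (the username shows up with no preceding 401 for that client and path). The sample log lines, the 192.0.2.x addresses and the referer host are constructed stand-ins for the masked values in the posts above.

```python
import re

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: line 1 mimics the original poster's entry, lines 2-3 the
# normal 401-then-200 sequence from the reply above. Addresses and referer host
# are placeholders, not values from the thread.
SAMPLE_LOG = [
    '192.0.2.10 - mrhacker [28/Oct/2005:11:45:52 -0600] "GET / HTTP/1.0" 200 17565 '
    '"http://example.invalid/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.0.2.20 - - [28/Oct/2005:20:43:19 -0400] "GET /your_secured_page HTTP/1.1" 401 - '
    '"-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7"',
    '192.0.2.20 - mrHacker [28/Oct/2005:20:43:25 -0400] "GET /your_secured_page HTTP/1.1" 200 1911 '
    '"-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify_auth_requests(lines):
    """Return (kind, ip, user, path) for every request that carries a username.

    kind is "challenged" when the same client was answered 401 for the same path
    earlier in the log (the normal challenge-response session), or "unsolicited"
    when a username appears with no preceding 401 for that client and path.
    """
    challenged = set()   # (ip, path) pairs that have received a 401
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue            # skip lines that are not in combined format
        key = (rec["ip"], rec["path"])
        if rec["status"] == 401:
            challenged.add(key)
            continue
        if rec["user"] != "-":
            kind = "challenged" if key in challenged else "unsolicited"
            findings.append((kind, rec["ip"], rec["user"], rec["path"]))
    return findings


if __name__ == "__main__":
    for kind, ip, user, path in classify_auth_requests(SAMPLE_LOG):
        print(f"{kind:11} {ip:12} {user:10} {path}")
```

The "unsolicited" label is a lead, not proof: browsers re-send credentials pre-emptively for paths under a realm they have already authenticated to, so a 200 with a username and no 401 in the same log file can be legitimate if the challenge happened earlier or in a rotated log. Run it over a longer window before drawing conclusions, and compare the username against the accounts you actually issued.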
<snip>
Just curious how would one protect their temp folder from this kind of attack. Thank you
[edited by: jdMorgan at 4:42 am (utc) on Oct. 29, 2005]
[edit reason] No URLs, please. See TOS. [/edit]
I'm being too critical; the manual server-request technique is occasionally useful in diagnosing server config problems. But there is no 'hacking' secret there.
If you'd like an authoritative discussion of HTTP, see RFC2616 - HTTP/1.1 Protocol [w3.org]. (Links to primarily non-commercial, third-party, authoritative sites or very-widely-known sites such as google.com or the BBC *are* allowed here).
Jim