outside sources continually trying to access

Is this a trojan?

Lobo

11:39 am on Feb 17, 2006 (gmt 0)

10+ Year Member



My firewall continues to block access to apache.exe and mysqld-nt.exe ...

Are these just usual opportunistic scanners, or would there be some sort of trojan on my system alerting these hacks?

jdMorgan

3:32 pm on Feb 17, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



If your server is serving a publicly accessible Web Site, then that's to be expected. Depending on your firewall's capabilities, you might want to check its outgoing connection log, to see what kinds of outgoing connections are being established. It's hard to tell without knowing what kind of hosting setup you have, what OS you're running, what type and 'grade' of firewall, etc.

Jim

Lobo

3:43 pm on Feb 17, 2006 (gmt 0)

10+ Year Member



Sorry Jim I should have been more clear...

It is my personal computer, they are scanning my ports and trying to access those two areas ...

jdMorgan

6:58 pm on Feb 17, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



What kind of firewall is it? Can you close all incoming ports except port 80?

Jim

Lobo

7:31 pm on Feb 17, 2006 (gmt 0)

10+ Year Member



I use sygate ... personal ...

I'm not letting them in, but wondered if there may be something on my system to cause this or if it was just a speculation scan looking to access apache.exe

jdMorgan

7:59 pm on Feb 17, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



If you're worried about agents running on your machine "phoning home," then run AdAware, SpyBot Search & Destroy, and any other malware detectors you can get your hands on -- those two are free. Also, examine your computer's running processes with HijackThis if you're into more-advanced investigation -- Search by filename on the Web for any suspicious executables that you can't identify.

Now a general recommendation: The problem with "personal firewalls" -- software-based solutions -- is that they cannot detect intrusions until a connection has already been established to your machine. I recommend that anyone who runs a server have a real hardware firewall. Combination router/firewalls can be had from NetGear, LinkSys, and several other companies for less than $100. These feature "SPI" or Stateful Packet Inspection, and allow you to set all unneeded ports as 'stealth' -- they appear to be disconnected from the internet. They also monitor incoming and outgoing packets, and reject those that don't result from a legitimate 'connection session'. I use several NetGear FVS318v3 Firewall Routers -- 8 LAN ports, SPI firewall, configurable filters, and can be had for $90 plus shipping (maybe less now).

Using a hardware firewall reduces your 'footprint' on the 'net -- Only those ports needed to support necessary connections will respond. This makes it harder to find your computer using a port scan. It also takes a load off your software firewall, and leaves its log file cleaner so that real problems stand out.

Basically, the hardware firewall does a better job at stopping incoming connections, while the software firewall shines in being able to identify the programs on your machine that are requesting outgoing connections. So using both is a good approach. Check their log files occasionally to monitor your security.

To answer your basic question, the bad guys assume you have a server running because port 80 responds. And when they do an HTTP request to that port, they get back the server information sent with every HTTP response. To see what's included in this response, you can use the WebmasterWorld Server Headers Checker [webmasterworld.com]. It's also useful for checking your redirects, error responses, and other server responses. If you have a hardware firewall, you can block their IP address or address range before any connection to your machine can even be established.

Jim
[edit] Typos [/edit]

[edited by: jdMorgan at 8:16 pm (utc) on Feb. 17, 2006]
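An added example (not from this thread or any of its posters) of the log triage Jim describes: it reads a constructed, simplified firewall log and separates blocked inbound probes, which are expected noise on any reachable machine, from outbound attempts by programs you did not expect, which is the "phoning home" signal worth looking up by filename. The record format, the sample lines and the EXPECTED_OUTBOUND list are assumptions, not Sygate's real export format.

```python
"""Triage a personal-firewall log: separate inbound scan noise from
outbound connection attempts by local programs (the 'phoning home' signal).
Constructed, simplified record format, NOT Sygate's; adapt to your export:
  timestamp,direction,action,proto,remote_ip,remote_port,local_port,program"""
from collections import defaultdict

# Constructed sample records for demonstration.
SAMPLE_LOG = """\
2006-02-17 11:30:01,in,blocked,tcp,203.0.113.5,4421,80,apache.exe
2006-02-17 11:30:02,in,blocked,tcp,203.0.113.5,4422,3306,mysqld-nt.exe
2006-02-17 11:30:03,in,blocked,tcp,203.0.113.5,4423,135,
2006-02-17 11:31:10,in,blocked,tcp,198.51.100.9,51000,80,apache.exe
2006-02-17 11:32:00,out,allowed,tcp,192.0.2.20,80,1045,firefox.exe
2006-02-17 11:32:30,out,blocked,tcp,192.0.2.77,6667,1046,svchost32.exe
2006-02-17 11:33:00,out,allowed,udp,192.0.2.1,53,1047,svchost.exe
"""
# Programs expected to open outbound connections (assumption; edit for your PC).
EXPECTED_OUTBOUND = {"firefox.exe", "svchost.exe"}
FIELDS = ["ts", "direction", "action", "proto", "remote_ip",
          "remote_port", "local_port", "program"]

def parse_log(text):
    """Parse records into dicts; malformed lines are skipped, not guessed at."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["remote_port"] = int(rec["remote_port"])
        rec["local_port"] = int(rec["local_port"])
        records.append(rec)
    return records

def inbound_scanners(records):
    """remote IP -> sorted local ports it probed. Blocked inbound probes on a
    reachable machine are expected scanner noise, not evidence of infection."""
    probes = defaultdict(set)
    for r in records:
        if r["direction"] == "in" and r["action"] == "blocked":
            probes[r["remote_ip"]].add(r["local_port"])
    return {ip: sorted(ports) for ip, ports in probes.items()}

def unexpected_outbound(records):
    """Programs that tried to connect OUT and are not on the expected list:
    these are the filenames to investigate, as the post suggests."""
    return sorted({r["program"] for r in records
                   if r["direction"] == "out"
                   and r["program"] not in EXPECTED_OUTBOUND})
```

Run it against an export of your own firewall's log after adapting FIELDS and the parser to that format; a single remote IP hitting many different local ports is a scan, while any program in the outbound list that you cannot identify is the thing to research.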

Lobo

8:06 pm on Feb 17, 2006 (gmt 0)

10+ Year Member



Beautiful response .. much respect and thanks :)