I periodically scan my server logs looking for things I've broken and unusual things going on. In between the interesting segments of Saturday night's Mars Rover press conference, I lumped the incidents and accidents into a small number of buckets.

- File does not exist: /blah/blah/www.northwestnotes.net -- this occurred four times with different URLs, and its cause was my creating a link like this:
    <a href="www.northwestnotes.net">Gardening Guru</a>
  instead of this:
    <a href="http://www.northwestnotes.net">Gardening Guru</a>
  Embarrassing, but harmless.
- /cgi-bin/FormMail.pl (or variants like formmail.cgi) -- this is someone trying to probe for the FormMail Perl script used to send feedback. Older versions had an exploit that would enable someone to send email to an arbitrary address (think spamming). I don't use FormMail, but have put a CGI script there that prints out a nasty message and does additional logging.
- /blah/MySubscriptions.opml (also hciChannels.opml and /gems/mySubscriptions.opml) -- OPML is "outline processor markup language," yet another variation of XML. It appears to be a way to syndicate blogs and is harmless.
- File does not exist: /sumthin -- this comes from a machine that's 0wn3d, and is probing for a page that probably doesn't exist in order to learn more about my web server's installed software and OS version. It tries to exploit a bug in OpenSSL.
- /_vti_bin/owssvr.dll -- a hacking attempt exploiting unprotected sites built with FrontPage. When it appears with the previous message or /MSOffice/cltreq.asp, it's the Nimda virus at work.
- /_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=2614&STRMVER=4&CAPREQ=0 -- this is from a computer using Microsoft Office with the discussion bar in IE enabled (something you have to do deliberately). You can ignore this.
- File does not exist: /scripts -- this is the Nimda worm or Concept virus. If you're running Linux, don't worry about it. If you're running Windows servers, ensure your system is running the latest security fixes (which you should be doing anyway).
- /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir -- robot/virus trying to probe for a Windows command prompt.
- /cgi-bin/mt-tb.cgi and /cgi-bin/mt-comments.cgi -- these are robots trying to spam my blog by inserting trackbacks or comments. This is a way companies try to jack up their Google PageRank.
- /default.ida -- this is the nefarious Code Red ][ worm. Even though the vulnerability is over two years old, there are still infected IIS servers probing you.

An amusing workaround for several of these probes is to have the web server redirect back to the offending host:

    Redirect /scripts http://127.0.0.1
    Redirect /scripts/ http://127.0.0.1

(by convention, 127.0.0.1 resolves to yourself. >:)

What other stuff do you routinely see in your logs?
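
The bucketing described in this post can be done mechanically. The following Python script is an added example, not code from the original post: it sorts access-log request lines into the buckets listed above, decoding double-encoded paths such as ..%255c first. The log lines, client addresses and bucket labels are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# (bucket, regex over the decoded lower-cased path, verdict); first match wins.
RULES = [
    ("cmd.exe traversal", r"\.\.[\\/].*cmd\.exe$", "probe"),
    ("FormMail probe", r"^/cgi-bin/formmail\.(pl|cgi)$", "probe"),
    ("OPML subscription list", r"\.opml$", "harmless"),
    ("/sumthin fingerprinting", r"^/sumthin$", "probe"),
    ("FrontPage/Nimda", r"^/(_vti_bin/owssvr\.dll|msoffice/cltreq\.asp)$", "probe"),
    ("IIS /scripts (Nimda)", r"^/scripts(/|$)", "probe"),
    ("Movable Type spam", r"^/cgi-bin/mt-(tb|comments)\.cgi$", "spam"),
    ("Code Red default.ida", r"^/default\.ida$", "probe"),
]
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+)')

def decode(path, rounds=3):
    # Decode more than once so a double-encoded %255c ends up as a literal backslash.
    for _ in range(rounds):
        path = unquote(path)
    return path.lower()

def classify(line):
    m = REQUEST.search(line)
    if not m:
        return ("unparsed", "unknown")
    path, _, query = m.group(1).partition("?")
    path = decode(path)
    # Office discussion bar: same DLL as the FrontPage probe, told apart by its query.
    if path == "/_vti_bin/owssvr.dll" and "UL=1" in query and "ACT=4" in query:
        return ("Office discussion bar", "harmless")
    for bucket, pattern, verdict in RULES:
        if re.search(pattern, path):
            return (bucket, verdict)
    return ("unclassified", "review")

# Constructed sample lines using documentation-range addresses; not real log data.
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2004:00:00:01 +0000] "GET /cgi-bin/FormMail.pl HTTP/1.0" 404 285',
    '192.0.2.11 - - [01/Jan/2004:00:00:02 +0000] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300',
    '198.51.100.7 - - [01/Jan/2004:00:00:03 +0000] "GET /_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=2614&STRMVER=4&CAPREQ=0 HTTP/1.1" 404 290',
    '198.51.100.8 - - [01/Jan/2004:00:00:04 +0000] "GET /_vti_bin/owssvr.dll HTTP/1.1" 404 290',
    '203.0.113.5 - - [01/Jan/2004:00:00:05 +0000] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 280',
]

def summarize(lines):
    return Counter(classify(line)[0] for line in lines)
```

Lines that land in "unclassified" are the ones worth reading by hand.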
