On 4/1/07, Pawel S. Veselov <[EMAIL PROTECTED]> wrote:
> On 4/1/07, Sean Malloy <[EMAIL PROTECTED]> wrote:
>> I just installed OpenBSD on my server in early March 2007. I am
>> running an Apache web server out of my house. I am tracking 4.0 STABLE
>> which I updated the day after the latest security advisory. I recently
>> noticed some peculiar entries in my Apache error and access logs.
>> From /var/www/logs/error_log:
>>
>> [Sat Mar 31 07:35:07 2007] [error] [client 211.100.33.61] File does
>> not exist: /htdocs/Provy_OK.html
> I used to have my logs scanned for these entries, and report them to
> the authorities responsible for source IP addresses. Most of them would
> go to SBC or Comcast, but some would go to small networks who do like
> knowing that their systems are infected or are used for hacking.
How? How could you automate ID'ing these? If you used some sort of
heuristic method you risk blacklisting innocent users.
Anyway, "/htdocs/thisdoesnotexistahaha.php" and
"/w00tw00t.at.ISC.SANS.DFind:)" show that it's just some kid learning
the ropes. I wouldn't want to report him.
-Nick
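As an added illustration of the log scanning Pawel describes and the false-positive concern Nick raises (this is example code, not anything posted in the thread): it parses Apache "File does not exist" error_log lines, matches the probe paths quoted above, and only flags a client IP that hit at least two distinct signature paths. The sample log lines are constructed; 192.0.2.10 is a documentation-range address.

```python
import re
from collections import defaultdict

# Constructed sample error_log lines in the format shown in the thread.
SAMPLE_ERROR_LOG = """\
[Sat Mar 31 07:35:07 2007] [error] [client 211.100.33.61] File does not exist: /htdocs/Provy_OK.html
[Sat Mar 31 07:35:08 2007] [error] [client 211.100.33.61] File does not exist: /htdocs/thisdoesnotexistahaha.php
[Sat Mar 31 07:35:09 2007] [error] [client 211.100.33.61] File does not exist: /htdocs/w00tw00t.at.ISC.SANS.DFind:)
[Sat Mar 31 09:12:44 2007] [error] [client 192.0.2.10] File does not exist: /htdocs/favicon.ico
[Sat Mar 31 09:12:45 2007] [error] [client 192.0.2.10] File does not exist: /htdocs/robots.txt
"""

# Apache 1.x/2.x error_log shape: "[client <ip>] File does not exist: <path>"
LINE_RE = re.compile(r"\[client (?P<ip>[^\]]+)\] File does not exist: (?P<path>\S+)")

# Probe signatures taken from the paths quoted in the thread; plain substring
# matching keeps the rule transparent and easy to audit.
PROBE_SIGNATURES = ("Provy_OK.html", "thisdoesnotexistahaha.php", "w00tw00t.at.ISC.SANS.DFind")


def parse_missing_file_errors(text):
    """Yield (ip, path) for every 'File does not exist' line in the log text."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), m.group("path")


def is_probe(path):
    """True if the requested path matches one of the known scanner signatures."""
    return any(sig in path for sig in PROBE_SIGNATURES)


def scanner_candidates(text, min_distinct_probes=2):
    """Return {ip: sorted probe paths} for IPs that requested at least
    min_distinct_probes distinct signature paths.  Ordinary 404s such as
    favicon.ico or robots.txt never count, and the threshold keeps a single
    stray request from flagging an innocent client."""
    hits = defaultdict(set)
    for ip, path in parse_missing_file_errors(text):
        if is_probe(path):
            hits[ip].add(path)
    return {ip: sorted(paths) for ip, paths in hits.items() if len(paths) >= min_distinct_probes}


if __name__ == "__main__":
    for ip, paths in scanner_candidates(SAMPLE_ERROR_LOG).items():
        print(ip, paths)
```

Pointing the parser at /var/www/logs/error_log instead of the constructed sample gives the per-IP list an admin could review by hand before deciding whether anything is worth reporting.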