Nick ! wrote:
> On 4/1/07, Pawel S. Veselov <[EMAIL PROTECTED]> wrote:
>> On 4/1/07, Sean Malloy <[EMAIL PROTECTED]> wrote:
>>> I just installed OpenBSD on my server in early March 2007. I am
>>> running an Apache web server out of my house. I am tracking 4.0 STABLE
>>> which I updated the day after the latest security advisory. I recently
>>> noticed some peculiar entries in my Apache error and access logs.
>>> From /var/www/logs/error_log:
>>>
>>> [Sat Mar 31 07:35:07 2007] [error] [client 211.100.33.61] File does
>>> not exist: /htdocs/Provy_OK.html

>> I used to have my logs scanned for these entries, and report them to
>> the authorities responsible for source IP addresses. Most of them would
>> go to SBC or Comcast, but some would go to small networks who do like
>> knowing that their systems are infected or are used for hacking.

> How? How could you automate ID'ing these? If you used some sort of
> heuristic method you risk blacklisting innocent users.

I wasn't blacklisting myself, only reporting to what supposedly
was an authority. I was using RIPE and whois.abuse.org, until it
became too cumbersome to figure out what email address complaints
should be sent to. Just looking over what I had then, I now stumbled
on this article:

http://www.ripe.net/db/news/abuse-proposal-20050331.html

which supposedly should make finding the abuse email address easier,
though I failed to find an email for my own IP :)

> Anyway, "/htdocs/thisdoesnotexistahaha.php" and
> "/w00tw00t.at.ISC.SANS.DFind:)" show that it's just some kid learning
> the ropes. I wouldn't want to report him.

and it probably wouldn't be paid much attention to until it becomes
a regular activity with enough complaints. However, I don't believe
that large providers pay any real attention at all, due to the sheer
volume of the complaints they receive.

-- Pawel.
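The log-scanning step Pawel describes, together with the false-positive concern Nick raises, as an added example that is not code from anyone in the thread: it parses Apache error_log lines of the form quoted above, marks a client as a scanner only when it requests one of the probe paths mentioned in the thread, and otherwise flags a client only after it has hit several distinct missing files, so a browser asking for favicon.ico is left alone. The probe signatures and the address 211.100.33.61 come from the thread; the other addresses and the extra log lines are constructed, and the threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample error_log in the format shown in the thread. The first
# line is the entry quoted in the original post; the rest are made up, using
# documentation address ranges for the other clients.
SAMPLE_ERROR_LOG = """\
[Sat Mar 31 07:35:07 2007] [error] [client 211.100.33.61] File does not exist: /htdocs/Provy_OK.html
[Sat Mar 31 07:35:08 2007] [error] [client 211.100.33.61] File does not exist: /htdocs/thisdoesnotexistahaha.php
[Sat Mar 31 07:35:09 2007] [error] [client 211.100.33.61] File does not exist: /htdocs/w00tw00t.at.ISC.SANS.DFind:)
[Sat Mar 31 08:02:11 2007] [error] [client 192.0.2.10] File does not exist: /htdocs/favicon.ico
[Sat Mar 31 08:02:12 2007] [error] [client 192.0.2.10] File does not exist: /htdocs/robots.txt
[Sat Mar 31 09:15:00 2007] [error] [client 198.51.100.7] File does not exist: /htdocs/w00tw00t.at.ISC.SANS.DFind:)
[Sat Mar 31 09:15:01 2007] [error] [client 198.51.100.7] File does not exist: /htdocs/old/index.html
"""

# Apache 1.3/2.0 style error_log line: [timestamp] [error] [client IP] message
ERROR_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9a-fA-F.:]+)\] "
    r"File does not exist: (?P<path>\S+)$"
)

# Paths that only vulnerability scanners ask for; all three are quoted in the thread.
KNOWN_PROBES = (
    "/w00tw00t.at.ISC.SANS.DFind:)",
    "/Provy_OK.html",
    "/thisdoesnotexistahaha.php",
)


def parse_error_log(text):
    """Yield (client_ip, requested_path) for each 'File does not exist' line."""
    for line in text.splitlines():
        m = ERROR_LINE.match(line)
        if m:
            yield m.group("ip"), m.group("path")


def is_known_probe(path):
    """True when the missing file is one of the scanner signatures above."""
    return any(path.endswith(sig) for sig in KNOWN_PROBES)


def classify_clients(text, min_missing=3):
    """
    Summarise error_log text per client IP.

    verdict is 'scanner' if the client requested a known probe path,
    'suspicious' if it requested at least min_missing distinct missing
    files without a known signature, and 'benign' otherwise. The
    min_missing threshold is an assumed value, not from the thread.
    """
    per_ip = defaultdict(set)
    for ip, path in parse_error_log(text):
        per_ip[ip].add(path)

    report = {}
    for ip, paths in per_ip.items():
        probes = sum(1 for p in paths if is_known_probe(p))
        if probes:
            verdict = "scanner"
        elif len(paths) >= min_missing:
            verdict = "suspicious"
        else:
            verdict = "benign"
        report[ip] = {"missing": len(paths), "probes": probes, "verdict": verdict}
    return report


if __name__ == "__main__":
    for ip, info in sorted(classify_clients(SAMPLE_ERROR_LOG).items()):
        print(f"{ip:16} missing={info['missing']} probes={info['probes']} -> {info['verdict']}")
```

Run it against a real /var/www/logs/error_log by reading the file into `classify_clients`; only the 'scanner' verdicts rest on an exact signature match, and the 'suspicious' bucket is the heuristic Nick warns about, so it is the one to review by hand before reporting anything.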
