Date: Sat, 10 Jan 2004 21:47:47 -0500 (EST)
From: Robert Watson <rwatson@freebsd.org>
To: David Edwards <david@deassociates.com>
Cc: freebsd-security@freebsd.org
Subject: Re: Need some help on security
Message-ID: <Pine.NEB.3.96L.1040110214520.2696D-100000@fledge.watson.org>
In-Reply-To: <000701c3d7c8$697a4e40$6400a8c0@winxp1700>

On Sat, 10 Jan 2004, David Edwards wrote:

> Anyway, on to the question, last night, the server stopped responding
> after someone tried to gain access to what looks to be web based
> printing. I am not familiar with any firewall/IDS solutions and have
> looked over Snort and IPFW today. I don't want to do IPFW because I
> don't want to recompile a kernel that works and potentially lose
> everything I have done so far. Here is a bit of the apache error_log
> which shows the issue I am referring to:
>
> [Sat Jan 10 01:34:04 2004] [error] [client 211.233.89.189] File does not
> exist: /usr/home/dbcenter/public_html/NULL.printer
> [Sat Jan 10 01:34:04 2004] [error] [client 211.233.89.189] File does not
> exist: /usr/local/apache/htdocs/NULL.printer

Well, these log entries are for attempted exploits of Microsoft's IIS, and
shouldn't be a problem. The error messages can safely be ignored.
However, the "server stopped responding" bit doesn't sound good. Was the
web server still running (i.e., Apache processes still present)? What
does "ps -alx" show? Were there any console messages regarding apache
stopping, or any error messages in the Apache log about it exiting or
changing states, as opposed to just file not found errors?

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Senior Research Scientist, McAfee Research
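An added example (not part of the original message): a small Python triage of an Apache error_log that separates the file-not-found probe noise described above from messages about the server exiting or changing state. The first two sample lines are the ones quoted in the message (unwrapped); the other three are constructed, and the `STATE` pattern list is an assumption to adjust for the Apache version in use.

```python
import re
from collections import Counter

# Apache error_log line: [timestamp] [level] optional [client ip] message
LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] '
                  r'(?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$')
# Assumed set of messages meaning the server stopped, crashed, restarted
# or ran out of worker processes.
STATE = re.compile(r'caught SIG\w+|shutting down|exit signal|'
                   r'resuming normal operations|MaxClients', re.I)


def triage(lines):
    """Return (probe counts per client, state-change events, everything else)."""
    probes, state, other = Counter(), [], []
    for line in lines:
        m = LINE.match(line.strip())
        if m and m['client'] and m['msg'].startswith('File does not exist:'):
            probes[m['client']] += 1      # failed request for a missing file
        elif m and STATE.search(m['msg']):
            state.append((m['ts'], m['level'], m['msg']))
        else:
            other.append(line)            # unparsed or unclassified: read by hand
    return probes, state, other


# Sample input: lines 1-2 are from the message, lines 3-5 are constructed.
SAMPLE = """\
[Sat Jan 10 01:34:04 2004] [error] [client 211.233.89.189] File does not exist: /usr/home/dbcenter/public_html/NULL.printer
[Sat Jan 10 01:34:04 2004] [error] [client 211.233.89.189] File does not exist: /usr/local/apache/htdocs/NULL.printer
[Sat Jan 10 01:40:12 2004] [error] server reached MaxClients setting, consider raising the MaxClients setting
[Sat Jan 10 01:41:30 2004] [notice] child pid 4312 exit signal Segmentation fault (11)
[Sat Jan 10 01:41:55 2004] [notice] caught SIGTERM, shutting down
""".splitlines()

if __name__ == '__main__':
    probes, state, other = triage(SAMPLE)
    for client, count in probes.most_common():
        print(f'{count:4d} file-not-found requests from {client}')
    for ts, level, msg in state:
        print(f'STATE {ts} [{level}] {msg}')
    print(f'{len(other)} other lines to review')
```
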