Date: Thu, 14 Jun 2001 17:05:58 +0300
From: Peter Pentchev
To: default013 - subscriptions
Cc: freebsd-security@freebsd.org
Subject: Re: apache security question

On Thu, Jun 14, 2001 at 08:08:36AM -0500, default013 - subscriptions wrote:
> Hello, I've been advised that someone is attempting to break into my box,
> and I know that this person is knowledgeable so I've been watching for
> unusual activity...
>
> I noticed this entry in one of my apache logfiles yesterday, and was
> wondering if anyone could explain to me what this is:
>
> mydomainname.com otherguyshostname.com - - [12/Jun/2001:18:21:35 -0500] "HEAD / HTTP/1.0" 200 0 "-"
>
> It appears to me like they somehow executed the 'head' command... how would
> one do this, and how could you stop it?

They did not execute the head(1) command that you would execute if you typed 'head /etc/motd' on your shell prompt; they made an HTTP HEAD request, the point of which is to get the headers you would get on a GET request, without the page itself - this is handy for browsers that want to check if a particular page has changed.

But yes, as discussed in the thread, the goal was probably to check your Apache's version.

G'luck,
Peter

--
This sentence contains exactly threee erors.
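
One way to pick such requests out of a log with the layout quoted above, as an added example that is not part of the original message: it reports clients whose only requests were HEAD. The heuristic, the function names and every sample line except the first (taken from the post) are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Layout of the log line quoted in the post:
# vhost client ident user [time] "METHOD path proto" status bytes "referer"
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)(?: "(?P<referer>[^"]*)")?'
)


def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def head_only_clients(lines):
    """Return {client: [timestamps]} for clients that sent HEAD and nothing else.

    Assumed heuristic: a client that also issues GETs is more likely a
    browser or cache revalidating a page than a version probe.
    """
    methods = defaultdict(set)
    head_times = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # skip lines that do not follow the expected layout
        methods[rec["client"]].add(rec["method"])
        if rec["method"] == "HEAD":
            head_times[rec["client"]].append(rec["time"])
    return {c: t for c, t in head_times.items() if methods[c] == {"HEAD"}}


# First line is the entry from the post; the rest are constructed samples.
SAMPLE = [
    'mydomainname.com otherguyshostname.com - - [12/Jun/2001:18:21:35 -0500] "HEAD / HTTP/1.0" 200 0 "-"',
    'mydomainname.com client-a.example - - [12/Jun/2001:18:22:01 -0500] "GET /index.html HTTP/1.0" 200 5120 "-"',
    'mydomainname.com client-a.example - - [12/Jun/2001:18:25:40 -0500] "HEAD /index.html HTTP/1.0" 200 0 "-"',
    'garbage line',
]

if __name__ == "__main__":
    for client, times in head_only_clients(SAMPLE).items():
        print(client, len(times), times[0])
```

How much version detail the Server response header carries is controlled separately, by Apache's ServerTokens directive.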