[SOLVED] Error in my error log

[EchoFool]

I have just recently looked at my error log and noticed a new error that i have no seen before whilst building my website, and am wondering what it is that causes it, so i can solve the issue.. could some one explain what it is trying to tell me in simple terms:

 

client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:

 

What does it mean ?

[lonewolf217]

seems to be an inconsequential error

http://www.webhostingtalk.com/showthread.php?t=565379

http://www.webmasterworld.com/forum39/1947.htm

[EchoFool]

So its related to a badly made robot, wish i could find a way to log robots contacting my site so i can decide to block them or not.

[MadTechie]

LOL, that or someone is scanning your machine for vulnerabilities, that nomally appears on a finger print scan to detect what OS is running

[EchoFool]

What kind of vunerabilities ? Because my server did crash due to resources overload or something and my host allocated me more resources... what kind of things do they scan for so i can check i have all of them covered?

[MadTechie]

When you send a request to a server if that request as an error in it the server replies with a message like

 

"Unknown packet" -- Unix OS

or

"unable to resolved" Windows OS

etc etc

 

Now

just say you wanted to find out what software/server/OS a machine was running but the tech guy turned off the welcome messages, identifiers etc etc.. this means you don't know what types of vulnerabilities to look for.

 

but if you send a malformed packet and you got back

"unable to resolved" oow that's a windows message thus that machine is running windows

 

the same idea with requests to Apache or IIS etc, these are used as fingerprints to find out whats running

 

Now someone could connect to your host and using finger print scans could find out everything your running, (maybe down to the version number (mostly major numbers)

Now they have all this info about your server they can now look for vulnerabilities within that software

 

so just say they found your using XYZ-FTP and they found a vulnerabilities it and you don't have the latest updates/patches they could get into your files without your password no matter what you do.. it infact could be a higher level access that you have (depending on what you have).. you can't stop this via PHP this is higher up the chain..

 

Just make sure you have all the updates in place and you should be okay (probably muhahahah)

[EchoFool]

Sounds like im almost helpless from it other than hopefully having reliable security softwares in place.

 

I'm still getting errors like this:

 

File does not exist: /usr/local/apache/htdocs/sumthin

File does not exist: /usr/local/apache/htdocs/webmail

File does not exist: /usr/local/apache/htdocs/mail

File does not exist: /usr/local/apache/htdocs/roundcube

File does not exist: /usr/local/apache/htdocs/roundcube

Invalid method in request \x16\x03

File does not exist: /usr/local/apache/htdocs/501.shtml

 

This was just today... is that related to it ?

 

[MadTechie]

check the IP of the client thats requesting those files. it sounds like a scan to me

[EchoFool]

client 64.15.156.247

client 79.125.59.115

client 61.221.40.45

client 194.72.238.62

 

these are the ips for the list. Should i worry about these scans, im still not sure if im safe or not i have had my host put all my security software on to my server, jsut wondered if theres anything i can code on to my site and upload to help secure the site more so ?

[MadTechie]

Humm its a wide range, the "\x16\x03" is either a something trying to use ssl on your server that i assume doesn't have ssl on (or their using the wrong port) or some test

 

File does not exist: /usr/local/apache/htdocs/webmail

File does not exist: /usr/local/apache/htdocs/mail

File does not exist: /usr/local/apache/htdocs/roundcube

is check to see if you have a webmail their

 

File does not exist: /usr/local/apache/htdocs/501.shtml

is infact your server redirecting a users request, you could create that file if you like (just a html file with a message ie "501 error"

 

File does not exist: /usr/local/apache/htdocs/sumthin

this I assume is used for the finger print, it basically doesn't exist thus this gets and error returned from the server, which contains Web Server type, Version and OS

 

you can protect against this by adding the following lines to your Apache config (httpd.conf) that will prevent the server from disclosing that information.

ServerTokens prod
ServerSignature no

 

BUT it doesn't stop them all..

 

I will take a chance here and say, from what i have seen, this seam to be an automatic process and unless your server is out of date you shouldn't need to worry (as it will probably stop, by itself) it seams to be testing for some very basic weaknesses (to exploit your server for spamming), but the program or bot that seams to be doing this is either some off the shelf software or a generically written bot, its probably not a cracker after you (if it is, they are not very good).

[EchoFool]

Thank you for the infomation MadTechnie

 

Just wondered also where httpd.conf is, as i don't have one in my main root directory, which im assuming is where it is, if i don't have one does that mean i should have had one?

 

With regards to SSL is that some one trying to access my server via an FTP program ?

[MadTechie]

httpd.conf is the Main Configuration Files for apache , (so you need full access to the computer)

FTP won't affect SSL, but SFTP will but as i said your probably okay, i won't worry about it,

[EchoFool]

Ok thank you MadTechie i will read into this !