howto prevent ISP from seeing my server?
BigCletus
12-13-2001, 01:43 PM
I am usually not a shady person, but I do not think my ISP allows servers. I hardly ever have it up, let alone have anything cool to show off on my site, I use it primarily for experimenting and messing around. Can I 'hide' my web server somehow? Would a firewall work?
Also, I get a ton of these in my access_log:
12.230.113.131 - - [09/Dec/2001:20:15:15 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287 "-" "-"
12.230.113.131 - - [09/Dec/2001:20:15:15 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 285 "-" "-"
12.230.113.131 - - [09/Dec/2001:20:15:15 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-"
12.230.113.131 - - [09/Dec/2001:20:15:15 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-"
12.230.113.131 - - [09/Dec/2001:20:15:15 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-"
The IPs are on my subnet, but all trying to access files that don't exist... What is the deal? There are hundreds of these lines... Any help on these 2 questions is greatly appreciated!
Chase
12-13-2001, 04:57 PM
The answer to your first question:
Yes, a firewall could block port 80 from outside traffic, and would work well if you just wanted your webserver to be on your intranet, and not visible from the internet. If you want it visible to the internet, try changing the port Apache listens on to something other than 80.
The answer to your second question:
Those are boxes that have Nimda and Code Red. They are junky, insecure IIS machines. I would go download and install EarlyBird if I were you, which catches and reports the attempts automatically.
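An added example, not written by any poster in this thread: a short Python script that counts requests like the ones quoted in the first post, per source address. The first three sample lines are copied from that post; the `192.0.2.10` line, the malformed line and the marker list are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Common/combined log prefix: host ident user [time] "METHOD path ..." status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) (\S+)')
# Markers chosen for this example, based on the request paths quoted in the thread.
PROBE_MARKERS = ("root.exe", "cmd.exe", "..\\", "../")

def decode_fully(path, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%255c -> %5c -> backslash) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_probe(path):
    """True when the decoded path names an IIS shell/backdoor file or a directory traversal."""
    lowered = decode_fully(path).lower()
    return any(marker in lowered for marker in PROBE_MARKERS)

def summarize(lines):
    """Return (probe hits per source IP, count of other requests, count of unparsed lines)."""
    probes, normal, unparsed = Counter(), 0, 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1
            continue
        host, path = m.group(1), m.group(2)
        if is_probe(path):
            probes[host] += 1
        else:
            normal += 1
    return probes, normal, unparsed

# First three lines are from the first post; the last two are constructed.
SAMPLE = [
    '12.230.113.131 - - [09/Dec/2001:20:15:15 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287 "-" "-"',
    '12.230.113.131 - - [09/Dec/2001:20:15:15 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-"',
    '12.230.113.131 - - [09/Dec/2001:20:15:15 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-"',
    '192.0.2.10 - - [09/Dec/2001:20:16:02 -0800] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
    'not a log line',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

To run it against a real log, pass an open file object to `summarize()` in place of `SAMPLE`.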
mangeli
12-13-2001, 06:04 PM
Originally posted by BigCletus:
I am usually not a shady person, but I do not think my ISP allows servers. I hardly ever have it up, let alone have anything cool to show off on my site, I use it primarily for experimenting and messing around. Can I 'hide' my web server somehow? Would a firewall work?
Also, I get a ton of these in my access_log:
12.230.113.131 - - [09/Dec/2001:20:15:15 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287 "-" "-"
12.230.113.131 - - [09/Dec/2001:20:15:15 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 285 "-" "-"
12.230.113.131 - - [09/Dec/2001:20:15:15 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-"
12.230.113.131 - - [09/Dec/2001:20:15:15 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-"
12.230.113.131 - - [09/Dec/2001:20:15:15 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-"
The IPs are on my subnet, but all trying to access files that don't exist... What is the deal? There are hundreds of these lines... Any help on these 2 questions is greatly appreciated!
What log was that in?
Chase
12-14-2001, 03:07 PM
He said his access_log
Do this to take all that crap out of your logs.
Here is my http.conf snip:
#
# Enable name-based virtual hosts:
#
NameVirtualHost 66.26.190.146:80
#
# This is for people hitting me by IP only:
#
<VirtualHost 66.26.190.146:80>
DocumentRoot /usr/local/www/empty
CustomLog /var/log/httpd/access_junk combined
ErrorLog /var/log/httpd/error_junk
# Make sure /usr/local/www/empty/null exists as an empty file:
ErrorDocument 404 /null
ServerName 66.26.190.146
</VirtualHost>
#
# This is for people using my hostname:
#
<VirtualHost www.thorzine.net:80>
DocumentRoot /usr/local/www
CustomLog /var/log/httpd/access_log combined
ErrorLog /var/log/httpd/error_log
ServerName www.thorzine.net
</VirtualHost>
# This leaves valid traffic in the original logs, and sticks all the worm hits in the 'junk' logs.
# These can be redirected to /dev/null if you aren't interested in keeping count.
jon787
12-14-2001, 10:02 PM
I just did that to mine. Except my real server runs on port 8080 because of the @home block on port 80. Of course ATTBI doesn't because I just ran a validation on the sole page I had on my virtual host.
Since this virtual host is only for logging virus attempts is it safe to place the logs in the same directory as the documentroot? I did this so that others can see the attempts. The logs for my real site aren't set like this.
Yeah, the way I see it those logs are worthless (junk logs). If you want other people to view them, that's fine.