HTTP Logging question...

I hope this is the right forum to ask this question...

My company has a web site and I was reviewing the HTTP AccessLog and I noticed a few interesting discrepancies...there are references to a few URLs that set off alarms in my head.

"GET /favicon.ico HTTP/1.0" 404 244
"GET /_vti_inf.html HTTP/1.0" 404 244
"POST /_vti_bin/shtml.dll/_vti_rpc HTTP/1.0" 500 225

I do not recognize any of these (i.e. they are not ours), and I have seen each of these several times. Do these indicate someone is trying to hack our system or are they standard in some way?

Any explanation would be helpful. If this is not the right place to post this question, please tell me what is...

Thanks,
Joel

Hi

"GET /favicon.ico HTTP/1.0" 404 244
This is from recent versions of IE, when people add the site to their favorites.

http://www.favicon.com/


"GET /_vti_inf.html HTTP/1.0" 404 244
"POST /_vti_bin/shtml.dll/_vti_rpc HTTP/1.0" 500 225

These are related to Frontpage, people often try to hack sites and look for key files that the FrontPage server extensions use.

If you don't have FP installed then its someone trying to gain access (Perfectly save if you dont use FP)

Regards
Darren

Carpediem-it,

Thanks for the quick reply. Good stuff to know (nice to know when someone bookmarks your site, eh?)

What exactly would someone be trying to get from FP? We are almost purely CGI-based, so I have no fear there, just curious...

Thanks again,

Joel

A long time ago sites that used FP extensions were vulnerable, people could download the password files etc.. This is how a lot of sites have been hacked in the past.

It all boils down to poor installation and out of date software now-a-days with FP (mostly). There are a lot of sites with various information.


Regards
Darren