#1
  1. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Dec 2000
    Posts
    34
    Rep Power
    15

    HTTP AccessLog question...


    I hope this is the right forum to ask this question...

    My company has a web site and I was reviewing the HTTP AccessLog and I noticed a few interesting discrepancies...there are references to a few URLs that set off alarms in my head.

    "GET /favicon.ico HTTP/1.0" 404 244
    "GET /_vti_inf.html HTTP/1.0" 404 244
    "POST /_vti_bin/shtml.dll/_vti_rpc HTTP/1.0" 500 225

    I do not recognize any of these (i.e. they are not ours), and I have seen each of these several times. Do these indicate someone is trying to hack our system or are they standard in some way?

    Any explanation would be helpful. If this is not the right place to post this question, please tell me what is...

    Thanks,
    Joel
  2. #2
  3. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2001
    Posts
    56
    Rep Power
    14
    Hi

    "GET /favicon.ico HTTP/1.0" 404 244
    This is from recent versions of IE, when people add the site to their favorites.

    http://www.favicon.com/


    "GET /_vti_inf.html HTTP/1.0" 404 244
    "POST /_vti_bin/shtml.dll/_vti_rpc HTTP/1.0" 500 225

    These are related to FrontPage; people often try to hack sites and look for key files that the FrontPage server extensions use.

    If you don't have FP installed then it's someone trying to gain access (perfectly safe if you don't use FP).

    Regards
    Darren
    HTTP://WWW.PHP4HOSTING.COM ($) HTTP://WWW.PHP4HOSTING.CO.UK ()
    Website Hosting from $4.80/3pm -- .COM/.NET $39.98/24.99
    PHP4, MySQL (Root Access), Full CGI-BIN, Shell Access, FTP, POP3, WAP
    Full Control Reseller Accounts, unlimited domains, FTP, POP, MySQL,PHP4
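
Added example, not part of the original thread: a small Python triage of access-log lines along the lines of the reply above, separating favicon requests from requests for FrontPage `_vti_` paths and listing, per client, any probe that was answered with something other than 404. The function names, client addresses, timestamps and the `/cgi-bin/search.cgi` line are constructed for illustration; the three request strings are the ones quoted in the question, and Common Log Format is assumed.

```python
import re
from collections import defaultdict

# Common Log Format: host ident user [time] "METHOD path PROTO" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def classify(path):
    """Label a request path using the two categories named in the thread."""
    p = path.split("?", 1)[0].lower()
    if p == "/favicon.ico":
        return "browser-favicon"
    if any(seg.startswith("_vti_") for seg in p.split("/")):
        return "frontpage-probe"
    return "other"

def summarize(lines):
    """Count requests per label; per client, keep probes not answered with 404."""
    counts = defaultdict(int)
    probes = defaultdict(lambda: {"hits": 0, "non_404": []})
    for line in lines:
        m = CLF.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        label = classify(m["path"])
        counts[label] += 1
        if label == "frontpage-probe":
            entry = probes[m["host"]]
            entry["hits"] += 1
            if m["status"] != "404":  # server did something other than "not found"
                entry["non_404"].append((m["method"], m["path"], int(m["status"])))
    return dict(counts), dict(probes)

# Constructed sample: request strings from the question, hosts and times made up.
SAMPLE = [
    '192.0.2.10 - - [12/Jan/2001:10:01:02 -0500] "GET /favicon.ico HTTP/1.0" 404 244',
    '198.51.100.7 - - [12/Jan/2001:10:05:40 -0500] "GET /_vti_inf.html HTTP/1.0" 404 244',
    '198.51.100.7 - - [12/Jan/2001:10:05:41 -0500] "POST /_vti_bin/shtml.dll/_vti_rpc HTTP/1.0" 500 225',
    '192.0.2.10 - - [12/Jan/2001:10:06:00 -0500] "GET /cgi-bin/search.cgi?q=a HTTP/1.0" 200 1532',
]

if __name__ == "__main__":
    counts, probes = summarize(SAMPLE)
    print(counts)
    for host, info in probes.items():
        print(host, info["hits"], "probe(s); review:", info["non_404"])
```

A probe that comes back 404 means the requested file is simply not there; the entries collected in `non_404` are the ones to look at by hand.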
  4. #3
  5. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Dec 2000
    Posts
    34
    Rep Power
    15
    Carpediem-it,

    Thanks for the quick reply. Good stuff to know (nice to know when someone bookmarks your site, eh?)

    What exactly would someone be trying to get from FP? We are almost purely CGI-based, so I have no fear there, just curious...

    Thanks again,

    Joel
  6. #4
  7. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2001
    Posts
    56
    Rep Power
    14
    A long time ago, sites that used FP extensions were vulnerable; people could download the password files, etc. This is how a lot of sites have been hacked in the past.

    It all boils down to poor installation and out-of-date software nowadays with FP (mostly). There are a lot of sites with various information.


    Regards
    Darren
