The Forgettable Mister Ruthsarian

Tangled Web

While doing a little maintenance on this server I noticed the access log was 28 mb in size. This thing has been up only about a month and has virtually nothing on it. There's no reason we should have that big a log.

So I did some poking around and found that 25 megs were entirely webdav exploit attempts. I wish the kiddies would at least have the decency to check the HTTP headers and see this isn't an IIS box before chucking that much crap this way.

So I've updated the Apache config to trim the log entries for any request which includes "\x90" in the request by not including the actual request in the log entry. This isn't the cleanest solution, but it works and I'm less concerned about what gets logged than I am the potential for the logs to explode in size if left unchecked. (Yes, that's a very poor approach to security. Do as I say, not as I do.)

The whole experience got me thinking about what else might be in the access log thus far. Here's some quick results that you might find interesting. Keeping in mind this server has been online and googlefied only about a month.

weblog$grep -c -i "\.exe" access_log
1377
weblog$grep -c -i "\.dll" access_log
8
weblog$grep -c -i "\default.ida" access_log
665
weblog$grep -c -i "\\x90" access_log
796
weblog$grep -c -i "cmd.exe" access_log
1189
weblog$grep -c -i "root.exe" access_log
188
weblog$grep -c -i "/scripts/" access_log
851
weblog$grep -c -i "bot" access_log
307

Always curious to see who (or what) is hitting this box.