Welcome to the JaguarPC Community

This is a discussion on _vti_bin/owssver.dll in the Error Log? in the Shared & Semi-Dedicated forum

  1. #1
    JPC Member
    Join Date
    Mar 2004
    Location
    Pacific Northwest
    Posts
    5

    _vti_bin/owssver.dll in the Error Log?

    Last week I noticed a few entries in our error log that were of concern to me. Now they have been showing up more frequently, and from different IPs. The first 3 times, it was from the same ISP (Rasserver.net), and now the latest one looks like it is coming from a different (cable) ISP.

    Each time, the same files are being requested however, and only seconds apart - one right after the other. This last one was simultaneous, which makes me think it's a worm of some sort, rather than a user attempt as originally suspected.

    [Sat Mar 6 09:26:30 2004] [error] [client 24.186.xxx.xxx] File does not exist: /home/jtdtcoal/public_html/MSOffice/cltreq.asp

    [Sat Mar 6 09:26:30 2004] [error] [client 24.186.xxx.xxx] File does not exist: /home/jtdtcoal/public_html/_vti_bin/owssvr.dll

    I understand the _vti_bin/owssver.dll is a corruptible file, and am concerned as to what this means and what action would be appropriate.

    We originally did an IP deny on the first 2 IPs, and now it keeps happening (probably since he's on dialup). Are we dealing with a user who has an infected system, and what should we do?

    Any help or knowledge you guys can share would be much appreciated.



  2. #2
    Yeah, I know a LOT! Vin DSL
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

    No Guts, No Story! VinDSL © 2010

  3. #3
    Community Leader jason
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    The files that are being requested are Windows files. Basically someone is looking for MS Internet Information Server vulnerabilities, which your site is immune to since it isn't using IIS or even Windows. Usually these things occur either when someone decides to launch a brute force attack against your site or when someone's system is compromised with a worm that is designed to attack random IP addresses. It is usually the latter unless you are running a site like Microsoft or Google.

    Also keep this in mind: these things are showing up in your error log. That means that the "person" (or more likely machine) that was trying to get to them failed. As long as there are no files with those names in your public_html folder then there is nothing for the attacker to access, so no harm can be done. Even if they were there, they are Windows-specific files that your Linux server wouldn't be able to execute, so no harm would be done, regardless.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com

  4. #4
    JPC Member
    Join Date
    Mar 2004
    Location
    Pacific Northwest
    Posts
    5
    Thanks so much guys. VinDSL, I couldn't access the 2nd two links you gave me.... Maybe after I register it'll let me read 'em.

    It's good to know it's not something serious, though it really put up red flags about whatever else they could be probing for, obviously. We will let the person in question know he may need to run a disk scan.

    Thanks again though
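
Added example, not written by any poster in this thread: a small Python check over error-log lines in the format quoted in post #1. It flags failed requests for the two Windows-only paths named in the thread and notes when one client asks for more than one of them within a few seconds. The sample lines, client addresses, docroot and the 5-second window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the error-log format quoted in post #1.
SAMPLE_LOG = """\
[Sat Mar 6 09:26:30 2004] [error] [client 192.0.2.10] File does not exist: /home/example/public_html/MSOffice/cltreq.asp
[Sat Mar 6 09:26:30 2004] [error] [client 192.0.2.10] File does not exist: /home/example/public_html/_vti_bin/owssvr.dll
[Sat Mar 6 10:02:11 2004] [error] [client 198.51.100.7] File does not exist: /home/example/public_html/favicon.ico
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"File does not exist: (?P<path>\S+)$"
)
# The two paths from the thread, lower-cased; extend this tuple as needed.
WINDOWS_ONLY = ("/_vti_bin/", "/msoffice/cltreq.asp")


def find_probes(log_text, window_seconds=5):
    """Return {client_ip: {"paths": [...], "burst": bool}} for failed
    requests whose path contains one of the WINDOWS_ONLY fragments."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a "File does not exist" entry
        path = m.group("path")
        if not any(frag in path.lower() for frag in WINDOWS_ONLY):
            continue  # ordinary missing file, e.g. favicon.ico
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        hits[m.group("ip")].append((ts, path))
    report = {}
    for ip, events in hits.items():
        events.sort()
        # Burst: two different probe paths from one client inside the window,
        # the "seconds apart" pattern described in post #1.
        burst = any(
            (b[0] - a[0]).total_seconds() <= window_seconds and a[1] != b[1]
            for a, b in zip(events, events[1:])
        )
        report[ip] = {"paths": [p for _, p in events], "burst": burst}
    return report


if __name__ == "__main__":
    for ip, info in find_probes(SAMPLE_LOG).items():
        kind = "automated-looking burst" if info["burst"] else "isolated"
        print(ip, kind, info["paths"])
```

Because every match comes from a "File does not exist" line, each reported request is one the server refused, which is the point made in post #3.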
