While doing a little maintenance on this server I noticed the access log was 28 MB in size. This thing has been up only about a month and has virtually nothing on it. There’s no reason we should have that big a log.
So I did some poking around and found that 25 megs were entirely WebDAV exploit attempts. I wish the kiddies would at least have the decency to check the HTTP headers and see this isn’t an IIS box before chucking that much crap this way.
So I’ve updated the Apache config to trim the log entries for any request containing “\x90” by not including the actual request line in the log entry. This isn’t the cleanest solution, but it works, and I’m less concerned about what gets logged than I am about the potential for the logs to explode in size if left unchecked. (Yes, that’s a very poor approach to security. Do as I say, not as I do.)
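For anyone who wants to do the same thing with stock Apache, here is one way to wire it up with SetEnvIf and conditional CustomLog directives. This is an added example, not the config from the original post: it assumes the 0x90 bytes sit in the request URI (where the WebDAV probes put their NOP sled), and the environment variable name and log file paths are placeholders. It goes one step past the post by also writing the full, untrimmed line to a separate file, so the main log stays small but the evidence is not thrown away.

```apache
# Added example (not the original post's config): flag requests whose
# URI carries a 0x90 byte and log them in trimmed form, keeping the
# full line in its own file. The env name and log paths are assumed.
SetEnvIf Request_URI "\x90" suspect_probe

LogFormat "%h %l %u %t \"%r\" %>s %b" common
# Same fields, but the request line is replaced by just the method, so a
# multi-kilobyte sled never lands in the main log.
LogFormat "%h %l %u %t \"%m [request line suppressed]\" %>s %b" trimmed

# Ordinary traffic is logged unchanged ...
CustomLog logs/access_log common env=!suspect_probe
# ... flagged probes appear in the main log in trimmed form ...
CustomLog logs/access_log trimmed env=suspect_probe
# ... and in full in a separate file that can be rotated or pruned on its own.
CustomLog logs/probe_log common env=suspect_probe
```

SetEnvIf Request_URI matches only the path part of the request, so a sled sitting in a header rather than the URI would not trip it; a second SetEnvIf on that header would be needed in that case. The point of the third CustomLog is to keep a record you can grep later (as in the counts below) without letting it dictate the size of the log you actually read.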
The whole experience got me thinking about what else might be in the access log thus far. Here are some quick results that you might find interesting, keeping in mind this server has been online and googlefied only about a month.
weblog$ grep -c -i "\.exe" access_log
1377
weblog$ grep -c -i "\.dll" access_log
8
weblog$ grep -c -i "\default.ida" access_log
665
weblog$ grep -c -i "\\x90" access_log
796
weblog$ grep -c -i "cmd.exe" access_log
1189
weblog$ grep -c -i "root.exe" access_log
188
weblog$ grep -c -i "/scripts/" access_log
851
weblog$ grep -c -i "bot" access_log
307
Always curious to see who (or what) is hitting this box.