some one asking for strange web-pages...

This I find in my /var/log/apache2/error.log and I wonder a litle over
what this would be.
I did a whois on 200.23.35.52 and find out that it come from some one in
Mexico.
My question is, is this from a person or is it from some kind of program..?
If it is a person, what is he/she up to?

My litle web site is merely in swedish and can only be of interest for
any one, if he/she read swedish, and have beginners interest in
Gnu/Linux and my dog.

[Thu Feb 16 10:57:26 2006] [error] [client 200.23.35.52] File does not
exist: /var/www/index2.php
[Thu Feb 16 10:57:27 2006] [error] [client 200.23.35.52] File does not
exist: /var/www/index.php
[Thu Feb 16 10:57:28 2006] [error] [client 200.23.35.52] File does not
exist: /var/www/mambo
[Thu Feb 16 10:57:30 2006] [error] [client 200.23.35.52] File does not
exist: /var/www/cvs
[Thu Feb 16 10:57:31 2006] [error] [client 200.23.35.52] File does not
exist: /var/www/articles
[Thu Feb 16 10:57:32 2006] [error] [client 200.23.35.52] File does not
exist: /var/www/cvs
[Thu Feb 16 10:57:34 2006] [error] [client 200.23.35.52] File does not
exist: /var/www/xmlrpc.php
[Thu Feb 16 10:57:35 2006] [error] [client 200.23.35.52] File does not
exist: /var/www/blog
[Thu Feb 16 10:57:37 2006] [error] [client 200.23.35.52] File does not
exist: /var/www/blog
[Thu Feb 16 10:57:38 2006] [error] [client 200.23.35.52] File does not
exist: /var/www/blogs
[Thu Feb 16 10:57:39 2006] [error] [client 200.23.35.52] File does not
exist: /var/www/drupal
[Thu Feb 16 10:57:40 2006] [error] [client 200.23.35.52] File does not
exist: /var/www/phpgroupware
[Thu Feb 16 10:57:42 2006] [error] [client 200.23.35.52] File does not
exist: /var/www/wordpress
[Thu Feb 16 10:57:43 2006] [error] [client 200.23.35.52] File does not
exist: /var/www/xmlrpc.php
[Thu Feb 16 10:57:44 2006] [error] [client 200.23.35.52] File does not
exist: /var/www/xmlrpc
[Thu Feb 16 10:57:46 2006] [error] [client 200.23.35.52] File does not
exist: /var/www/xmlsrv

/Anders

Anders

Anders <> writes:

> This I find in my /var/log/apache2/error.log and I wonder a litle over
> what this would be.
> I did a whois on 200.23.35.52 and find out that it come from some one
> in Mexico.
> My question is, is this from a person or is it from some kind of
> program..?> If it is a person, what is he/she up to?

Script kiddie looking for common URL's in an attempt to identify
targets. These are typically looking for common URL's where a
specific web application is known to run on a site, and that has
exploitable vulnerabilities.

nikto is a popular program that does this stuff, but there are plenty
of others. White hats use it for assessing vulnerabilities of their
clients' web sites (with their consent), the bad guys use it to try to
break in and wreak havoc. e.g. finding an old level of phpbb that's
exploitable or some such

You could block that IP as a countermeasure, or just accept such
scanning as a fact of life on the net.

Best Regards,
--
Todd H.
http://www.toddh.net/

Todd H.

Todd H. wrote:
> Anders <> writes:
>
>
>>This I find in my /var/log/apache2/error.log and I wonder a litle over
>>what this would be.
>>I did a whois on 200.23.35.52 and find out that it come from some one
>>in Mexico.
>>My question is, is this from a person or is it from some kind of
>>program..?> If it is a person, what is he/she up to?
>
>
> Script kiddie looking for common URL's in an attempt to identify
> targets. These are typically looking for common URL's where a
> specific web application is known to run on a site, and that has
> exploitable vulnerabilities.
>
> nikto is a popular program that does this stuff, but there are plenty
> of others. White hats use it for assessing vulnerabilities of their
> clients' web sites (with their consent), the bad guys use it to try to
> break in and wreak havoc. e.g. finding an old level of phpbb that's
> exploitable or some such
>
> You could block that IP as a countermeasure, or just accept such
> scanning as a fact of life on the net.
>
> Best Regards,

Thank you for the answer, just seeing it in the error.log tells me that
he did not get what he wanted. I will block the IP for now, I have a
list of bad IP's but havent got the time to put it in to my hostlist yet.

I have make use of a services from the swedish goverment of post and
telecomunikation and they are using nessus, and the result was that my
site is secure besides two vulnerabilities.
1. they can figure out what OS and web-server I am running.
2. they can read my robots.txt and that one only say's, User-Agent: *
Disallow: /

/Anders

Anders

Anders <> writes:
> I have make use of a services from the swedish goverment of post and
> telecomunikation and they are using nessus, and the result was that my
> site is secure besides two vulnerabilities.
> 1. they can figure out what OS and web-server I am running.

Which isn't that big a deal so long as you remain up to date.

> 2. they can read my robots.txt and that one only say's, User-Agent: *
> Disallow: /

Which isn't a big deal at all as it leaks 0 information.

--
Todd H.
http://www.toddh.net/

Todd H.