GET /sumthin DOS has crashed 3 boxes 2 times in last week

rpmws

Well-Known Member
Aug 14, 2001
back woods of NC, USA
actually you can put the Alias anywhere in the httpd.conf. I put mine at the top, restarted, and no matter what domain I try I get the blank page. I started to put on the blank page as "F*** YOU !!!" but figured it would start a war in no time.. I guess this will keep these things from knowing what server we run. But will it stop the crash? I am still not sure if any of you have seen dead boxes from this like I have?
 

Website Rob

Well-Known Member
Mar 23, 2002
Alberta, Canada
cPanel Access Level
Root Administrator
Some of us just like to be organized and keep our VirtualHost Aliases in the same place.

I also think you made the right choice in which msg. you eventually went with.

:D
 

rpmws

Well-Known Member
Aug 14, 2001
back woods of NC, USA
Originally posted by Website Rob
Some of us just like to be organized and keep our VirtualHost Aliases in the same place.

I also think you made the right choice in which msg. you eventually went with.

:D
For 4 years I have been putting all my server-wide directives at the top, basically. I also deleted out most of the commented stuff and made my own comments. Easier to search using VI when you know exactly what to search for :)
 

silvernetuk

Well-Known Member
Sep 2, 2002
United Kingdom
Hi,

Originally posted by Website Rob
No, just the 'touch' command.

Then you need to edit your httpd.conf file and scroll (way down) till you see:

NameVirtualHost xx.xx.xx.xx:80 << your main Server IP
Alias /bandwidth/ /usr/local/bandmin/htdocs/
Alias /sumthin /usr/local/apache/htdocs/blankfile << add it here

Decided to answer my own question and figure that edit should grab "all" of the 'sumthin' requests. Feel free to correct if not so.
What will happen if a client makes a folder in their public_html called /sumthin ?

Regards,
Garry
 

rpmws

Well-Known Member
Aug 14, 2001
back woods of NC, USA
Originally posted by silvernetuk
Hi,

What will happen if a client makes a folder in their public_html called /sumthin ?

Regards,
Garry
They would be SOL. Just like if they made one called "webmail" hehe
 

silvernetuk

Well-Known Member
Sep 2, 2002
United Kingdom
Hi,

I never got round to doing this. Have I got these steps right?

1. Log into Root SSH

2. type: touch /usr/local/apache/htdocs/blankfile

3. type: cd /etc/httpd/conf/

4. type pico httpd.conf

5. Scroll down to
NameVirtualHost xx.xx.xx.xx:80 << main Server IP
Alias /bandwidth/ /usr/local/bandmin/htdocs/

6. type in: Alias /sumthin /usr/local/apache/htdocs/blankfile

7. So it looks like:

NameVirtualHost xx.xx.xx.xx:80 << main Server IP
Alias /bandwidth/ /usr/local/bandmin/htdocs/
Alias /sumthin /usr/local/apache/htdocs/blankfile

8. ctrl x press y

9. type httpd restart

10. all done

Is this correct ?

Regards,
Garry
 

Website Rob

Well-Known Member
Mar 23, 2002
Alberta, Canada
cPanel Access Level
Root Administrator
silvernetuk, to answer your question:

3. type: cd /etc/httpd/conf/

Technically this is correct -but- I do believe it is a specific WHM function, to sym link 'httpd' to the '/usr/local/apache/' directory. The actual dir. path is probably better to use IMHO. To continue using the sym link 'may' get one, into an incorrect habit for dealing with the httpd.conf file. Totally up to the individual of course and I only mention it because of the details behind it.

5. Scroll down to
NameVirtualHost xx.xx.xx.xx:80 << main Server IP
Alias /bandwidth/ /usr/local/bandmin/htdocs/

One does not have to put the directive exactly at that position. A good idea, mentioned earlier by rpmws, is to put directives of this type at the very top of the httpd.conf file. Since doing it this way myself, I have found it very handy -- especially when working on the directives as it sometimes takes a couple of tries to get them correct. An 'Alias' does not have to be enclosed within any special type directives, to work Server-wide.


Here, for example, is the beginning of my httpd.conf file which I have modified for my needs.

# vi /usr/local/apache/conf/httpd.conf

###

Alias /bandwidth/ /usr/local/bandmin/htdocs/

### Change Log ###

# insert date of changes / additions for tracking purposes
RedirectMatch Permanent ^/(.*cmd\.exe.*)$ http://potentproducts.com/virus.html
RedirectMatch Permanent ^/(.*default\.ida.*)$ http://potentproducts.com/virus.html
RedirectMatch Permanent ^/(.*httpodbc\.dll.*)$ http://potentproducts.com/virus.html
RedirectMatch Permanent ^/(.*owssvr\.dll.*)$ http://potentproducts.com/virus.html
RedirectMatch Permanent ^/(.*root\.exe.*)$ http://potentproducts.com/virus.html
RedirectMatch Permanent ^/(.*cltreq\.asp.*)$ http://potentproducts.com/virus.html
RedirectMatch Permanent ^/(.*sumthin\.*)$ http://potentproducts.com/virus.html
RedirectMatch Permanent (.*)AF8 http://potentproducts.com/virus.html


The 'virus.html' includes only an SSI directive, to a script which allows me to track (what I call) these "virus" attempts. Since using this method for the last 3 weeks, the number has reached 467 for all of the above.

The last directive shown is because some people do a search for a " +AF8 " file, which I put in the same category as the " sumthin " file; it seems to have started showing up around the same time as the " sumthin " searches. It is also a very "odd" thing to be looking for at any Web site.


Also note that, while the above (or the Alias method) will keep these requests from showing in the Error logs, they will still show up in the "Stats - Latest Visitors" section of Cpanel.

Another quick note, whenever working with or altering the httpd.conf file, always run this command "immediately" after saving changes:

/usr/local/apache/bin/httpd -t

Anything other than "Syntax OK" means Apache has a problem with the httpd.conf file. It will list a line number for the exact problem(s) and they need to be fixed "now", or Apache will have immediate problems.
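The steps silvernetuk listed, combined with the httpd -t check from this post, as one shell function: an added example, not code from the thread or from cPanel. The conf file, httpd binary and blankfile paths are passed in as arguments (the thread's paths are shown in the comments), and the restart is left to you.

```shell
#!/bin/sh
# Added example, not from the thread: the Alias steps above as one function,
# with a backup, a one-time (idempotent) insert and the 'httpd -t' check from
# Website Rob's post before anything goes live. Paths are the ones quoted in
# the thread; pass your own if they differ.
#
# usage: add_sumthin_alias CONF HTTPD BLANKFILE
#   CONF       httpd.conf to edit   (thread: /usr/local/apache/conf/httpd.conf)
#   HTTPD      apache binary        (thread: /usr/local/apache/bin/httpd)
#   BLANKFILE  empty target         (thread: /usr/local/apache/htdocs/blankfile)
# returns 0 when the Alias is in place and the syntax check passed, 1 otherwise;
# on failure the original conf is left untouched.
add_sumthin_alias() {
    conf=$1 httpd=$2 blank=$3
    line="Alias /sumthin $blank"
    [ -e "$blank" ] || : > "$blank"               # step 2: 'touch' the file
    if grep -qF "$line" "$conf"; then
        echo "already present in $conf" >&2       # safe to run twice
        return 0
    fi
    # Insert right after the bandwidth Alias (where the thread puts it), or at
    # the end of the file if that line is missing; Alias is server-wide either way.
    awk -v line="$line" '
        { print }
        /^Alias \/bandwidth\// && !done { print line; done = 1 }
        END { if (!done) print line }
    ' "$conf" > "$conf.new" || return 1
    # Anything other than "Syntax OK" means do not touch the live file.
    if "$httpd" -t -f "$conf.new" 2>&1 | grep -q '^Syntax OK'; then
        cp -p "$conf" "$conf.bak" && mv "$conf.new" "$conf"
    else
        echo "syntax check failed; $conf not changed" >&2
        rm -f "$conf.new"
        return 1
    fi
}
# after a successful run, restart Apache as in step 9 of the post above
```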
 

perfectsquare

Active Member
Sep 11, 2002
Originally posted by ozzi4648

Regardless, this is an information gathering technique. The "/sumthin" is used to intentionally trigger a 404 error. If you haven't modified your 404 page (you can find instructions to do so here), or if a hacker telnets to your HTTP port and sends this GET request, this will reveal information about your Web Server type, Version and OS. If you are running an Apache server, add these lines to your httpd.conf file to prevent the server from disclosing this information:
If someone wants to know information about your server, all they have to do is go to http://www.netcraft.com/ ... gives you all the info you need.
 

rpmws

Well-Known Member
Aug 14, 2001
back woods of NC, USA
Originally posted by perfectsquare
If someone wants to know information about your server, all they have to do is go to http://www.netcraft.com/ ... gives you all the info you need.
I think if you turn off tokens it won't ... These aren't people hitting us ..these are infected boxes.

Tell you what ..I am looking for a good worm hit counter...anyone have a good one to suggest?
 

X-Istencedotcom

Well-Known Member
Apr 14, 2003
Originally posted by rpmws
I think if you turn off tokens it won't ... These aren't people hitting us ..these are infected boxes.

Tell you what ..I am looking for a good worm hit counter...anyone have a good one to suggest?
If you still need it, use PHP to make a counter that adds a 1 to a database or file every time its run.
 

sexy_guy

Well-Known Member
Mar 19, 2003
Hello, looking through my logs today I found a lot of these

67.82.82.208 - - [13/Apr/2003:04:12:56 -0700] "OPTIONS / HTTP/1.1" 200 -
67.82.82.208 - - [13/Apr/2003:04:12:57 -0700] "OPTIONS / HTTP/1.1" 200 -
67.82.82.208 - - [13/Apr/2003:04:12:58 -0700] "OPTIONS / HTTP/1.1" 200 -
67.82.82.208 - - [13/Apr/2003:04:13:12 -0700] "OPTIONS / HTTP/1.1" 200 -

212.199.204.46 - - [13/Apr/2003:04:40:41 -0700] "OPTIONS / HTTP/1.1" 200 -
212.199.204.46 - - [13/Apr/2003:04:40:42 -0700] "OPTIONS / HTTP/1.1" 200 -
212.199.204.46 - - [13/Apr/2003:04:40:51 -0700] "OPTIONS / HTTP/1.1" 200 -

64.228.93.2 - - [13/Apr/2003:05:34:53 -0700] "HEAD / HTTP/1.0" 200 0
64.228.93.2 - - [13/Apr/2003:05:34:53 -0700] "HEAD / HTTP/1.0" 200 0
64.228.93.2 - - [13/Apr/2003:05:34:54 -0700] "HEAD / HTTP/1.0" 200 0

:confused:
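The log-based "worm hit counter" rpmws asked for earlier, run over a constructed sample built from the excerpt above: an added example, not code from the thread. It counts requests for the file names in Website Rob's RedirectMatch list as worm hits and the bare OPTIONS/HEAD requests as probes, per source IP.

```shell
#!/bin/sh
# Added example, not from the thread: the "worm hit counter" rpmws asked for,
# built from the access log rather than a PHP counter. Per client IP it tallies
# requests for the file names in Website Rob's RedirectMatch list (plus
# /sumthin) as "worm", and the bare "OPTIONS /" / "HEAD /" requests from
# sexy_guy's excerpt as "probe". Reads Apache common/combined log lines.

# Same names as the RedirectMatch rules; [.] is a literal dot in an awk regex.
PROBE_RE='cmd[.]exe|default[.]ida|httpodbc[.]dll|owssvr[.]dll|root[.]exe|cltreq[.]asp|/sumthin|AF8'

# worm_hits [LOGFILE]   (reads stdin when no file is given)
# prints "KIND COUNT IP" lines, grouped by kind and highest count first
worm_hits() {
    awk -v re="$PROBE_RE" '
    {
        # the request is the first quoted field: "METHOD PATH PROTOCOL"
        if (match($0, /"[^"]*"/) == 0) next
        split(substr($0, RSTART + 1, RLENGTH - 2), req, " ")
        method = req[1]; path = req[2]
        if (path ~ re)
            worm[$1]++
        else if ((method == "OPTIONS" || method == "HEAD") && path == "/")
            probe[$1]++
    }
    END {
        for (ip in worm)  print "worm",  worm[ip],  ip
        for (ip in probe) print "probe", probe[ip], ip
    }' "$@" | sort -k1,1 -k2,2nr
}

# Constructed sample: two of sexy_guy's sources above plus made-up worm hits
# from 10.0.0.x and one ordinary visitor (192.0.2.9) that must not be counted.
sample_log() {
cat <<'EOF'
67.82.82.208 - - [13/Apr/2003:04:12:56 -0700] "OPTIONS / HTTP/1.1" 200 -
67.82.82.208 - - [13/Apr/2003:04:12:57 -0700] "OPTIONS / HTTP/1.1" 200 -
67.82.82.208 - - [13/Apr/2003:04:12:58 -0700] "OPTIONS / HTTP/1.1" 200 -
64.228.93.2 - - [13/Apr/2003:05:34:53 -0700] "HEAD / HTTP/1.0" 200 0
64.228.93.2 - - [13/Apr/2003:05:34:54 -0700] "HEAD / HTTP/1.0" 200 0
10.0.0.5 - - [13/Apr/2003:06:01:02 -0700] "GET /sumthin HTTP/1.0" 404 -
10.0.0.5 - - [13/Apr/2003:06:01:03 -0700] "GET /scripts/root.exe HTTP/1.0" 404 -
10.0.0.7 - - [13/Apr/2003:06:05:10 -0700] "GET /default.ida?XXXXX HTTP/1.0" 404 -
192.0.2.9 - - [13/Apr/2003:06:07:00 -0700] "GET /index.html HTTP/1.0" 200 1234
EOF
}

sample_log | worm_hits      # real use: worm_hits /path/to/your/access_log
```

Feed it the whole access log periodically (cron) and the per-IP counts give you the "hit counter" without adding a script or database to the web tree.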