Explanation of Common 404 Errors
mike
Status: Contributor
Joined: 08 Oct 2004
Posts: 71
Reply Quote
I found this during my daily browser and that that you all would appreciate it. This explains many common 404 errors you may find in your stat logs.

:: Quote ::

/robots.txt

Friendly. An automated robot is asking whether it is okay to crawl your site, and if so, whether there are any paths it should stay out of.

See www.robotstxt.org/wc/robots.html for more information.

Recommendation: create a compliant /robots.txt file and place it on your server. Leave it empty if there are no folders that you want to protect from crawlers. Doing this will reduce your 404 error count, and doing it communicates to the robots that you are savvy. You may even get extra points in your search results ranking.


favicon.ico

Friendly. A web browser (probably Internet Explorer 5+) has bookmarked your site. This icon, if present, will be displayed in the bookmarks list.

See www.favicon.com/.

Recommendation: the Guardian script includes a default filter rule which handles all of these requests. Just customize the "favicon.ico" file in the "guardian/data" folder to match your site.


/MSOffice/cltreq.asp
/_vti_bin/owssvr.dll

Friendly. You're being visited by a user who has installed Microsoft Office and Internet Explorer, and who has enabled the "Discuss" toolbar in his browser. When that toolbar is enabled, the browser will automatically query for these two files when visiting each site, to determine whether the Office Server Extensions are installed.

Recommendation: do nothing. Allow the 404 errors to happen. To cut down on error reports, you may disable Guardian notification by using a custom filter rule with the "ignore: 1" action.

If you are on a Windows server, you can install Office Server Extensions (available in Office 2000) and then the /MSOffice/cltreq.asp path will contain a valid file, allowing visitors to discuss content. Wouldn't that be neat?


/_vti_bin/
/_vti_inf.html

Unknown. Front Page authors connect to executables within the /_vti_bin/ folder. Microsoft Office applications will often make test requests to /_vti_inf.html.

These requests could be due to hostile probing, but they are more likely due to legitimate users. The requests would be made if somebody viewed your web pages within Front Page or an Office document. You should not initiate counter-strikes because these patterns are too vague.

Recommendation: do nothing. Allow the 404 errors to happen. You may disable email-error notification by Guardian by using a custom filter rule with the "ignore: 1" action.


/sumthin

Hostile. This is a self-propagating worm that infects Linux/Apache systems with the OpenSSL vulnerability. It is suspected to be a variant of the slapper worm. The request to /sumthin is intended to get version information from the Server: response header, not to analyze the 404 response string. Versions with the OpenSSL vulnerability are then attacked.

See also:

www.securityfocus.com/archive/75/313283
CERT Advisory CA-2002-23 Multiple Vulnerabilities In OpenSSL

Recommendation: Review the CERT advisory and apply any needed OpenSSL patches. After doing that, ignore the reports.


formail.pl
formmail.cgi
/cgi-bin/formmail

Hostile. An aspiring spammer is searching the web for sites running old or unsecured versions of Matt Wright's formmail.

Recommendation: if you use formmail, visit www.scriptarchive.com/formmail.html for the latest security patches.

Otherwise, do nothing. Allow the 404 errors to happen. You may disable email-error notification by Guardian by using a custom filter rule with the "ignore: 1" action. Current versions of Guardian include an enabled rule for this by default.


/scripts/nsiislog.dll

Hostile. A probe for a buffer overrun vulnerability in the Windows 2000 IIS service.

See the CERT write-up for this vulnerability.

Recommendation: do nothing. Allow the 404 errors to happen. You may disable email-error notification by Guardian by using a custom filter rule with the "ignore: 1" action. Current versions of Guardian include an enabled rule for this by default.


default.ida

Hostile. Code Red checks for this file to exploit a buffer overflow in the IIS .ida handler. It attacks Microsoft IIS servers.

See the CERT write-up for Code Red.

Recommendation: do nothing. Allow the 404 errors to happen. You may disable email-error notification by Guardian by using a custom filter rule with the "ignore: 1" action. Current versions of Guardian include an enabled rule for this by default.


cmd.exe
root.exe

Hostile. sadmind/IIS worm. It attacks Microsoft IIS servers.

See the CERT write-up for sadmind/IIS.

Recommendation: do nothing. Allow the 404 errors to happen. You may disable email-error notification by Guardian by using a custom filter rule with the "ignore: 1" action. Current versions of Guardian include an enabled rule for this by default.


Administrators of IIS servers should frequently visit windowsupdate.com and install all service packs and patches. This will protect against the worms. If you are seeing these requests in your error log, then that means (most likely) the exploit had failed, and your system is not vulnerable. The only problem at this point is to deal with all of the automated traffic and resulting 404 errors.

source: www.xav.com/scripts/guardian/help/1022.html[/quote]
Back to top
jeffd
Status: Assistant
Joined: 04 Oct 2003
Posts: 594
Reply Quote
Nice find Mike, I've seen all those 404 requests at some point. Thanks for the info, that should be useful for people who need to know about things like this.

For a while I was seeing the phpBB ones a lot too, they usually feature the 'highlight' option, those don't always show as 404's, but as real requests.

Another one I've been seeing recently, it's definitely automated, is a string of requests for every general forum location directory, like /forums/, /boards/, /phpbb/, and so on. This one actually makes me a little nervous, since it started well after the recent 2.0.13 patches were released, and suggests there may be another vulnerability. Or then again, it might be, and probably is, just an automated forum spam spider that searches for every common forum directory.
Back to top
mike
Status: Contributor
Joined: 08 Oct 2004
Posts: 71
Reply Quote
Yea, the biggest one's I see with that are phpBB, AWSTATS and formmail.pl. It's usually just a bunch of script kiddies, trying to exploit outdated scripts. This is why it's important to make sure all of your software is up-to-date.
Back to top
Display posts from previous:   

All times are GMT - 8 Hours