[ale] apache recovery

Robert E. Karaffa, II rkaraff at emory.edu
Thu Sep 19 00:12:02 EDT 2002


Hi folks,
   Our little apache web server (Mandrake 8.0) was brought down yesterday by a 
bot, I think.  It was looking for a Windows box to infest, and not finding one, 
it instead filled up our root partition with log entries until it was full, 
thus rendering our server useless.  Here are some log entries from /var/log/http:

[Sun Sep  1 10:30:37 2002] [error] [client 66.77.73.236] File does not exist: /var/www/html/robots.txt
[Mon Sep  2 01:03:47 2002] [error] [client 170.140.204.127] File does not exist: /var/www/html/robots.txt
[Mon Sep  2 07:54:01 2002] [error] [client 24.214.140.223] Invalid method in request /
[Sat Sep  7 17:24:30 2002] [error] [client 217.235.10.17] File does not exist: /var/www/html/scripts/..¿Ø../winnt/system32/cmd.exe
[Sat Sep  7 20:49:42 2002] [error] [client 212.185.249.88] File does not exist: /var/www/html/request/failed/index_failed.htm
[Sun Sep  8 01:04:20 2002] [error] [client 170.140.204.127] File does not exist: /var/www/html/robots.txt
[Sun Sep  8 08:43:25 2002] [error] [client 200.158.124.149] Client sent malformed Host header
[Sun Sep  8 09:08:29 2002] [error] [client 66.1.110.186] Client sent malformed Host header
[Sun Sep  8 12:36:39 2002] [error] [client 204.253.57.44] File does not exist: /var/www/html/scripts/..%5c%5c../winnt/system32/cmd.exe
[Mon Sep  9 01:06:03 2002] [error] [client 170.140.204.127] File does not exist: /var/www/html/robots.txt

I'm too dumb to figure out just what happened.  It DID happen over a period of 
time, not just yesterday.  So, we're trying to recover as best we can, and I've 
some questions for you gurus in ale.org land:

-I don't think we'll have to reinstall our OS...but I'm not confident of that 
quite yet.
-we used this box for ftp server, web server, and AppleShareIP server.  It 
therefore contains a lot of user information that we'd like to keep.  Can 
anybody tell me how to restore the users and groups list if we do indeed 
reinstall?  I'm surfing the net for help, so I'd appreciate any feedback from any 
of you.

-Is it as easy as copying the passwd file and .htaccess?  Am I close?  The 
accounts that have been created over the past couple of years of use we would 
like not to lose.  The data in the accounts is not that critical, as we can 
easily back that up and restore it properly.

Here's the entry in /var/log/http/error.log that caught our attention:

[Sat Sep 14 11:14:08 2002] [error] [client 216.1.217.140] File does not exist: /var/www/html/galaxy_7171.7517


Anybody know what "galaxy_7171.7517" is?

Interestingly enough, last night I was doing some reading on grc.com.  The saga 
of the DoS attack by the 13-yr old script kiddie made for good reading.  Does 
it look like we were attacked by this method?  

Thanks for any help anybody can render.





-- 
-Bob K.

************************** 
Robert E. Karaffa, II 
Technical Director 
Emory University 
Flow Cytometry Core Facility 
1365 B Clifton Rd., Room B5133 
Atlanta, Ga 30322 
voice: 404/712-4429 
e-mail: rkaraff at emory.edu 
************************** 

---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
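The log entries quoted in the post are the usual background noise an Apache box picks up: crawlers asking for robots.txt, a couple of malformed requests, and the cmd.exe traversal probes that IIS worms send to every web server they find. Sorting a log into those buckets, and seeing which clients account for most of the volume, is the first check worth running before deciding whether a box was actually broken into or just logged to death. The script below is an added example, not code from the post or from the ALE list; the sample log is the set of lines quoted in the post, kept hard-wrapped the way the e-mail shows them so the parser also demonstrates re-joining wrapped entries. The probe signatures and the re-wrapping rule (a wrap happens at a space or straight after a "/") are my own assumptions.

```python
"""Triage an Apache 1.3-style error_log for scanner noise.

Added example, not part of the original ALE post.  SAMPLE_LOG reproduces the
entries quoted in the post, hard-wrapped as the e-mail shows them.  The
classification patterns below are assumptions about what to look for.
"""
import re
from collections import Counter, defaultdict

# Apache 1.3 error_log layout: [timestamp] [level] [client IP] message
ENTRY_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$"
)

# Assumption: a request for a Windows binary, or a traversal into winnt/ via
# /scripts/.., is an IIS worm/scanner probe.  On Apache it only costs log space.
IIS_PROBE_RE = re.compile(r"cmd\.exe|root\.exe|default\.ida|/winnt/|/scripts/\.\.", re.I)

# Entries quoted in the post (the last one is the "galaxy" line), still wrapped.
SAMPLE_LOG = """\
[Sun Sep  1 10:30:37 2002] [error] [client 66.77.73.236] File does not exist: /
var/www/html/robots.txt
[Mon Sep  2 01:03:47 2002] [error] [client 170.140.204.127] File does not
exist: /var/www/html/robots.txt
[Mon Sep  2 07:54:01 2002] [error] [client 24.214.140.223] Invalid method in
request /
[Sat Sep  7 17:24:30 2002] [error] [client 217.235.10.17] File does not exist:
/var/www/html/scripts/..¿Ø../winnt/system32/cmd.exe
[Sat Sep  7 20:49:42 2002] [error] [client 212.185.249.88] File does not exist:
/var/www/html/request/failed/index_failed.htm
[Sun Sep  8 01:04:20 2002] [error] [client 170.140.204.127] File does not
exist: /var/www/html/robots.txt
[Sun Sep  8 08:43:25 2002] [error] [client 200.158.124.149] Client sent
malformed Host header
[Sun Sep  8 09:08:29 2002] [error] [client 66.1.110.186] Client sent malformed
Host header
[Sun Sep  8 12:36:39 2002] [error] [client 204.253.57.44] File does not exist:
/var/www/html/scripts/..%5c%5c../winnt/system32/cmd.exe
[Mon Sep  9 01:06:03 2002] [error] [client 170.140.204.127] File does not
exist: /var/www/html/robots.txt
[Sat Sep 14 11:14:08 2002] [error] [client 216.1.217.140] File does not exist:
/var/www/html/galaxy_7171.7517
"""


def unwrap(text):
    """Re-join entries that a mail client hard-wrapped.

    Assumption: a real entry starts with '[' and anything else continues the
    previous entry; the wrap fell on a space or immediately after a '/'.
    """
    entries = []
    for raw in text.splitlines():
        if raw.startswith("["):
            entries.append(raw)
        elif entries:
            prev = entries[-1].rstrip()
            sep = "" if prev.endswith("/") else " "
            entries[-1] = prev + sep + raw.lstrip()
    return entries


def classify(msg):
    """Bucket one error message; worm probes are checked before anything else."""
    if IIS_PROBE_RE.search(msg):
        return "iis-worm-probe"
    if "robots.txt" in msg:
        return "crawler-robots"
    if "malformed Host header" in msg:
        return "malformed-host"
    if msg.startswith("Invalid method"):
        return "bad-request"
    return "other"


def triage(text):
    """Count entries per category and per client, and the bytes they cost on disk."""
    by_cat, by_client = Counter(), Counter()
    per_client = defaultdict(Counter)
    nbytes, unparsed = 0, []
    for entry in unwrap(text):
        m = ENTRY_RE.match(entry)
        if not m:
            unparsed.append(entry)      # keep anything odd for a human to look at
            continue
        cat = classify(m["msg"])
        by_cat[cat] += 1
        by_client[m["ip"]] += 1
        per_client[m["ip"]][cat] += 1
        nbytes += len(entry.encode("utf-8")) + 1   # +1 for the newline
    return {"by_category": by_cat, "by_client": by_client,
            "per_client": per_client, "bytes": nbytes, "unparsed": unparsed}


def probe_sources(text):
    """Clients that sent IIS-worm probes: the ones worth blocking or reporting."""
    return sorted(ip for ip, cats in triage(text)["per_client"].items()
                  if cats["iis-worm-probe"])


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    for cat, n in r["by_category"].most_common():
        print(f"{n:4d}  {cat}")
    print("noisiest clients:", r["by_client"].most_common(3))
    print("worm probe sources:", probe_sources(SAMPLE_LOG))
    print("bytes of log for this sample:", r["bytes"])
```

Run it against a real error_log (read the file and pass its contents to triage) and the "bytes" figure times the entries-per-day rate gives a rough idea of how fast the partition was filling; the per-client table shows whether one or two addresses did most of it. None of the categories here indicates a compromise of Apache itself; they are failed requests that the server correctly refused and then recorded.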
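On the account-recovery question in the post: a Unix account is spread over /etc/passwd (name, uid, primary gid, home, shell), /etc/shadow (the password hash and ageing fields) and /etc/group (private and shared groups), so carrying users to a reinstalled box means carrying matching rows from all three while leaving the system accounts to the fresh install. The script below is an added example, not code from the post or the ALE list. It assumes the Mandrake convention of ordinary users starting at uid/gid 500 and the usual 60000 upper bound (anything outside that range is treated as a system account); the sample file contents are constructed for illustration.

```python
"""Select locally created accounts from an old passwd/shadow/group trio so they
can be appended to a freshly installed system without collisions.

Added example, not from the original post.  Assumptions: ordinary users and
groups use ids in [UID_MIN, UID_MAX) as on Mandrake 8.0 (500 upward), and the
sample file contents are constructed, not taken from any real system.
"""
UID_MIN, UID_MAX = 500, 60000   # assumption: Mandrake-era defaults


def parse_colon_file(text):
    """Return {name: fields} for a colon-separated file, skipping blanks and comments."""
    rows = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.rstrip("\n").split(":")
            rows[fields[0]] = fields
    return rows


def is_local_id(id_str):
    try:
        return UID_MIN <= int(id_str) < UID_MAX
    except ValueError:
        return False


def local_accounts(old_passwd, old_shadow, old_group, new_passwd, new_group):
    """Return the passwd/shadow/group lines to append to the new system plus a
    list of (name, reason) for anything that needs a human decision."""
    old_users = parse_colon_file(old_passwd)
    old_hashes = parse_colon_file(old_shadow)
    old_groups = parse_colon_file(old_group)
    new_users = parse_colon_file(new_passwd)
    new_groups = parse_colon_file(new_group)
    new_uids = {f[2]: n for n, f in new_users.items()}
    new_gids = {f[2]: n for n, f in new_groups.items()}

    conflicts, carried = [], {}
    for name, f in old_users.items():
        if not is_local_id(f[2]):
            continue                      # system account; the install recreates it
        if name in new_users:
            conflicts.append((name, "account name already exists on the new system"))
        elif f[2] in new_uids:
            conflicts.append((name, f"uid {f[2]} already used by {new_uids[f[2]]} on the new system"))
        elif name not in old_hashes:
            conflicts.append((name, "no /etc/shadow entry; password hash unavailable"))
        else:
            carried[name] = f

    group_lines, carried_gids = [], set()
    known = set(carried) | set(new_users)     # valid member names after the merge
    for gname, f in old_groups.items():
        if not is_local_id(f[2]):
            continue
        if gname in old_users and gname not in carried:
            continue                      # private group of a user we are not carrying
        if gname in new_groups or f[2] in new_gids:
            conflicts.append((gname, f"group name or gid {f[2]} already taken on the new system"))
            continue
        members = [m for m in f[3].split(",") if m in known] if len(f) > 3 else []
        group_lines.append(":".join(f[:3] + [",".join(members)]))
        carried_gids.add(f[2])

    passwd_lines, shadow_lines = [], []
    for name, f in carried.items():
        if f[3] not in carried_gids and f[3] not in new_gids:
            conflicts.append((name, f"primary gid {f[3]} exists on neither system"))
            continue
        passwd_lines.append(":".join(f))
        shadow_lines.append(":".join(old_hashes[name]))   # hash travels unchanged
    return {"passwd": passwd_lines, "shadow": shadow_lines,
            "group": group_lines, "conflicts": conflicts}


# Constructed sample files: the old box and a fresh install that already has a
# user "dave" at uid 500.  alice collides on uid, carol has no shadow row.
OLD_PASSWD = """root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/bin/false
nobody:x:65534:65534:Nobody:/:/bin/false
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/bash
carol:x:502:502:Carol:/home/carol:/bin/bash
"""
OLD_SHADOW = """root:$1$salt$roothash:11900:0:99999:7:::
alice:$1$salt$alicehash:11500:0:99999:7:::
bob:$1$salt$bobhash:11600:0:99999:7:::
"""
OLD_GROUP = """root:x:0:
apache:x:48:
alice:x:500:
bob:x:501:
carol:x:502:
cytometry:x:600:alice,bob,carol,apache
"""
NEW_PASSWD = """root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/bin/false
dave:x:500:500:Dave:/home/dave:/bin/bash
"""
NEW_GROUP = """root:x:0:
apache:x:48:
dave:x:500:
"""

if __name__ == "__main__":
    result = local_accounts(OLD_PASSWD, OLD_SHADOW, OLD_GROUP, NEW_PASSWD, NEW_GROUP)
    for key in ("passwd", "shadow", "group"):
        print(f"--- append to /etc/{key}")
        print("\n".join(result[key]))
    for name, why in result["conflicts"]:
        print(f"needs attention: {name}: {why}")
```

The three output lists are meant to be appended to the new system's files (shadow with the original 0600 permissions), after which the home directories are restored with their ownership intact; the conflicts list is where uid renumbering or a password reset has to be decided by hand rather than scripted.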