Reading the Runes

Understanding web-server log files errors.

Every month, I generate a traffic report to see who is visiting my website, what areas they go to, and so on. And every month, no matter what I do, there are always a high number of faults recorded. I'm going to take a quick look at some of the more common faulty entries you might see on a typical webserver, and discuss the implications of the interesting ones.

Do not take this as a guide to what is a good thing to see in your logs and what is a bad thing to see in your logs. The best time to learn to recognise faults this way is to get to know your system's "typical" behaviour before any problems occur, so that you can spot any changes away from this normal behaviour and identify why they happened.

Please remember that all of these hits are errors. If you run a report on your website and can see a large amount of errors being generated then it could mean any number of things. It could mean your server is under attack, or it could mean someone has made a simple mistake while typing in a link to something on your site. More worrying is if you don't see something dodgy in your error logs because attempts to access it are successful. The attempts to access my webserver's command prompt below might be a little worrying, but how much more worrying would it be to see a link to that show up in my list of most visited (successful) hits?

The most popular one there is robots.txt. This is a file in the root of your domain that all good web spiders should check upon visiting a site in order to see what the website owner wants to allow them access to. This is typically used to tell search engines what parts of a site they can and cannot index. While it is considered very bad form to ignore this file, there is no way to force web spiders to obey it, it is quite possible for someone ignorant or malicious to completely ignore this file.

The next interesting one I want to mention is index.html. Now almost everyone knows what that means, and will probably have noticed that I use it, so why is it shown as an error here? Well not every folder on my site contains one of these files, so anyone blundering into a folder that doesn't contain an index.html file (or other suitable default) will get an error message. If this happens to you then consider adding an index.html file to every folder that doesn't already have a default page, with a redirection back to your website's homepage.

Next up, gmailomatic.php. I assume everyone knows what gmail is? Back in the prehistoric days when gmail invites were rare enough that people still wanted one, but not so rare that some people could not find any to spare, a few people came up with the idea of running an automated service to match inviters up with invitees. The name of the php script/page that does the work...? You guessed it! Quite why people are hitting my site looking for this page I do not know, but I suspect its nothing good.

prxjdg.cgi? No, I'm not running a "Proxy Judge" script on my website, never have done, and I'm not sure why people think I am. If you're looking for a running example of the script try this.

Next up, some good old-fashioned Microsoft technology. If you see hits for cltreq.asp and/or owssvr.dll in your logs then these are people looking to see if you're running the Microsoft Office discussions software that enabled visitors to a website to discuss the content of a page with each other while viewing the page. Kinda like a fore-runner to commenting in blogs I suppose.

Moving on, we come to an old classic. Quite a few people each month like to see if they can access your Windows-based webserver's command prompt, and go searching for cmd.exe. Some people get quite inventive in their attempts to find it too:

/scripts/..|../winnt/system32/cmd.exe,
/msadc/..|../..|../..|../winnt/system32/cmd.exe,
/PBServer/..|..|..|winnt/system32/cmd.exe,
/Rpc/..|..|..|winnt/system32/cmd.exe,
/msaDC/..|..|..|..|winnt/system32/cmd.exe,
/_vti_bin/..|..|..|..|..|../winnt/system32/cmd.exe

All attempts to access a Windows command prompt, all failed.

I'm not the only one diving into their error logs, it seems. Roger Johansson has been doing the same, with some equally interesting results.

[Discuss this in the security forum]

Top