Every now and then we get bored and look through our Apache access and error logs. Curious to see some of the things we've found?
Who got copies of the book first?
If we assume that only folks who own a copy of the book have found the password information needed to authenticate and view the source code we have available here, then the first people to get a copy came from the following areas, chronologically:
What browsers are folks using?
This is the Hacking Linux Exposed website, right? Presumably folks are interested in Linux security. I'd hope that some of these folks were using systems that were, well, secure. Heck, I'd prefer Linux. But it seems that reality is much different.
Not counting our own hits, here's the breakdown of the top user agents for the first month of this website:
58.17%  MSIE 5
26.22%  Mozilla/4
 5.80%  Mozilla/5
 2.58%  MSIE 4
 2.25%  (assorted search engine spiders)
 1.04%  Konqueror/2
 1.03%  MSIE 6
 0.80%  Wget/1.5.3
And the operating system breakdown is as follows:
73.12%  Windows
18.30%  Unix variant
 3.63%  Macintosh
 2.80%  (undefined)
 2.25%  (assorted search engine spiders)
So it seems that most people that are interested in security are sitting on Windows desktops. How paradoxical.
Amusing error logs
Some folks are obviously annoyed that we don't have directory listings available on the server, and try to get around it with some of the following attempts:
GET /sourcecode/r/.
GET /sourcecode/r/1/*
GET /sourcecode/r/3/revealing.txt.bak
GET /sourcecode/r/5/lilo.conf.*
GET /sourcecode/r/10/evil.suid.c.orig
At least they used wget, rather than a browser, to make the attempts. That earns them a bit above script kiddie.
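A detector for the probe shapes listed above, run over access-log lines in Apache combined format. This is an added example, not code from this site's authors; the sample log lines are constructed (only the request paths come from the page), and the backup suffixes beyond .bak and .orig are assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Apache combined log format:
# host ident user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$')

# Probe shapes seen in the requests quoted above. Suffixes other than
# .bak and .orig are an assumption (common editor and patch leftovers).
PROBES = [
    ("dot-segment", re.compile(r"/\.{1,2}$")),
    ("glob", re.compile(r"\*")),
    ("backup-suffix", re.compile(r"(\.(bak|orig|old|save|swp)|~)$", re.I)),
]

def classify(path):
    """Return the name of every probe pattern the request path matches."""
    path = unquote(path.split("?", 1)[0])  # drop query, decode %2a and friends
    return [name for name, rx in PROBES if rx.search(path)]

def scan(lines):
    """Yield (host, path, status, agent, reasons) for each flagged request."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and (reasons := classify(m["path"])):
            yield m["host"], m["path"], int(m["status"]), m["agent"], reasons

def by_host(lines):
    """Count flagged requests per client, broken down by probe type."""
    counts = defaultdict(Counter)
    for host, _path, _status, _agent, reasons in scan(lines):
        counts[host].update(reasons)
    return {host: dict(c) for host, c in counts.items()}

def served(lines):
    """Flagged paths the server did not refuse: these need a human look."""
    return [path for _h, path, status, _a, _r in scan(lines) if status < 400]

# Constructed sample: the paths are from the page; addresses, times,
# status codes and sizes are made up for the example.
_T = '[01/Jan/2001:10:00:0%d -0800]'
SAMPLE = [f'192.0.2.10 - - {_T % i} "GET {p} HTTP/1.0" 404 210 "-" "Wget/1.5.3"'
          for i, p in enumerate(["/sourcecode/r/.", "/sourcecode/r/1/*",
                                 "/sourcecode/r/3/revealing.txt.bak",
                                 "/sourcecode/r/5/lilo.conf.*",
                                 "/sourcecode/r/10/evil.suid.c.orig"])]
SAMPLE.append('198.51.100.7 - - [01/Jan/2001:10:05:00 -0800] "GET /index.html '
              'HTTP/1.0" 200 1532 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"')

if __name__ == "__main__":
    print(by_host(SAMPLE), served(SAMPLE))
```

An empty result from `served()` means every flagged request was refused; any path it does return is a leftover file the server actually handed out.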
Sorry. We don't have any CGIs on this site. No mod_perl, no embed perl, certainly no ASP. All our content was written with WML in vim, synced off a CVS repository. But that doesn't stop folks that want to find programs anyway, or break out of the web root. Boring attempts include:
But then there were those who launched automated scans at us, requesting the following pages amongst many others:
Well, this looks like a straightforward Whisker scan. The only confusing bit being this: Whisker is a smart CGI scanner -- it doesn't bother looking for NT things if the machine doesn't look like an NT box. Some of the hits included:
These are all specifically tagged by Whisker as Windows-specific programs. Thus they shouldn't have been tried. (Unless the 31337 h4x0r used the
So why do we still think it was a Whisker-based scan? It still tries them in the same order Whisker generally uses. So it looks like someone may have taken a great program and has removed all that made it superior to other scanners and turned it back into a generic brute-force tool. How sad.