What the HECK is this?

ericzollman · - Joined: 30 Sep 2004 Posts: 8 Location: Indiana, USA

This line keeps coming up in my access log about every 5 or 6 seconds!!!!. And my server is reciving a BUNCH of bunk hits.,

218.48.165.59 - - [30/Sep/2004:17:20:52 -0700] "OPTIONS / HTTP/1.1" 403 223

What does this line mean? I don't understand it. Why does it say OPTIONS instead of saying GET like other lines., I Understand the GET lines because they also state what the user was getting... These OPTION lines are just freaky! It's got me thinking somebody is trying to either hack my site, or attack me with a DOS attack or someting., Any info would be great...

I have shut down my server untill I understand what this is and how to stop it. Please help...
_________________
-Eric Zollman
http://infinity.r8.org
http://stoic.r8.org

Foxified · - Joined: 13 Apr 2004 Posts: 487 Location: Canada

mg66 · - Joined: 15 Aug 2004 Posts: 85 Location: USA, Illinois

I would just block the IP. Abyss beta has IP blocking or block it at your firewall.
_________________
mg66

http://sv650.metromain.net
http://photography.metromain.net
http://weather.metromain.net
http://www.metromain.net
http://www.bghi.us

Abyss Web Server X2

ericzollman · - Joined: 30 Sep 2004 Posts: 8 Location: Indiana, USA

Yea I was running version 1.2 when I noticed the problem. The Beta is not posted on the main site. You have to be a user of the forum to get the download from what I see... But the IP is blocked now.
_________________
-Eric Zollman
http://infinity.r8.org
http://stoic.r8.org

Anonymoose · - Joined: 09 Sep 2003 Posts: 2192

Just another IIS vulnerability scan. Not using IIS, so no need to worry...

TRUSTAbyss · - Joined: 29 Oct 2003 Posts: 3752 Location: USA, GA

You might want to actually do like a DNS lookup on your website and check
your log when your done , that could be the problem like Foxified was saying.

Anonymoose · - Joined: 09 Sep 2003 Posts: 2192

It isn't a DNS lookup which would be on port 53 anyway, nothing to do with the HTTP protocol. The Options is an alternative to POST or GET, as I said, likely to be a vulnerability scan for either IIS and Apache.

TRUSTAbyss · - Joined: 29 Oct 2003 Posts: 3752 Location: USA, GA

Aprelium should add a feature to reject the OPTIONS method if thats the
case because I never heard of that method in my life , now I know lol.

Anonymoose · - Joined: 09 Sep 2003 Posts: 2192

The OPTIONS method is defined in the RFC for HTTP :

http://www.ietf.org/rfc/rfc2068.txt

It is an optional feature to support, only POST and GET are required to comply with the HTTP standard in a server, but if it is not supported, there is no need for a reject option - you can see from the log the server is already returning 403/Forbidden... If it is totally unsupported it should be returning a 405 rather than 403 error I believe, but either way the result is the same - the request has no result or effect on the performance/security of Abyss.

ericzollman · - Joined: 30 Sep 2004 Posts: 8 Location: Indiana, USA

Thanx for the info everybody. I have upgraded to 2.0 Beta and blocked the IP. My only real concern was the performance of my server. I'm just runninf on a 4 Mbps connection, and the hits from that IP address with the OPTION line where coming in every 2 seconds for hours at a time! I thought it might just slow shit down hitting the server so much..,

Anyway thanx again for all the help.
_________________
-Eric Zollman
http://infinity.r8.org
http://stoic.r8.org