Weird/worrying Apache log entries

Hi guys,

Although I have an excellent hosting package for my main domain and mail, I have a subdomain pointed to my own machine which I use for hosting games, sftp, etc. I run Apache from home too, usually under Linux.

Since I added XP back to my desktop-cum-server, I've installed Apache on it. I'm on 24Mbps/1Mbps ADSL2+ behind a solid NAT/router with a true SPI firewall. I know enough about servers to get Apache set up and running, but I've found a few entries in the access log that are unusual/worrying (to me at least). I don't know the IPs involved (only mates are told about the server and it has a total disallow in robots.txt)...

Does anyone know what the heck these entries mean and why they're showing up as GET (some URL)? I was particularly confused by the ISC.SANS one as that's a security website lol

Code:
70.102.165.151 - - [22/Apr/2008:22:38:06 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226

84.179.114.251 - - [23/Apr/2008:10:32:20 +0100] "GET http://images.google.de/imghp?ie=UTF-8&oe=UTF-8&hl=de&tab=wi&q= HTTP/1.1" 404 203

125.65.112.192 - - [23/Apr/2008:17:31:49 +0100] "GET http://www.ukfinanceinfo.co.uk/prx1.php?hash=BAC4E241365A664C5751CC460050442EB98FD905EB65 HTTP/1.0" 404 206

I have quite a lot of the ukfinanceinfo.co.uk entries, and images.google.de. Why?! Sorry if this is normal and I'm being a n00b, but it didn't seem right to me. Thanks in advance for any replies :)
 
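As an added example (not part of the original thread), here is a small Python triage script for entries like the three quoted above. It parses Apache's common log format and flags two patterns a defender would want to count per source IP: requests whose target is a full URL for some other host (a client testing whether this server will act as a forward proxy, which is what the prx1.php and images.google.de lines look like) and requests containing the w00tw00t string from the first line. The sample log below is constructed for the example, modelled on the quoted entries plus one ordinary hit; the function and pattern names are the example's own.

```python
import re
from collections import Counter, defaultdict

# Apache "common" log format:
#   host ident user [time] "method target protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample log (modelled on the entries quoted in the post above).
SAMPLE_LOG = """\
70.102.165.151 - - [22/Apr/2008:22:38:06 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226
84.179.114.251 - - [23/Apr/2008:10:32:20 +0100] "GET http://images.google.de/imghp?ie=UTF-8&oe=UTF-8&hl=de&tab=wi&q= HTTP/1.1" 404 203
125.65.112.192 - - [23/Apr/2008:17:31:49 +0100] "GET http://www.ukfinanceinfo.co.uk/prx1.php?hash=BAC4E241365A664C5751CC460050442EB98FD905EB65 HTTP/1.0" 404 206
125.65.112.192 - - [23/Apr/2008:17:31:51 +0100] "GET http://www.ukfinanceinfo.co.uk/prx1.php?hash=BAC4E241365A664C5751CC460050442EB98FD905EB65 HTTP/1.0" 404 206
192.0.2.10 - - [23/Apr/2008:18:00:00 +0100] "GET /index.html HTTP/1.1" 200 1234
"""


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it
    does not match the common log format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Label a parsed entry. Only the request target is inspected."""
    target = entry["target"]
    # A normal request target is a path ("/index.html"). A full URL with a
    # scheme and host means the client asked this server to fetch a page
    # from somewhere else, i.e. it is probing for an open proxy.
    if target.lower().startswith(("http://", "https://")):
        return "open-proxy probe"
    # Fixed string seen in the first quoted log line; treat it as a
    # scanner fingerprint and count it separately.
    if "w00tw00t" in target:
        return "scanner signature"
    return "normal"


def triage(log_text):
    """Count flagged requests per source IP, grouped by label.
    Returns e.g. {"open-proxy probe": {"1.2.3.4": 2}, ...}; ordinary
    requests are not reported, unparseable lines are counted once."""
    findings = defaultdict(Counter)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            findings["unparsed"]["lines"] += 1
            continue
        kind = classify(entry)
        if kind != "normal":
            findings[kind][entry["ip"]] += 1
    return {kind: dict(counts) for kind, counts in findings.items()}


if __name__ == "__main__":
    for kind, counts in triage(SAMPLE_LOG).items():
        print(kind)
        for ip, n in sorted(counts.items(), key=lambda kv: -kv[1]):
            print(f"  {ip:16} {n}")
```

Point it at a real log with `triage(open("access.log").read())`; the per-IP counts are what you would feed into a firewall block list or a fail2ban-style rule if the same sources keep probing. Note that the 404 and 400 status codes in the quoted lines mean Apache refused both patterns, which is the outcome you want to confirm after any config change.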
Probably some script kiddie trying to do cross-site scripting vulnerabilities and/or chrooted Apache processes (make sure Apache cannot access anything above the htdocs directory).
 
Thanks for the swift reply, Dave. I've double checked and Apache is restricted solely to /htdocs and below, nothing above. Is there anything else I could add to tighten up security? Aside from specifying allowed IPs as that'd be a pain.
 
Umm, nothing that I can think of really. You could restrict entire subnets if you're only accessed by the same/similar groups of people, I suppose, but even that's a pain.

Just make sure you don't code in any cross-site scripting vulns and keep the patches etc. up to date. I made the mistake of letting my WordPress install go out of date... someone managed to change the upload directory and dumped some nasty-looking files on the server.

I updated to the latest version, locked the DB user to only that database without drop privileges etc., and all is OK again.

Also change the permissions on any files under htdocs that you don't want to be written by the website (almost all files apart from upload-type directories, usually).
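As an added example (not from the thread), a small Python audit for the permission advice above: walk the document root and list every regular file whose mode grants group or other write access, skipping directories you have deliberately allowed the site to write into (uploads). The `demo()` function builds a constructed three-file tree in a temporary directory so the audit can be run without a real htdocs; the function names and the `allowed_dirs` parameter are the example's own.

```python
import os
import stat
import tempfile


def find_writable_files(root, allowed_dirs=()):
    """Return relative paths of regular files under `root` whose mode has
    the group or other write bit set, ignoring anything under the
    directories named in `allowed_dirs` (relative to root, e.g. ("uploads",)).
    Symlinks and special files are skipped; only real files are reported."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if rel_dir == ".":
            rel_dir = ""
        # Skip the allowed upload-type directories and everything below them.
        if any(rel_dir == a or rel_dir.startswith(a + os.sep) for a in allowed_dirs):
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                hits.append(os.path.join(rel_dir, name))
    return sorted(hits)


def demo():
    """Constructed example tree: index.php is read-only for the site,
    inc/config.php was left world-writable by mistake, and uploads/ is
    allowed to be writable. Only inc/config.php should be reported."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads"))
        os.makedirs(os.path.join(root, "inc"))
        for rel, mode in [
            ("index.php", 0o644),
            ("inc/config.php", 0o666),
            ("uploads/photo.jpg", 0o666),
        ]:
            path = os.path.join(root, rel)
            with open(path, "w") as fh:
                fh.write("constructed sample file\n")
            os.chmod(path, mode)
        return find_writable_files(root, allowed_dirs=("uploads",))


if __name__ == "__main__":
    for rel in demo():
        print("writable by site:", rel)
```

This check assumes the common layout where the files are owned by your admin account and Apache runs as a different, unprivileged user, so only the group and other write bits matter. If Apache runs as the file owner (some shared-host and Windows setups), add `stat.S_IWUSR` to the mask, or better, change ownership so that the web server user does not own the code it serves.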
 