I immediately recognized that these URLs were probably common targets for the various HTTP vulnerability scanners that live on the net. Script kiddie or not, I'd just as soon take preventative action against these jokers. So that's where this idea of a snare came about. By making some relatively simple changes to your server configuration (httpd.conf) you can catch these people in the act and cut them off or report them. (Many address block administrators have abuse reporting addresses you can use).
Now you can try it out. Use your web browser of choice to request
You should receive an email shortly. If you don't, I suggest you check the mail log on your web server to see what happened to the message. Also check for the existence of /usr/sbin/sendmail which is hard-coded into the snare.cgi script.
From: snare@localhost To: undisclosed-recipients Date: Sat, 10 Nov 2001 20:55:04 -0800 (PST) Delivered-To: firstname.lastname@example.org Cracker infilitration attempt detected! Environment details follow. DOCUMENT_ROOT="/usr/local/apache/htdocs" GATEWAY_INTERFACE="CGI/1.1" PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin" QUERY_STRING="" REMOTE_ADDR="126.96.36.199" REMOTE_PORT="64475" REQUEST_METHOD="HEAD" REQUEST_URI="/piranha/secure/passwd.php3" SCRIPT_FILENAME="/www/construct/snare.cgi" SCRIPT_NAME="/piranha/secure/passwd.php3" SERVER_ADDR="188.8.131.52" SERVER_ADMIN="email@example.com" SERVER_NAME="changed to protect the innocent" SERVER_PORT="80" SERVER_PROTOCOL="HTTP/1.0" SERVER_SIGNATURE="" SERVER_SOFTWARE="Apache/1.3.20 (Unix)"
From this you can choose whether to clamp REMOTE_ADDR="184.108.40.206" from your network, notify the network administrator of that address, or whatever else you consider appropriate.
$Id: index.html,v 1.2 2003/03/07 20:10:57 mdf Exp $