
Common 404 not found errors

The following files will be requested frequently from your site.

/robots.txt

Friendly. An automated robot is asking whether it is okay to crawl your site, and if so, whether there are any paths it should stay out of.

See http://www.robotstxt.org/wc/robots.html for more information.

Recommendation: create a compliant /robots.txt file and place it on your server. Leave it empty if there are no folders that you want to protect from crawlers. Doing this will reduce your 404 error count, and doing it communicates to the robots that you are savvy. You may even get extra points in your search results ranking.


favicon.ico

Friendly. A web browser (probably Internet Explorer 5+) has bookmarked your site. This icon, if present, will be displayed in the bookmarks list.

See http://www.favicon.com/.

Recommendation: the Guardian script includes a default filter rule which handles all of these requests. Just customize the "favicon.ico" file in the "guardian/data" folder to match your site.


/MSOffice/cltreq.asp
/_vti_bin/owssvr.dll

Friendly. You're being visited by a user who has installed Microsoft Office and Internet Explorer, and who has enabled the "Discuss" toolbar in his browser. When that toolbar is enabled, the browser will automatically query for these two files when visiting each site, to determine whether the Office Server Extensions are installed.

Recommendation: do nothing. Allow the 404 errors to happen. To cut down on error reports, you may disable Guardian notification by using a custom filter rule with the "ignore: 1" action.

If you are on a Windows server, you can install Office Server Extensions (available in Office 2000) and then the /MSOffice/cltreq.asp path will contain a valid file, allowing visitors to discuss content. Wouldn't that be neat?


/_vti_bin/
/_vti_inf.html

Unknown. FrontPage authors connect to executables within the /_vti_bin/ folder. Microsoft Office applications will often make test requests to /_vti_inf.html.

These requests could be due to hostile probing, but they are more likely due to legitimate users. The requests would be made if somebody viewed your web pages within FrontPage or an Office document. You should not initiate counter-strikes because these patterns are too vague.

Recommendation: do nothing. Allow the 404 errors to happen. You may disable email-error notification by Guardian by using a custom filter rule with the "ignore: 1" action.


/sumthin

Hostile. This is a self-propagating worm that infects Linux/Apache systems with the OpenSSL vulnerability. It is suspected to be a variant of the slapper worm. The request to /sumthin is intended to get version information from the Server: response header, not to analyze the 404 response string. Versions with the OpenSSL vulnerability are then attacked.

See also:

http://www.securityfocus.com/archive/75/313283
CERT Advisory CA-2002-23 Multiple Vulnerabilities In OpenSSL

Recommendation: Review the CERT advisory and apply any needed OpenSSL patches. After doing that, ignore the reports.


formail.pl
formmail.cgi
/cgi-bin/formmail

Hostile. An aspiring spammer is searching the web for sites running old or unsecured versions of Matt Wright's formmail.

Recommendation: if you use formmail, visit http://www.scriptarchive.com/formmail.html for the latest security patches.

Otherwise, do nothing. Allow the 404 errors to happen. You may disable email-error notification by Guardian by using a custom filter rule with the "ignore: 1" action. Current versions of Guardian include an enabled rule for this by default.


/scripts/nsiislog.dll

Hostile. A probe for a buffer overrun vulnerability in the Windows 2000 IIS service.

See the CERT write-up for this vulnerability.

Recommendation: do nothing. Allow the 404 errors to happen. You may disable email-error notification by Guardian by using a custom filter rule with the "ignore: 1" action. Current versions of Guardian include an enabled rule for this by default.


default.ida

Hostile. Code Red checks for this file to exploit a buffer overflow in the IIS .ida handler. It attacks Microsoft IIS servers.

See the CERT write-up for Code Red.

Recommendation: do nothing. Allow the 404 errors to happen. You may disable email-error notification by Guardian by using a custom filter rule with the "ignore: 1" action. Current versions of Guardian include an enabled rule for this by default.


cmd.exe
root.exe

Hostile. sadmind/IIS worm. It attacks Microsoft IIS servers.

See the CERT write-up for sadmind/IIS.

Recommendation: do nothing. Allow the 404 errors to happen. You may disable email-error notification by Guardian by using a custom filter rule with the "ignore: 1" action. Current versions of Guardian include an enabled rule for this by default.


Administrators of IIS servers should frequently visit windowsupdate.com and install all service packs and patches. This will protect against the worms. If you are seeing these requests in your error log, that most likely means the exploit has failed and your system is not vulnerable. The only problem at this point is dealing with all of the automated traffic and the resulting 404 errors.
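The classification above can be applied to an access log directly. The following is an added example, not part of Guardian or of the original page: it labels each request with the Friendly/Unknown/Hostile categories listed here and counts the 404s per category. The function names, the Common Log Format input, the substring matching and the "review" list (hostile paths answered with something other than 404, a step beyond what the page covers) are assumptions of this example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Labels and path fragments come from the page; the matching logic is this example's own.
RULES = [
    ("friendly", ("/robots.txt", "favicon.ico", "/msoffice/cltreq.asp", "/_vti_bin/owssvr.dll")),
    ("unknown", ("/_vti_bin/", "/_vti_inf.html")),
    ("hostile", ("/sumthin", "formail.pl", "formmail.cgi", "/cgi-bin/formmail",
                 "/scripts/nsiislog.dll", "default.ida", "cmd.exe", "root.exe")),
]
# Common Log Format: client, identity, user, [time], "METHOD target PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3})')

def classify(target):
    path = target.split("?", 1)[0]          # the query string is not part of the match
    for _ in range(3):                      # undo nested percent-encoding before matching
        path = unquote(path)
    path = path.replace("\\", "/").lower()
    for label, fragments in RULES:          # first match wins, so owssvr.dll stays friendly
        if any(fragment in path for fragment in fragments):
            return label
    return "unlisted"

def triage(lines):
    counts, review = Counter(), []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue                        # skip lines that are not Common Log Format
        client, target, status = match.group(1), match.group(2), int(match.group(3))
        label = classify(target)
        if status == 404:
            counts[label] += 1              # the expected outcome for every path on this page
        elif label == "hostile":            # assumption: a non-404 answer deserves a manual look
            review.append((client, target, status))
    return counts, review

# Constructed sample lines (documentation IP ranges), not taken from a real log.
SAMPLE_LOG = [
    '192.0.2.11 - - [01/Jan/2003:10:00:05 +0000] "GET /_vti_bin/owssvr.dll HTTP/1.1" 404 208',
    '198.51.100.7 - - [01/Jan/2003:10:00:09 +0000] "GET /_vti_inf.html HTTP/1.1" 404 208',
    '203.0.113.5 - - [01/Jan/2003:10:00:12 +0000] "GET /scripts/cmd%252eexe HTTP/1.0" 404 208',
    '203.0.113.5 - - [01/Jan/2003:10:00:13 +0000] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 208',
    '203.0.113.9 - - [01/Jan/2003:10:00:20 +0000] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512',
    '192.0.2.10 - - [01/Jan/2003:10:00:31 +0000] "GET /old-page.html HTTP/1.0" 404 208',
]

print(triage(SAMPLE_LOG))
```

Substring matching is deliberately loose, so an unrelated page whose name happens to contain one of the fragments will be labelled too; treat the output as a sorting aid for the error report, not as proof of intent.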

For advanced options, see:


    "Common 404 not found errors"
    http://www.xav.com/scripts/guardian/help/1022.html