red herring security alert emails? :: Archived

lanmonkey · Nice poster Offline Joined: Aug 21, 2006 Posts: 64

I have edited my error.php file to send me emails whenever someone tries to access a blocked folder or file etc. but since then I keep getting lots of emails (about 150 a day) that look like this:

Code::

Error Code:	404 (File does not exist: 
/home/*******/public_html/coppermine/displayimage/album=7/favicon.ico)
Occurred:	Mon Feb 12 12:13:35 GMT 2007
Requested URL:	/coppermine/displayimage/album=7/favicon.ico

and

Code::

Error Code:	404 (File does not exist: 
/home/*******/public_html/coppermine/thumbnails/favicon.ico)
Occurred:	Mon Feb 12 12:13:34 GMT 2007
Requested URL:	/coppermine/thumbnails/favicon.ico

and

Code::

Error Code:	404 (File does not exist: 
/home/*******/public_html/Downloads/details/favicon.ico)
Occurred:	Mon Feb 12 12:20:27 GMT 2007
Requested URL:	/Downloads/details/favicon.ico

I think you get the idea. all the IP addresses in question appear to be from genuin users of the site. its appears that the users brownser is being dircted to look for "favicon.ico" in folders where it doesnt exist.

any ideas?

lanmonkey · Nice poster Offline Joined: Aug 21, 2006 Posts: 64

aditionally I also get plenty email alerts that look like the following:

Code::

Error Code:	403 (Directory index forbidden by rule: 
/home/*******/public_html/images/avatars/)
Occurred:	Mon Feb 12 11:58:46 GMT 2007
Requested URL:	/images/avatars/

again the ip addresses apper genuine.

DJ Maze

Could not find server aim2play.org

Beldak

The favicon.ico error spam happens to me also, I had to edit header.php and add BASEHREF to get them to stop.

It looked like the base dir isn't getting set correctly on some modules.

Code::

	if (file_exists($BASEHREF.'themes/'.$CPG_SESS['theme'].'/images/favicon.ico')) {
		$header .= '<link rel="shortcut icon" href="'.$BASEHREF.'themes/'.$CPG_SESS['theme'].'/images/favicon.ico" type="image/x-icon" />'."\n";
	} else if (file_exists('favicon.ico')) {
		$header .= '<link rel="shortcut icon" href="'.$BASEHREF.'favicon.ico" type="image/x-icon" />'."\n";
	}

The 403 avatar error is from having an empty avatar field but having avatar type set to say they have one. Did you upgrade from like a nuke site? If so, might need to go through db and do some cleanup.

Phoenix

hmm, error.php has its uses, but permanently on, you are equally at risk of having your mail server overloaded by malicious, frequent attacks on non-existent files/directories (been there, done that).

An alternative is to just log them, and check your log from time to time.

bart2

Beldak wrote:

The favicon.ico error spam happens to me also, I had to edit header.php and add BASEHREF to get them to stop.

Spam? I guess you just mean frequent and unwanted alerts.

To handle predictable and innocuous 404s like this, you might consider editing error.php, placing a conditional around this line

Code::

mail($notify, "[ $sitename Error: 404 ]", $message, "From: $notifyfrom");

if (!eregi('favicon', $client['request'])) {
or
if (!eregi('avatar', $client['request'])) {

or explode() a comma-delimited string which contains the various "don't bother me about these" patterns and loop through the elements as a send-mail-or-not check

Beldak

Actually I don't have the stuff emailed to me, but it "spams" up my error log Wink

But that's a good tip with the !eregi matches