> I was concerned when I saw these entries in my apache error log:
>
> [Sun May 13 12:05:09 2001] [error] [client 38.28.207.49] File does not
exist: /www/crazyguyonabike/com/htdocs/_vti_bin/shtml.exe/_vti_rpc
> (offline mode: enter name=value pairs on standard input)
>
This is from CGI.pm. CGI.pm issues this prompt when you start a script which
uses CGI.pm from the command line. So at this location a script is called
that uses CGI.pm (Embperl only uses CGI.pm when the Content-Type of the
request is multipart/formdata) and for whatever reason CGI.pm doesn't
realizeses that it is called from the http server.
> What's this offline mode stuff? Is that embperl? The file requested has
nothing to do with my system, so I can understand it not being found.
> But the offline message unnerved me.
> And here are the apache access log entries from around the same time:
>
> 38.28.207.49 - - [13/May/2001:12:05:04 -0400] "OPTIONS
/community/boards/post HTTP/1.1" 301 362
> 38.28.207.49 - - [13/May/2001:12:05:06 -0400] "GET /_vti_inf.html
HTTP/1.1" 301 2625
> 38.28.207.49 - - [13/May/2001:12:05:09 -0400] "POST
/_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 301 2625
> 38.28.207.49 - - [13/May/2001:12:05:11 -0400] "OPTIONS
/community/boards/post/?pics=small&tour_id=27&board_id=120&command=add
HTTP/1.1" 200 4713
> 38.28.207.49 - - [13/May/2001:12:05:12 -0400] "GET
/community/boards/post/?pics=small&tour_id=27&board_id=120&command=add
HTTP/1.1" 200 4713
>
Is is a typical sequence that shows up when you try to open a page with MS
Webfolders or MSWord 2000.
> I have to admit, I have never seen an HTTP command named "OPTIONS".
The OPTIONS gives information about what your webserver supports. In this
case MSxxx what's to know if you webserver supports webdav (a protocol for
writing on the webserver), since you doesn't seem to support it, it looks
for MS FrontPage Server extentions (everything starting with _vti_ if
FrontPage), after both isn't found it issuses a normal GET request.
> The weird thing is, these entries do seem to correspond to a real message
which has been posted on my message board.
> Has anyone else seen this kind of thing?
> Any clues on whether I should be worried? Tripwire didn't pick up any
intrusion, but I am still curious,
> both about that "offline mode" thing and the OPTIONS command.
>
I don't think there is much to worry about. I guess somebody has opend your
page with MS Word. The only interesting thing for me, would be why CGI.pm
think it's started form the command line
Gerald
-------------------------------------------------------------
Gerald Richter ecos electronic communication services gmbh
Internetconnect * Webserver/-design/-datenbanken * Consulting
Post: Tulpenstrasse 5 D-55276 Dienheim b. Mainz
E-Mail: [EMAIL PROTECTED] Voice: +49 6133 925131
WWW: http://www.ecos.de Fax: +49 6133 925152
-------------------------------------------------------------
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
