LinuxQuestions.org
Old 07-26-2004, 05:03 AM   #1
hoedad
LQ Newbie
 
Registered: Jul 2004
Posts: 4

Rep: Reputation: 0
suspicious log activity


This type of activity has been showing up in my Apache log by the hundreds (300+ such episodes a day). What does it mean? Seems someone is hijacking the server to try to log on to Yahoo Messenger, or am I just being paranoid?

This board won't let me post the actual log as it contains URLs and I'm a newbie here, but the URLs (preceded by GET the full URL) lead to a failed Yahoo Messenger login page.

Any thoughts?

Last edited by hoedad; 07-26-2004 at 05:04 AM.
 
Old 07-26-2004, 08:02 AM   #2
trickykid
LQ Guru
 
Registered: Jan 2001
Posts: 24,149

Rep: Reputation: 234
You'll need to post them up. To get around the URLs, just simply take out the http:// or www. portions, etc.
 
Old 07-26-2004, 08:28 AM   #3
hoedad
LQ Newbie
 
Registered: Jul 2004
Posts: 4

Original Poster
Rep: Reputation: 0
I'll give it a try. Here are 3 samples from over 300 in yesterday's log. http// has been deleted in the following:

GET login.india.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=gabe__p&passwd=allegro HTTP/1.0 with response code(s) 404
GET w4.edit.tpe.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=fine__thang43f&passwd=abby HTTP/1.0 with response code(s) 404
GET e8.edit.cnb.yahoo.com/config/login?.yplus=&.partner=&login=totalbitch&passwd='123 (123) HTTP/1.0 with response code(s) 404

Last edited by hoedad; 07-26-2004 at 08:29 AM.
 
Old 07-26-2004, 08:33 AM   #4
trickykid
LQ Guru
 
Registered: Jan 2001
Posts: 24,149

Rep: Reputation: 234
As long as they're not logging into your site with the apparent login credentials they are trying, no worries really. Probably and mainly just a virus or such that is used against IIS servers.
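
Added example, not part of the thread or any poster's code: the sample entries above carry a full URL for a third-party host in the request line, which is the form a client sends to a proxy. This Python script flags such requests in an Apache access log (and, going beyond the samples, CONNECT requests) and separates refused ones from ones answered with 2xx/3xx; the hostnames, IPs, credential key names and log lines are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

OWN_HOSTS = {"www.example.org", "example.org"}  # assumption: names this server serves
CRED_KEYS = {"login", "passwd", "password"}     # query keys that carry credentials

# Apache common/combined format: client ident user [time] "request" status size ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) ')

# Constructed sample lines (documentation IP ranges, placeholder credentials).
SAMPLE = [
    '192.0.2.10 - - [25/Jul/2004:03:12:01 -0500] "GET http://login.example.net/config/login?.tries=1&login=USER&passwd=REDACTED HTTP/1.0" 404 291 "-" "-"',
    '192.0.2.10 - - [25/Jul/2004:03:12:02 -0500] "GET http://edit.example.net/config/login?login=USER&passwd=REDACTED HTTP/1.0" 404 291 "-" "-"',
    '198.51.100.7 - - [25/Jul/2004:03:15:40 -0500] "CONNECT mail.example.net:25 HTTP/1.0" 200 - "-" "-"',
    '203.0.113.5 - - [25/Jul/2004:03:16:00 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"',
]

def classify(line):
    """Return None for ordinary requests, else details of a proxy-style request."""
    m = LINE_RE.match(line)
    if not m:
        return None
    method, target, status = m["method"], m["target"], int(m["status"])
    if method == "CONNECT":                      # authority-form: host:port
        host, query = target.rsplit(":", 1)[0], ""
    elif "://" in target.split("?", 1)[0]:       # absolute-form: scheme://host/path
        try:
            parts = urlsplit(target)
        except ValueError:                       # malformed authority: skip the line
            return None
        host, query = parts.hostname or "", parts.query
    else:
        return None                              # origin-form: normal request
    if host.lower() in OWN_HOSTS:
        return None
    creds = bool(CRED_KEYS.intersection(parse_qs(query, keep_blank_values=True)))
    # A 2xx/3xx status means the request was answered or relayed, not refused.
    return {"client": m["client"], "host": host.lower(), "status": status,
            "relayed": 200 <= status < 400, "has_credentials": creds}

def summarize(lines):
    """Return (proxy-style requests per client, clients that got a 2xx/3xx)."""
    hits = [h for h in map(classify, lines) if h]
    per_client = Counter(h["client"] for h in hits)
    return per_client, sorted({h["client"] for h in hits if h["relayed"]})
```

Calling `summarize(open("access_log"))` on a real log gives the per-client counts; any client in the second list received a success or redirect for a foreign host, which is the case to check against the server's proxy configuration.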
 
  


All times are GMT -5.