Linux - Security
This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Apache log format can vary, but looks like yours follows the standard Redhat Apache format:
Remotehost -- Date&Time -- First_line_of_Request -- HTTP_Status_Code -- Content_Length_of_Reply -- Referer -- User_Agent
As far as what you are seeing in the log itself, that looks like a Nimda scan. Nimda is a fairly common worm that packages a number of Windows exploits in an automated scan in an attempt to infect unpatched Windows boxes (btw, those vulnerabilities are so old that it is ridiculous and the admin of that machine should be summarily shot). Apache is not vulnerable to any of the exploits used by Nimda. In general, if you see the string cmd.exe it is usually a good tip-off that it is a Windows exploit. You can read more about Nimda here:
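Added example, not code from the thread or from either poster: a small Python parser for the combined log layout quoted above, run over constructed sample lines, that applies the cmd.exe heuristic from the reply (extended with root.exe, the other Nimda probe target, and default.ida, the Code Red probe that comes up later in the thread) and counts probes per source host. The log lines, IP addresses, timestamps and user-agent string are all made up for the demonstration.

```python
import re
from collections import Counter

# Apache "combined" log format, the layout quoted in the thread:
# remotehost ident authuser [date] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

# Request-path patterns typical of Windows/IIS worm probes. cmd.exe is the
# tell-tale named in the reply; root.exe is the other file Nimda asks for and
# default.ida is the Code Red probe. Case-insensitive because the probes mix
# cases (/winnt/system32/cmd.exe vs /WINNT/...).
WORM_SIGNATURES = {
    "nimda": re.compile(r'(cmd\.exe|root\.exe)', re.IGNORECASE),
    "codered": re.compile(r'/default\.ida', re.IGNORECASE),
}

# Constructed sample log lines (hosts, times and user agent are invented).
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2004:10:15:02 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281 "-" "-"
10.0.0.5 - - [12/May/2004:10:15:02 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-"
10.0.0.5 - - [12/May/2004:10:15:03 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310 "-" "-"
10.0.0.9 - - [12/May/2004:11:02:40 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 279 "-" "-"
192.168.1.20 - - [12/May/2004:12:30:11 -0400] "GET /index.html HTTP/1.1" 200 1473 "-" "Opera/7.23 (X11; Linux i686; U)"
192.168.1.20 - - [12/May/2004:12:30:11 -0400] "GET /favicon.ico HTTP/1.1" 404 286 "-" "Opera/7.23 (X11; Linux i686; U)"
"""


def parse_line(line):
    """Split one log line into its fields; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # The request line is "METHOD PATH PROTOCOL"; keep method and path separately.
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Label a parsed record: a worm signature name, 'favicon', or 'normal'."""
    for name, sig in WORM_SIGNATURES.items():
        if sig.search(rec["path"]):
            return name
    # Browsers fetch /favicon.ico on their own; a 404 for it is harmless noise.
    if rec["path"].lower() == "/favicon.ico":
        return "favicon"
    return "normal"


def scan_log(text):
    """Return (host, path, label) for every parseable line in the log text."""
    results = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in some other format rather than crash
        results.append((rec["host"], rec["path"], classify(rec)))
    return results


def probes_per_host(text):
    """Count worm probes per source address, the list you would hand to a firewall."""
    counts = Counter()
    for host, _path, label in scan_log(text):
        if label in WORM_SIGNATURES:
            counts[host] += 1
    return dict(counts)


if __name__ == "__main__":
    for host, path, label in scan_log(SAMPLE_LOG):
        print(f"{label:8s} {host:14s} {path}")
    print(probes_per_host(SAMPLE_LOG))
```

Note that the probe lines all come back 404 from Apache, which is the point made above: the scanner is asking for IIS paths that do not exist on this server, so the entries are evidence of a noisy neighbour, not of a compromise.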
Thank you for the help. Any clue what the /var/www/html/favicon.ico is referring to?
I have double-checked all of my HTML, and my entire /var/www/html directory, and that .ico file, picture or whatever it is, does not exist. Why would a browser be looking for something that is not in the HTML code to tell it to look for?
That's probably some other kind of automated scan; I think I've seen that one before too. A lot of what shows up in the logs is Windows exploits (I still see Code Red once in a while), so you shouldn't get too worried. Don't get lax though.
The favicon.ico thing is a normal request from most modern browsers. If you access this page with Mozilla Firefox 0.8 for instance and see the little Tux up next to the http://........ that's this sites favicon.ico. It doesn't have to be in the page anywhere for the browser to request it, they just do all by themselves. So that log entry was probably just your own Opera doing its thing.
In my browser, and I assume your Opera too if you point it here, up in the address bar, to the left of http://www.linuxquestions.org/........ etc. there's a little tiny picture of Tux the linux penguin. That's the favicon.ico loaded from this site.
You would have figured everyone would have patched their systems by now and that would have stopped it travelling the world. Oh well. Stupid people = more viruses to spread around.
I know what you're saying. I even see Code Red sometimes, and that thing is ancient. People who have broadband connections like cable and don't patch their machines pose a pretty serious problem.
Well, consider this though. Some companies have thousands of systems running, many of them breaking down all the time. They have to be reloaded, patched, hardened, and generally reconfigured by techs. Many techs are lazy, or careless, and don't bother or know to install the patches. Also, thousands of Windows home users don't even know what Code Red or Nimda is, or even what a worm is, and probably don't even know how to use Windows Update to patch it. That is where the problem is.
Well, that was exactly what I was getting at. Most of the IPs that launch these attacks are from ranges that are often used by broadband services, like Road Runner and Comcast, and if you don't patch these boxes they almost certainly will be doing something bad. You're right, if I were to ask people what Nimda was, 9 out of 10 wouldn't know what I'm talking about. Now a lot of people complain about the new Windows initiative to have the operating system automatically patch itself, but to tell you the truth, I think it's a good idea. Most simply refuse to patch them, so I think they should automatically be patched, without any user input. Someone I know is running a Windows box without AV and a firewall, downloads crap on Kazaa, and then she tells me that she's never been hacked or got a virus. I'm sure. If nobody cares enough to patch their boxes, well, I guess Bill is going to have to do it for them.