LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
LinkBack Search this Thread
Old 09-07-2007, 01:23 AM   #1
shanya
LQ Newbie
 
Registered: May 2007
Distribution: redhat,CentOS
Posts: 4

Rep: Reputation: 0
Unhappy hacker attack my webserver?


first thing,thanks for win32sux.
the mod_security2 is ok.

in my apache access logs.I am find under logs.

what means this?attack?


71.92.67.11 - - [03/Aug/2007:04:32:34 +0800] "GET / HTTP/1.1" 200 1456
68.102.148.23 - - [03/Aug/2007:04:48:45 +0800] "GET / HTTP/1.1" 200 1456
219.89.195.22 - - [03/Aug/2007:04:53:38 +0800] "GET / HTTP/1.1" 200 1456
172.192.252.178 - - [03/Aug/2007:04:56:42 +0800] "GET / HTTP/1.1" 200 1456
72.243.145.31 - - [03/Aug/2007:05:01:00 +0800] "GET / HTTP/1.1" 200 1456
67.132.13.146 - - [03/Aug/2007:05:04:49 +0800] "GET / HTTP/1.1" 200 1456
116.121.107.198 - - [03/Aug/2007:05:19:48 +0800] "GET / HTTP/1.1" 200 1456
..................
68.189.6.27 - - [03/Aug/2007:16:05:06 +0800] "GET / HTTP/1.1" 200 437
220.226.233.188 - - [03/Aug/2007:16:06:08 +0800] "GET / HTTP/1.1" 200 437
72.161.44.253 - - [03/Aug/2007:16:06:12 +0800] "GET / HTTP/1.1" 200 437
221.169.244.153 - - [03/Aug/2007:16:10:12 +0800] "GET / HTTP/1.1" 200 437
.................
57.250.245.249 - - [03/Sep/2007:06:58:32 +0800] "GET / HTTP/1.1" 200 97
86.0.51.82 - - [03/Sep/2007:07:01:19 +0800] "GET / HTTP/1.1" 200 97
207.235.120.172 - - [03/Sep/2007:07:02:03 +0800] "GET / HTTP/1.1" 200 97
142.177.25.185 - - [03/Sep/2007:07:02:15 +0800] "GET / HTTP/1.1" 200 97
205.158.116.232 - - [03/Sep/2007:07:02:42 +0800] "GET / HTTP/1.1" 200 97
210.83.227.5 - - [05/Sep/2007:02:37:47 +0800] "GET /NULL.printer HTTP/1.0 " 404
291
210.83.227.5 - - [05/Sep/2007:02:37:50 +0800] "GET /NULL.IDA?CCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC%u0aeb뢐�矮
000莋䂋դŐ邐=x&\x90\x90\x90\x
90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x
90\x90\x90\x90\x90\x90\x90\x90\x90\xeb\t\x90\x90\x90_\xeb
....................

212.72.162.197 - - [04/Aug/2007:19:53:53 +0800] "POST /xmlrpc.php HTTP/1.1" 404
286
212.72.162.197 - - [04/Aug/2007:19:53:55 +0800] "POST /blog/xmlrpc.php HTTP/1.1"
404 291
212.72.162.197 - - [04/Aug/2007:19:53:59 +0800] "POST /blogs/xmlsrv/xmlrpc.php H
TTP/1.1" 404 299
212.72.162.197 - - [04/Aug/2007:19:53:59 +0800] "POST /blog/xmlsrv/xmlrpc.php HT
TP/1.1" 404 298
212.72.162.197 - - [04/Aug/2007:19:54:03 +0800] "POST /drupal/xmlrpc.php HTTP/1.
1" 404 293

Last edited by shanya; 09-07-2007 at 01:26 AM.
 
Old 09-07-2007, 03:59 AM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally Posted by shanya View Post
Code:
210.83.227.5 - - [05/Sep/2007:02:37:47 +0800] "GET /NULL.printer HTTP/1.0 " 404 
291
210.83.227.5 - - [05/Sep/2007:02:37:50 +0800] "GET /NULL.IDA?CCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC%u0aeb뢐�矮
000莋”䂋դŐ邐=x&\x90\x90\x90\x
90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x
90\x90\x90\x90\x90\x90\x90\x90\x90\xeb\t\x90\x90\x90_\xeb
This IP has tried a Microsoft IIS buffer overflow exploit on your server.

It's actually a pretty common sight.

Last edited by win32sux; 09-07-2007 at 05:39 PM. Reason: Added Wikipedia link.
 
Old 09-07-2007, 08:04 AM   #3
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 781
Blog Entries: 8

Rep: Reputation: 157Reputation: 157
Quote:
Originally Posted by shanya View Post
first thing,thanks for win32sux.
the mod_security2 is ok.

212.72.162.197 - - [04/Aug/2007:19:53:53 +0800] "POST /xmlrpc.php HTTP/1.1" 404
286
212.72.162.197 - - [04/Aug/2007:19:53:55 +0800] "POST /blog/xmlrpc.php HTTP/1.1"
404 291
212.72.162.197 - - [04/Aug/2007:19:53:59 +0800] "POST /blogs/xmlsrv/xmlrpc.php H
TTP/1.1" 404 299
212.72.162.197 - - [04/Aug/2007:19:53:59 +0800] "POST /blog/xmlsrv/xmlrpc.php HT
TP/1.1" 404 298
212.72.162.197 - - [04/Aug/2007:19:54:03 +0800] "POST /drupal/xmlrpc.php HTTP/1.
1" 404 293
The above is a lupper-style attack (see http://vil.nai.com/vil/content/v_136821.htm for a description, variants...). These are also common, but affects sites that serve dynamic content. Unless you run a site with a PHP backend, this traffic shouldn't warrant concern, IMO. In my case, I tell modsecurity to respond to requests for PHP content with a 404 HTTP code.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Suspected Weekend Hacker Attack on Ubuntu LXer Syndicated Linux News 0 07-23-2006 12:21 PM
Apparent hacker Attack lenlutz Linux - Security 2 10-14-2005 08:10 AM
Hacker attack carrion Linux - Security 11 08-23-2004 02:03 PM
hacker attack? firestomper41 Mandriva 8 05-09-2004 04:35 PM
hacker attack? zetsui Linux - General 4 08-04-2003 06:03 AM


All times are GMT -5. The time now is 02:36 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration