LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 03-30-2012, 03:04 AM   #1
ramecare
Member
 
Registered: Feb 2011
Posts: 179

Rep: Reputation: 0
Server log


Dear all,

In my server I am seeing the below log in /var/log/messages and I doubt that some unauthorized user is accessing my server. Can anyone explain the below log?

/var/log/messages

Mar 29 18:21:33 p2234270 zmeu: gethostby*.getanswer: asked for "ip134.67-202-114.static.steadfast.net IN A", got type "39"
Mar 29 18:21:33 p2234270 zmeu: gethostby*.getanswer: asked for "ip52.67-202-124.static.steadfast.net IN A", got type "39"

In /var/log/httpd/access_log

207.44.254.242 - - [30/Mar/2012:02:48:36 -0500] "GET /cs/Satellite/index.html HTTP/1.0" 403 302 "-" "-"
207.44.254.242 - - [30/Mar/2012:02:51:05 -0500] "GET /.ba/ba.php HTTP/1.0" 403 298 "-" "-"
127.0.0.1 - - [30/Mar/2012:02:03:42 -0500] "GET //mysqladmin/scripts/setup.php HTTP/1.1" 403 255 "-" "-"
127.0.0.1 - - [30/Mar/2012:02:03:42 -0500] "GET //pHpMyAdMiN/scripts/setup.php HTTP/1.1" 403 255 "-" "-"
127.0.0.1 - - [30/Mar/2012:02:03:42 -0500] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 403 253 "-" "-"
127.0.0.1 - - [30/Mar/2012:02:03:42 -0500] "GET //phpMyAdmin1/scripts/setup.php HTTP/1.1" 403 255 "-" "-"
127.0.0.1 - - [30/Mar/2012:02:03:43 -0500] "GET //phpmy/scripts/setup.php HTTP/1.1" 403 250 "-" "-"
127.0.0.1 - - [30/Mar/2012:02:03:43 -0500] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 251 "-" "-"
127.0.0.1 - - [30/Mar/2012:02:03:43 -0500] "GET //dbadmin/scripts/setup.php HTTP/1.1" 403 252 "-" "-"
127.0.0.1 - - [30/Mar/2012:02:03:43 -0500] "GET //MySQLAdmin/scripts/setup.php HTTP/1.1" 403 256 "-" "-"
127.0.0.1 - - [30/Mar/2012:02:03:43 -0500] "GET //SQL/scripts/setup.php HTTP/1.1" 403 250 "-" "-"
127.0.0.1 - - [30/Mar/2012:02:03:43 -0500] "GET //web/phpmyadmin/scripts/setup.php HTTP/1.1" 403 257 "-" "-"
::1 - - [30/Mar/2012:02:03:44 -0500] "OPTIONS * HTTP/1.0" 403 297 "-" "Apache/2.2.3 (CentOS) (internal dummy connection)"
::1 - - [30/Mar/2012:02:03:45 -0500] "OPTIONS * HTTP/1.0" 403 297 "-" "Apache/2.2.3 (CentOS) (internal dummy connection)"
::1 - - [30/Mar/2012:02:03:46 -0500] "OPTIONS * HTTP/1.0" 403 297 "-" "Apache/2.2.3 (CentOS) (internal dummy connection)
66.150.14.182 - - [30/Mar/2012:01:54:40 -0500] "GET /ATutor/content/paypallogin/de/webscr.htm?cmd=SignIn&co_partnerId=2&pUserId=&siteid=0&pageType=&pa1=&i1=&bshowgif=&UsingSSL=&ru=&pp =&pa2=&errmsg=&runameMessage-ID: HTTP/1.1" 403 319 "-" "Mozilla/6.0 (compatible; MSIE 7.01; Windows NT)"
99.41.69.231 - - [30/Mar/2012:02:46:35 -0500] "GET /.ii/ii.php HTTP/1.1" 403 299 "-" "curl/7.18.0 (x86_64-pc-linux-gnu) libcurl/7.18.0 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.1"
207.44.254.242 - - [30/Mar/2012:02:48:36 -0500] "GET /cs/Satellite/index.html HTTP/1.0" 403 302 "-" "-"
207.44.254.242 - - [30/Mar/2012:02:51:05 -0500] "GET /.ba/ba.php HTTP/1.0" 403 298 "-" "-"
61.139.105.164 - - [30/Mar/2012:03:06:14 -0500] "GET http://proxyjudge3.proxyfire.net/fastenv HTTP/1.1" 403 299 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"

127.0.0.1 - - [30/Mar/2012:03:10:33 -0500] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 403 250 "-" "-"
127.0.0.1 - - [30/Mar/2012:03:10:33 -0500] "GET //phpMyAdmin1/scripts/setup.php HTTP/1.1" 403 251 "-" "-"
127.0.0.1 - - [30/Mar/2012:03:10:33 -0500] "GET //phpMyAdmin2/scripts/setup.php HTTP/1.1" 403 251 "-" "-"
127.0.0.1 - - [30/Mar/2012:03:10:33 -0500] "GET //phpadmin/scripts/setup.php HTTP/1.1" 403 248 "-" "-"
127.0.0.1 - - [30/Mar/2012:03:10:33 -0500] "GET //phpmy/scripts/setup.php HTTP/1.1" 403 246 "-" "-"
127.0.0.1 - - [30/Mar/2012:03:10:33 -0500] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 246 "-" "-"
127.0.0.1 - - [30/Mar/2012:03:10:33 -0500] "GET //pma/scripts/setup.php HTTP/1.1" 403 245 "-" "-"
127.0.0.1 - - [30/Mar/2012:03:10:33 -0500] "GET //phpAdmin/scripts/setup.php HTTP/1.1" 403 248 "-" "-"
127.0.0.1 - - [30/Mar/2012:03:10:33 -0500] "GET //dbadmin/scripts/setup.php HTTP/1.1" 403 248 "-" "-"
127.0.0.1 - - [30/Mar/2012:03:10:33 -0500] "GET //MySQLAdmin/scripts/setup.php HTTP/1.1" 403 252 "-" "-"
127.0.0.1 - - [30/Mar/2012:03:10:33 -0500] "GET //MyAdmin/scripts/setup.php HTTP/1.1" 403 249 "-" "-"
127.0.0.1 - - [30/Mar/2012:03:10:33 -0500] "GET //sql/scripts/setup.php HTTP/1.1" 403 246 "-" "-"
127.0.0.1 - - [30/Mar/2012:03:10:33 -0500] "GET //SQL/scripts/setup.php HTTP/1.1" 403 246 "-" "-"
127.0.0.1 - - [30/Mar/2012:03:10:33 -0500] "GET //web/phpmyadmin/scripts/setup.php HTTP/1.1" 403 253 "-" "-"
127.0.0.1 - - [30/Mar/2012:03:10:33 -0500] "GET //dbg/scripts/setup.php HTTP/1.1" 403 246 "-" "-"
127.0.0.1 - - [30/Mar/2012:03:10:33 -0500] "GET //libs/scripts/setup.php HTTP/1.1" 403 246 "-" "-"
::1 - - [30/Mar/2012:03:10:34 -0500] "OPTIONS * HTTP/1.0" 403 297 "-" "Apache/2.2.3 (CentOS) (internal dummy connection)"
::1 - - [30/Mar/2012:03:10:35 -0500] "OPTIONS * HTTP/1.0" 403 297 "-" "Apache/2.2.3 (CentOS) (internal dummy connection)"
::1 - - [30/Mar/2012:03:10:36 -0500] "OPTIONS * HTTP/1.0" 403 297 "-" "Apache/2.2.3 (CentOS) (internal dummy connection)"



On my server I have not installed php and phpmyadmin, but somebody is accessing my server with phpmyadmin. Can anyone explain the above access_log and messages log?

Thanks,

Last edited by ramecare; 03-30-2012 at 03:25 AM.
 
Old 03-30-2012, 03:27 AM   #2
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 3,475

Rep: Reputation: 1553
All this kind of stuff is standard in the log files for anyone running a public facing web server; the internet is full of little skript kiddiez trying to exploit servers.

Failed access attempts since Monday on my main server:

Code:
# grep "Failed password" /var/log/secure | wc -l
28260

Last edited by TenTenths; 03-30-2012 at 03:33 AM.
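The one-liner above only gives a total. As an added example (not TenTenths' code), the script below parses the same `Failed password` lines from /var/log/secure and breaks the count down by source address and by attempted user name, which is what you need in order to decide which sources to rate-limit or block. The log lines embedded in it are constructed samples using documentation address ranges, and the function and field names are my own.

```python
import re
from collections import Counter

# Shape of sshd "Failed password" lines in /var/log/secure on CentOS/RHEL:
#   <Mon DD HH:MM:SS> <host> sshd[<pid>]: Failed password for [invalid user ]<user> from <ip> port <port> ssh2
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

# Constructed sample of /var/log/secure; addresses are from RFC 5737 documentation ranges
SAMPLE_SECURE = """\
Mar 26 04:12:01 web1 sshd[2111]: Failed password for root from 192.0.2.10 port 51234 ssh2
Mar 26 04:12:03 web1 sshd[2113]: Failed password for invalid user admin from 192.0.2.10 port 51240 ssh2
Mar 26 04:12:05 web1 sshd[2115]: Failed password for invalid user oracle from 192.0.2.10 port 51250 ssh2
Mar 26 04:15:00 web1 sshd[2201]: Failed password for root from 198.51.100.7 port 4022 ssh2
Mar 26 04:20:00 web1 sshd[2300]: Accepted publickey for deploy from 203.0.113.5 port 5000 ssh2
Mar 27 01:02:03 web1 sshd[2400]: Failed password for invalid user test from 198.51.100.7 port 4100 ssh2
"""


def failed_password_stats(text, min_attempts=1):
    """Like `grep "Failed password" | wc -l`, but also broken down by source IP and user.

    Returns a dict with the total, a Counter per source IP, a Counter per user name,
    how many attempts targeted accounts that do not exist ("invalid user"), and the
    sources that reached min_attempts failures (candidates for a firewall deny list).
    """
    per_ip = Counter()
    per_user = Counter()
    invalid_users = 0
    total = 0
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # "Accepted ..." and unrelated lines are ignored
        total += 1
        per_ip[m["ip"]] += 1
        per_user[m["user"]] += 1
        if m["invalid"]:
            invalid_users += 1
    noisy = {ip: n for ip, n in per_ip.items() if n >= min_attempts}
    return {
        "total": total,
        "per_ip": per_ip,
        "per_user": per_user,
        "invalid_users": invalid_users,
        "noisy_sources": noisy,
    }


if __name__ == "__main__":
    # On a real box: failed_password_stats(open("/var/log/secure").read(), min_attempts=20)
    stats = failed_password_stats(SAMPLE_SECURE, min_attempts=2)
    print("total failed:", stats["total"])
    for ip, n in stats["per_ip"].most_common():
        print(f"{ip:16} {n}")
    print("invalid-user attempts:", stats["invalid_users"])
    print("sources at/over threshold:", stats["noisy_sources"])
```

A high share of "invalid user" attempts against names like admin, oracle or test is the signature of a dictionary scan rather than someone who knows your accounts; the per-source counts are what you would feed to a tool like fail2ban or a firewall rule.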
 
Old 03-30-2012, 03:47 AM   #3
colucix
LQ Guru
 
Registered: Sep 2003
Location: Bologna
Distribution: CentOS 6.5 OpenSuSE 12.3
Posts: 10,509

Rep: Reputation: 1983
Moved: This thread is more suitable in Linux - Security and has been moved accordingly to help your thread/question get the exposure it deserves.
 
Old 03-30-2012, 03:53 AM   #4
ramecare
Member
 
Registered: Feb 2011
Posts: 179

Original Poster
Rep: Reputation: 0
I cannot understand. Can you please explain?

Thanks,
 
Old 03-30-2012, 04:23 AM   #5
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
There's nothing to explain. It's just noise from trojans on other machines etc. Keep your system secure and just laugh at them.
 
Old 03-30-2012, 04:28 AM   #6
ramecare
Member
 
Registered: Feb 2011
Posts: 179

Original Poster
Rep: Reputation: 0
How can a virus enter into the server?
 
Old 03-30-2012, 04:33 AM   #7
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
huh? where did anyone say there was a virus on your server?
 
Old 03-30-2012, 08:04 AM   #8
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
For the most part those entries are simply records of what was asked for from your server. When someone makes a connection, they typically use the HTTP GET method. There are other commands in HTTP such as OPTIONS, PUT, and HEAD. Notice that you have an entry trying to use the OPTIONS command too. One of the key pieces of information in the log entry is the response code, which follows the request. In most of your example entries, the code is 403, which means Forbidden.

Trying to access PhpMyAdmin is very common and there are undoubtedly many automated scripts and worms looking for sites that allow it to face the public so that they can try to exploit it. To give you an example, here is a snippet from one of my servers:
Code:
58.30.6.85 - - [21/Mar/2012:15:11:22 -0400] "GET /admin/phpmyadmin/index.php HTTP/1.1" 404 224
58.30.6.85 - - [21/Mar/2012:15:11:25 -0400] "GET /typo3/phpmyadmin/index.php HTTP/1.1" 404 224
58.30.6.85 - - [21/Mar/2012:15:11:26 -0400] "GET /phpMyAdmin/index.php HTTP/1.1" 404 218
58.30.6.85 - - [21/Mar/2012:15:11:27 -0400] "GET /phpmyadmin/index.php HTTP/1.1" 404 218
58.30.6.85 - - [21/Mar/2012:15:11:27 -0400] "GET /phpmyadmin1/index.php HTTP/1.1" 404 219
211.68.122.12 - - [29/Mar/2012:15:46:56 -0400] "GET /admin/phpmyadmin/index.php HTTP/1.1" 404 224
211.68.122.12 - - [29/Mar/2012:15:47:06 -0400] "GET /typo3/phpmyadmin/index.php HTTP/1.1" 404 224
211.68.122.12 - - [29/Mar/2012:15:47:09 -0400] "GET /phpMyAdmin/index.php HTTP/1.1" 404 218

From your logs, there are two things that are slightly troubling to me, at least to where I would recommend looking for them. One, the fact that the access is coming from 127.0.0.1. This means that something is executing on THAT MACHINE and is trying to access the myadmin site. Two, the fact that you are returning a 403 error code, which means Forbidden, instead of 404 - Not Found, when you say that you do not have PhpMyAdmin installed. I would suggest that you, one, determine what is executing on that machine or is using it as a proxy and trying to access it, and two, verify that it is not installed and confirm that 403 - Forbidden is the intended response code. The event logs seem to indicate that it is installed on the server and someone has taken steps to protect the resource.
 
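To make the two checks in the post above mechanical, here is an added example (not Noway2's code and not anything from the original poster's server): a small parser for Apache's combined log format that skips Apache's own "internal dummy connection" entries, lists every request that came from a loopback address, and tallies the status codes returned for the `scripts/setup.php` probes so that a 403-versus-404 difference is visible at a glance. The log lines embedded in it are constructed samples modelled on the entries quoted in the thread, and the function names are my own.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Constructed sample access_log, modelled on the lines quoted in the thread
SAMPLE_LOG = """\
207.44.254.242 - - [30/Mar/2012:02:51:05 -0500] "GET /.ba/ba.php HTTP/1.0" 403 298 "-" "-"
127.0.0.1 - - [30/Mar/2012:02:03:42 -0500] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 403 253 "-" "-"
127.0.0.1 - - [30/Mar/2012:02:03:43 -0500] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 251 "-" "-"
127.0.0.1 - - [30/Mar/2012:02:03:43 -0500] "GET //dbadmin/scripts/setup.php HTTP/1.1" 403 252 "-" "-"
::1 - - [30/Mar/2012:02:03:44 -0500] "OPTIONS * HTTP/1.0" 403 297 "-" "Apache/2.2.3 (CentOS) (internal dummy connection)"
10.0.0.5 - - [30/Mar/2012:02:10:00 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format line into fields; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    rec["status"] = int(rec["status"])
    return rec


def is_loopback(host):
    try:
        return ip_address(host).is_loopback
    except ValueError:  # hostnames or garbage in the client field
        return False


def is_dummy_connection(rec):
    # Apache 2.2 wakes idle children with these self-requests; they are expected, not an intruder
    return "internal dummy connection" in (rec.get("agent") or "")


def analyse(log_text):
    per_client = defaultdict(Counter)      # client -> Counter of status codes
    status_by_path = defaultdict(Counter)  # request path -> Counter of status codes
    local_probes = []                      # loopback requests that are not Apache's own
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or is_dummy_connection(rec):
            continue
        per_client[rec["host"]][rec["status"]] += 1
        status_by_path[rec["path"]][rec["status"]] += 1
        if is_loopback(rec["host"]):
            local_probes.append((rec["time"], rec["method"], rec["path"], rec["status"]))
    return {"per_client": per_client, "status_by_path": status_by_path, "local_probes": local_probes}


def setup_php_status_summary(report):
    """Status codes returned for phpMyAdmin-style setup.php probes.

    403 means the web server matched the path and refused it (something is there, or an
    explicit deny rule exists); 404 means nothing is configured at that path.
    """
    summary = Counter()
    for path, counts in report["status_by_path"].items():
        if path.endswith("/scripts/setup.php"):
            summary.update(counts)
    return dict(summary)


if __name__ == "__main__":
    # On a real box: analyse(open("/var/log/httpd/access_log").read())
    report = analyse(SAMPLE_LOG)
    print("requests from loopback (excluding Apache dummy connections):")
    for probe in report["local_probes"]:
        print("  ", probe)
    print("setup.php probe status codes:", setup_php_status_summary(report))
```

If `local_probes` is non-empty, the next step on the host itself is to find which process owns those connections while they happen (for example with `netstat -tnp` or `lsof -i` as root) and whether a local proxy, cron job or web application is relaying the requests.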
Old 03-30-2012, 08:56 AM   #9
ramecare
Member
 
Registered: Feb 2011
Posts: 179

Original Poster
Rep: Reputation: 0
First, php and phpmyadmin were installed on that server, and after seeing the log I uninstalled php and removed phpmyadmin.

Thanks,
 
  

