LinuxQuestions.org
Old 12-11-2005, 03:05 PM   #1
rioguia
Member
 
Registered: Jun 2002
Posts: 411

Rep: Reputation: 30
spike in 401, 402, and 403 apache log entries.


For the past several weeks, my httpd logs (as reported by logwatch) have seen a huge 5000% upswing in 401, 403, and 404 entries. Most of them seem associated with login URLs (see below). At first I thought it was just some errant search spider and checked and rechecked my robots.txt files (for some reason these are reported not found). Some of this software has never been installed on my server.

Today I noticed a log with an apparent web vulnerability scanner:

400 Bad Request /: 1 Time(s) /w00tw00t.at.ISC.SANS.DFind: 1
according to http://isc.sans.org/diary.php?storyid=900

Is this the Lupper Worm discussed at this thread
http://www.linuxquestions.org/questi...d.php?t=381248
or is it a separate problem?

My logs are as follows:
401 Unauthorized
/?%22Vocal_Arrangement%22_from_Edweek.org&login: 1 Time(s)
/?&login: 15 Time(s)
/?Animation&login: 2 Time(s)
(24 other similar iterations omitted for brevity.)

/?Who_We_Are&login: 4 Time(s)
/files: 2 Time(s)
/files/: 2 Time(s)
/files2: 1 Time(s)
/files2/: 1 Time(s)
/index.php?name=Members_List: 1 Time(s)
/usage/vh06: 1 Time(s)
403 Forbidden
/files/: 2 Time(s)
/files2/: 13 Time(s)
/files2/webadmin.php: 1 Time(s)
/plans/theme/: 1 Time(s)
/slide/?directory=upload&currentPic=15: 1 Time(s)
404 Not Found
/%20%20%20Dec%2023,%202004: 2 Time(s)
/UPLOAD/index.php: 1 Time(s)
/UPLOAD/index.php?action=view&filename=temp.jpg&directory=&: 1 Time(s)
/awstats/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
/backend.php: 1 Time(s)
/blog/xmlrpc.php: 1 Time(s)
/blog/xmlsrv/xmlrpc.php: 1 Time(s)
/blogs/xmlsrv/xmlrpc.php: 1 Time(s)
/cgi-bin/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
/cgi-bin/awstats/awstats.pl?configdir=|ech ... cho%20YYY;echo|: 1 Time(s)
/awstats/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
/backend.php: 1 Time(s)
/blog/xmlrpc.php: 1 Time(s)
/drupal/xmlrpc.php: 1 Time(s)

/favicon.ico: 93 Time(s)
/files3/qtof.php: 1 Time(s)
/files3/qtofm.php: 1 Time(s)
/files9/: 1 Time(s)
/images/css.gif: 1 Time(s)
/images/html401.gif: 1 Time(s)
/mrcstudio.com/images/bannerkargermrcookie.gif: 2 Time(s)
/phpgroupware/xmlrpc.php: 1 Time(s)
/plans_7.0/plans.cgi?active_tab=1: 1 Time(s)
/plans_7.0/plans.cgi?active_tab=2: 1 Time(s)
/plans_7.0/plans.cgi?active_tab=2&add_edit_cal_action=add: 1

(15 similar iterations to the above omitted)

/robots.txt: 26 Time(s)
/slide/phpslideshow.php?directory=photomanager: 2 Time(s)
/sumthin: 1 Time(s)
/templates/black/flowHeaderBG2.jpg: 1 Time(s)
/templates/black/flowNavBG.jpg: 1 Time(s)
/templates/black/images/middle_bg.jpg: 1 Time(s)
/templates/green/menu/doc.gif: 10 Time(s)
/templates/greennews/menu/doc.gif: 6 Time(s)
/ultramode.txt: 1 Time(s)
/webadmin.php: 1 Time(s)
/wordpress/xmlrpc.php: 1 Time(s)
/xmlrpc.php: 2 Time(s)
/xmlrpc/xmlrpc.php: 1 Time(s)
/xmlsrv/xmlrpc.php: 1 Time(s)

Last edited by rioguia; 12-11-2005 at 03:07 PM.
 
Old 12-11-2005, 07:53 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
For the past several weeks, my httpd logs (as reported by logwatch) have seen a huge 5000% upswing in 401, 403, and 404 entries.
Are these from relatively random IP addresses or from a single host or domain?


400 Bad Request /: 1 Time(s) /w00tw00t.at.ISC.SANS.DFind: 1 according to http://isc.sans.org/diary.php?storyid=900 Is this the Lupper Worm discussed at this thread http://www.linuxquestions.org/questi...d.php?t=381248 or is it a separate problem?
No, it's not lupper, but if you look at the advisory you'll see it's a vulnerability scanner. However, some of the URLs that you posted below do look like lupper (the xmlrpc.php, drupal, and awstats stuff). Not sure what a few of the other things are; several look like attempts to proxy (like the edweek.org and mrcstudio.com), though I can't tell without seeing the entire Apache error message. You also have a few other random scanners mixed in, like the /sumthin banner-grabber.

As long as you are getting 4xx codes for those requests and either don't have any of that software installed (PHP, awstats, drupal) or have it all kept updated with security patches, then you should be alright. You may want to think about banning any IPs that repeatedly try to abuse the server and you might also want to look into mod_security.

You also said you had a massive increase in log entries. How many of these are login attempts? Do you even do any authentication, like htaccess or basic auth, on this server? If so, do the login attempts look like a bruteforce attempt?

Also you might want to take a look at the Apache logs directly rather than the logwatch summary.
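One way to do the triage suggested above directly against the Apache access log rather than the logwatch summary (are the 4xx hits from one host or many, do the 401s cluster on a single client like a bruteforce, which requests match the scanner signatures quoted in this thread). This is an added example and not code from either poster; the log lines, the documentation-range IP addresses, the signature names and the threshold of 3 are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log line: client IP, timestamp, request, status, size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')

# Probe signatures taken from the request paths quoted in the thread.
PROBE_PATTERNS = {
    'DFind scanner': re.compile(r'w00tw00t\.at\.ISC\.SANS\.DFind'),
    'awstats configdir': re.compile(r'awstats\.pl\?configdir='),
    'xmlrpc.php probe': re.compile(r'xmlrpc\.php'),
    'sumthin banner-grab': re.compile(r'^/sumthin$'),
}

# Constructed sample lines (RFC 5737 documentation addresses), not real logs.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Dec/2005:14:01:02 -0500] "GET /?&login HTTP/1.1" 401 512
203.0.113.5 - - [11/Dec/2005:14:01:03 -0500] "GET /?Animation&login HTTP/1.1" 401 512
203.0.113.5 - - [11/Dec/2005:14:01:04 -0500] "GET /?Who_We_Are&login HTTP/1.1" 401 512
198.51.100.7 - - [11/Dec/2005:14:05:00 -0500] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226
198.51.100.7 - - [11/Dec/2005:14:05:01 -0500] "GET /xmlrpc.php HTTP/1.1" 404 301
198.51.100.7 - - [11/Dec/2005:14:05:02 -0500] "GET /cgi-bin/awstats.pl?configdir=|echo;echo| HTTP/1.1" 404 301
192.0.2.9 - - [11/Dec/2005:14:10:00 -0500] "GET /robots.txt HTTP/1.1" 404 290
192.0.2.9 - - [11/Dec/2005:14:10:01 -0500] "GET /index.html HTTP/1.1" 200 4820
"""

def summarise(log_text):
    """Per client IP: number of 4xx responses, 401s, and matched probe names."""
    errors, auth_fail, probes = Counter(), Counter(), defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, status, path = m['ip'], int(m['status']), m['path']
        if 400 <= status < 500:
            errors[ip] += 1
        if status == 401:
            auth_fail[ip] += 1
        for name, pat in PROBE_PATTERNS.items():
            if pat.search(path):
                probes[ip].add(name)
    return {ip: {'errors_4xx': errors[ip], 'auth_fail': auth_fail[ip],
                 'probes': sorted(probes[ip])} for ip in errors}

def flag_suspects(report, auth_threshold=3):
    """IPs worth a closer look: repeated 401s (bruteforce) or any scanner probe."""
    return sorted(ip for ip, r in report.items()
                  if r['auth_fail'] >= auth_threshold or r['probes'])
```

Feed it the real access_log instead of SAMPLE_LOG; an IP that shows up in flag_suspects is a candidate for the per-IP ban or mod_security rule mentioned above, while a robots.txt/favicon 404 from an otherwise normal client is not.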