LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 11-10-2009, 11:26 AM   #1
strelok
LQ Newbie
 
Registered: Nov 2009
Posts: 3

Rep: Reputation: 0
Strange log entries in Apache log under Debian... hacking attempt?


Hi,

I'm running a small ecommerce webserver on Debian Linux. I'm constantly watching the Apache logs using a command like:
tail -f /var/log/apache/*.log | grep --line-buffered -v "[myip]"

(the grep is so I don't see myself navigating on the server).

I just saw something very disturbing in the log:

75.101.250.129 - - [10/Nov/2009:16:26:35 +0100] "GET /robots.txt HTTP/1.0" 301 273 "-" "taptubot [FILE LIST OF MY /home/admin] please read http://www.taptu.com/corp/taptubot ***"
75.101.250.129 - - [10/Nov/2009:16:26:35 +0100] "GET /robots.txt HTTP/1.0" 200 296 "-" "taptubot [FILE LIST OF MY /home/admin] please read http://www.taptu.com/corp/taptubot ***"


On my tail output, the [FILE LIST OF MY /home/admin] I printed here was a complete 'ls' of my /home/admin directory!
I should point out that the webserver root is somewhere else, in another /home subdirectory.

There is something even more strange. The [FILE LIST] only appears in the tail output on my terminal. I tried:
grep "75.101.250.129" /var/log/apache2/access.log
And here is what was recorded in the log:

/var/log/apache2/access.log:75.101.250.129 - - [10/Nov/2009:16:26:35 +0100] "GET /robots.txt HTTP/1.0" 301 273 "-" "taptubot *** please read http://www.taptu.com/corp/taptubot ***"
/var/log/apache2/access.log:75.101.250.129 - - [10/Nov/2009:16:26:35 +0100] "GET /robots.txt HTTP/1.0" 200 296 "-" "taptubot *** please read http://www.taptu.com/corp/taptubot ***"


How is it possible that the lines differ? How could the attacker print the file list of another subdirectory? Can the attacker have had access to anything on my server?

I'm really worried...

Thanks,
Strelok
 
Old 11-10-2009, 09:18 PM   #2
AsusDave
Member
 
Registered: Jul 2008
Distribution: Debian, Ubuntu 10.04
Posts: 151

Rep: Reputation: 34
Follow the link to taptu you have drawn from your log. They explain what they are doing. I would look over my robots.txt file to see what is contained there. It may need some adjustment.

HTH
Dave
 
Old 11-11-2009, 04:10 AM   #3
strelok
LQ Newbie
 
Registered: Nov 2009
Posts: 3

Original Poster
Rep: Reputation: 0
Well, of course I followed the link, they just say they are a spider from "taptu.com".

I tried blocking the robot with robots.txt, but it still tries these 2 lines (of course, you need to read robots.txt to know robots.txt wants to block you).

But how is it that my /home/admin contents are displayed in the tail -f output, and not in the log?

Is it a deliberate attempt to hack my server, or is it a weird side-effect that translates the "***" into my /home/admin contents in the tail -f display ?

I really don't understand why this would be happening...
 
Old 11-11-2009, 05:08 AM   #4
evo2
Guru
 
Registered: Jan 2009
Location: Japan
Distribution: Mostly Debian and Scientific Linux
Posts: 5,591

Rep: Reputation: 1244
Quote:
Originally Posted by strelok View Post
Is it a deliberate attempt to hack my server, or is it a weird side-effect that translates the "***" into my /home/admin contents in the tail -f display ?
I think your second explanation is what happened.
Were you in /home/admin when you were running the tail -f?
You can see what happens in the following:
Code:
cd /home/admin
echo ***
It lists your home dir.

what happens if you:

cat /var/log/relevantfile | grep --line-buffered -v "[myip]"

I think with a little experimentation you could reproduce what you saw.

HTH,

Evo2.
 
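The glob-expansion explanation from the reply above can be reproduced in isolation. The following script is an added example and is not code from the thread; it assumes that the log line was at some point handed to the shell unquoted (for instance `echo $line` in a loop or alias), which is what makes each `***` in the user-agent string expand to the contents of the current directory. The scratch directory, file names and user-agent string are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the thread): shows how an unquoted "***" in a
# log line becomes a listing of the current directory.
# Assumption: the line reached the shell unquoted (e.g. echo $line).
set -e

# Constructed scratch directory standing in for /home/admin, with dummy files
demo_dir="${TMPDIR:-/tmp}/globdemo.$$"
mkdir -p "$demo_dir"
trap 'rm -rf "$demo_dir"' EXIT
cd "$demo_dir"
touch backup.tar.gz config.inc.php index.php

# Constructed user-agent string following the pattern seen in the access log
ua='taptubot *** please read http://www.taptu.com/corp/taptubot ***'

# Unquoted: the shell word-splits the string, then each "***" is a glob that
# matches every non-hidden file in the current directory
unquoted_expansion() { printf '%s\n' $ua; }

# Quoted: the string is passed through as one literal argument
quoted_expansion() { printf '%s\n' "$ua"; }

# Line counts make the difference visible without depending on file order
unquoted_count() { unquoted_expansion | wc -l | tr -d ' '; }
quoted_count()   { quoted_expansion | wc -l | tr -d ' '; }

# Only the unquoted form leaks a file name from the directory into the output
unquoted_expansion | grep -q '^config.inc.php$' && echo "unquoted: directory listing leaked into output"
quoted_expansion   | grep -q '^config.inc.php$' || echo "quoted: string kept literally"
```

Run from any directory; the expansion happens against wherever the shell's current directory is, which is why the listing matched /home/admin rather than the web root. The same reasoning applies to any log-watching pipeline: keep `"$line"` quoted, and if the filtered address is pasted literally into `grep`, `grep -F` keeps its dots from being treated as regex wildcards.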
Old 11-11-2009, 07:55 AM   #5
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 428

Rep: Reputation: 65
Quote:
Originally Posted by strelok View Post

I really don't understand why this would be happening...
If /home/admin is your web server directory (where the web files reside) then it looks valid. The robots.txt file that's listed shows that it is following the standard for indexing.

If that is the case then it looks like they are just doing a standard index of the folder.

Is it showing files permissions and everything or just a list of the files?


If it is not your web server page directory, then you may want to be concerned.

The CERT Intrusion Checklist is located here, which I am including in case it's the latter of the two.


*edit*
After looking at it a little more it does look valid.

Try creating the robots.txt file in your web root directory and inserting the following code. It should stop almost instantly.

Code:
User-agent: *
Disallow: /
 