What do these httpd log file entries mean?
I have noticed some strange activity in my web server's log file every time I start it.
Code:
94.65.29.90 - - [03/Dec/2012:21:28:20 +0200] "\b\xde\xa9H\xdb]YUh\xbd\xb3\x7fL\x9a\xe7G\xb6\x81]^\xd8_]\x9b-" 501 223
Thank you.
mitusf,

Just from the locations of the IP addresses, I'd say that is exactly what the problem is. It appears as if you need to set up some IP Firewall (IPFW) rules or install Fail2Ban to block those types of hacking attempts.

What ports are open on your router to the WAN? Have you scanned with nmap to verify the open ports on your router, server and clients? That is where I'd suggest starting, e.g.:
Code:
nmap -sS 192.168.0.4

You can terminate the WAN access while you continue the LAN access for your local clients, until you have the security implemented. Be sure that root access IS NOT ENABLED. Be sure that password access IS NOT ENABLED if you have WAN access ENABLED. Use secure RSA or DSA keys. You can move the router ports for SSH or FTP access to a port higher than 10000 in your router, to access ports 21 or 22 on your LAN, e.g. FTP in on router port 49650 (which is forwarded to 21 on your LAN).

Be sure to keep an eye on your logs daily, to make sure you are the only one accessing your server, until you are 100% sure. I'd suggest that you stop all port forwarding, or take your server offline until you get tighter security implemented, as per the suggested documents below.

As a NAS4Free supporter, I've created some documents that may help lead you through a similar situation I had on my NAS4Free server. While these documents are for NAS4Free, the methods discussed will be typical for your web server. The documents are located at:
http://forums.nas4free.org/viewtopic.php?f=55&t=225
http://forums.nas4free.org/viewtopic.php?f=55&t=233
HOWTO Area: http://forums.nas4free.org/viewforum...203b067b5d2f32
Extensions/Addons: http://forums.nas4free.org/viewforum...203b067b5d2f32
Nmap usage: http://www.irongeek.com/i.php?page=videos/nmap1

There are other documents as well, discussing using FTP transfers and using SSH with DSA keys. It might be worth your while to read those documents too.

Good luck.
Larry
I've got my doubts; while the general structure does look similar to an XSS, look at all those 501s, 400s and 408s. That suggests to me that your server is sending out something 'random' and a server at the other end is responding with some kind of error.
Just check that you aren't sending out something unexpected on startup (NTP? DNS? checking outdated/wrong locations for software updates? etc.). If that's not it, then go ahead and block while further investigation is ongoing, but while it is strange I'm not yet convinced it's malicious. @lkraemer
salasi,

Some of the IP addresses I verified were from Athens, Greece and Budapest, Hungary. I just can't imagine his server contacting these IPs when it's running, but I guess it's possible.

The 408 errors are for HTTP Request Timeout, i.e. the web server (running the web site) thinks that there has been too long an interval of time between 1) the establishment of an IP connection (socket) between the client (e.g. your web browser) and the server and 2) the receipt of any data on that socket, so the server has dropped the connection. The request from the client must be repeated, in a timely manner.

It would be an interesting test to prevent WAN access, then restart his server to see what is logged. That would give us more detail as to where the connections originate from, depending on the message log.

Thanks.
Larry
Larry, thanks for the suggestions. I think they are valuable. About the firewall, I have it set up, no problem with that. I usually am not using my web server, but recently I needed it to allow someone to quickly transfer a big file without using ftp/rsync. So I allowed access to it and these messages showed up, and this has happened before. So I'll need to make more tests with it, as salasi said it might be transferring something, to be sure that those messages were not generated from that file transfer, although in this situation I do not understand why there are different IPs from the IP which was transferring the file. BTW, I do not have a router; my server/workstation just acts like one (in the iptables), but this is something else of course.
What I can surely say is that those kinds of messages did not appear all the time in history (when the server was opened); they appeared suddenly, nothing triggered them. For example, right now it is opened and it's OK so far. But tomorrow, or some day after, it will show up again. Strange... I still think these are just break-in attempts.
Seeing logs that contain hex and some printable ASCII characters makes me think binary data, and possibly shellcode.
213.215.89.201 - - [03/Dec/2012:21:28:50 +0200] "\xeb\xe1,\xdf\x89\xd4E\xb4\xea" 501 207
Code:
$ rasm2 -d 'eb e1 2c df 89 d4 45 b4 ea'
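The log lines quoted in this thread can be triaged mechanically before anyone reaches for a disassembler. The script below is an added example, not code from this thread or from any poster: it parses Apache common-format access-log lines, reverses Apache's `\xHH` escaping to recover the raw bytes the client actually sent (for the 213.215.89.201 line it yields exactly the `eb e1 2c df 89 d4 45 b4 ea` sequence fed to rasm2 above), and classifies each request line as real HTTP, binary junk, or an empty request. The two 501 lines are the ones posted above; the 200 line from 203.0.113.9 and the 408 line from 198.51.100.7 are constructed for contrast, and all function names are my own.

```python
"""Triage Apache access-log lines whose request field is binary junk.

Added example, not code from the thread.  Undoes Apache's log escaping
(\\xHH for non-printable bytes, plus \\n \\r \\t \\b \\" \\\\) so the bytes
a client sent can be inspected or pasted into a disassembler, then
classifies each request line.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: the two lines posted in the thread, one normal GET,
# and one request-timeout line (Apache logs the request as "-" when no
# request line ever arrived, which is what a 408 usually looks like).
SAMPLE_LOG = r'''94.65.29.90 - - [03/Dec/2012:21:28:20 +0200] "\b\xde\xa9H\xdb]YUh\xbd\xb3\x7fL\x9a\xe7G\xb6\x81]^\xd8_]\x9b-" 501 223
213.215.89.201 - - [03/Dec/2012:21:28:50 +0200] "\xeb\xe1,\xdf\x89\xd4E\xb4\xea" 501 207
203.0.113.9 - - [03/Dec/2012:21:29:01 +0200] "GET /index.html HTTP/1.1" 200 1532
198.51.100.7 - - [03/Dec/2012:21:29:30 +0200] "-" 408 -
'''

# Common log format: host ident user [time] "request" status bytes.
# The request group allows backslash-escaped characters (including \").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

_ESC = {'n': b'\n', 'r': b'\r', 't': b'\t', 'b': b'\b', 'v': b'\v',
        'f': b'\f', '\\': b'\\', '"': b'"'}
HTTP_METHODS = {'GET', 'POST', 'HEAD', 'PUT', 'DELETE',
                'OPTIONS', 'TRACE', 'CONNECT', 'PATCH'}


def unescape_apache(field: str) -> bytes:
    """Reverse Apache's escaping of a logged string field back to raw bytes."""
    out = bytearray()
    i = 0
    while i < len(field):
        c = field[i]
        if c != '\\':
            out += c.encode('latin-1')
            i += 1
            continue
        nxt = field[i + 1] if i + 1 < len(field) else ''
        if nxt == 'x' and re.fullmatch(r'[0-9a-fA-F]{2}', field[i + 2:i + 4]):
            out.append(int(field[i + 2:i + 4], 16))   # exactly two hex digits
            i += 4
        elif nxt in _ESC:
            out += _ESC[nxt]
            i += 2
        else:                                          # stray backslash: keep it
            out += b'\\'
            i += 1
    return bytes(out)


def classify_request(raw: bytes) -> str:
    """'http' for a sane request line, 'binary' if any non-printable byte,
    'no-request' for Apache's "-" placeholder, else 'non-http-text'."""
    if raw == b'-':
        return 'no-request'
    if any(b < 0x20 or b > 0x7e for b in raw):
        return 'binary'
    method = raw.split(b' ', 1)[0].decode('ascii')
    return 'http' if method in HTTP_METHODS else 'non-http-text'


def parse_line(line: str):
    """Return a dict for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = unescape_apache(m['req'])
    return {
        'ip': m['ip'],
        'status': int(m['status']),
        'request': raw,
        'hex': ' '.join(f'{b:02x}' for b in raw),   # paste into rasm2 -d
        'kind': classify_request(raw),
    }


def triage(log_text: str):
    """Parse every line; also count (kind, status) pairs per client IP."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    per_ip = defaultdict(Counter)
    for r in records:
        per_ip[r['ip']][(r['kind'], r['status'])] += 1
    return records, per_ip


def suspicious_ips(per_ip) -> list:
    """IPs that sent at least one binary or non-HTTP request line."""
    return sorted(ip for ip, counts in per_ip.items()
                  if any(kind in ('binary', 'non-http-text') for kind, _ in counts))


if __name__ == '__main__':
    recs, by_ip = triage(SAMPLE_LOG)
    for r in recs:
        print(f"{r['ip']:16} {r['status']} {r['kind']:14} {r['hex']}")
    print('suspicious:', suspicious_ips(by_ip))
```

One caveat worth keeping in mind when reading the output: httpd's access log only records requests the server received, so a line attributed to a remote address is data that address sent inbound, and a 501 with a binary request line means the server could not even parse a method out of it. A 408 with an empty request, by contrast, only says a client connected and then sent nothing before the timeout.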
OK, here is a larger image of the logfile, just in case someone wants to form an idea.
The "404 nnn" pairs are just Apache error codes (the first one is, anyway).