What do these httpd log file entries mean?

mitusf · 12-12-2012, 01:32 PM

I have noticed some strange activity on my web server's log file, every time I started it.

Code:

94.65.29.90 - - [03/Dec/2012:21:28:20 +0200] "\b\xde\xa9H\xdb]YUh\xbd\xb3\x7fL\x9a\xe7G\xb6\x81]^\xd8_]\x9b-" 501 223
94.66.79.120 - - [03/Dec/2012:21:28:29 +0200] "/3\xc1\x8b\xa8\xc1\xcc\x8ea\x18\xf9\x87\x80\x83\x90\x02bI\xad\xd4cD\x18\xa5\xef=\x06v\x86\xdfp\xc4\x16" 501 231
95.103.136.143 - - [03/Dec/2012:21:28:41 +0200] "\x9f\xd6\x8eC\x04\xf35\vA G\x14\xa2\x16\xf4\xe8\xf3\xf4\xe5\xe4uoR\xb8" 400 226
84.15.177.165 - - [03/Dec/2012:21:28:47 +0200] "-" 408 -
213.215.89.201 - - [03/Dec/2012:21:28:50 +0200] "\xeb\xe1,\xdf\x89\xd4E\xb4\xea" 501 207
188.36.179.170 - - [03/Dec/2012:21:29:11 +0200] "\x9a\xaa\xde\xa9\x82\x9f\xda4w\x88\xa4^\xd5\xbf\xe3Z~\xf1E\xf2T\xff\x8b\x07P\xe9U\xac\xd5\xceX\xa4\xb3" 501 231
41.139.170.246 - - [03/Dec/2012:21:29:32 +0200] "-" 408 -
91.225.97.245 - - [03/Dec/2012:21:30:58 +0200] "\xf0b\x06\xac\x1d$\xb5\xb0-\x1dz\x1d\xa0\xfd" 400 226
89.137.201.85 - - [03/Dec/2012:21:31:59 +0200] "-" 408 -
92.37.121.251 - - [03/Dec/2012:21:32:07 +0200] "\xc7\xe0\xc9\x8a\xb8\x8f\xfcv\xaa<C\xc6\x1c\x02\x10\x7f%@\x05\xa9\xb6d7\xed\xba\xa6\xca\xab\xed[" 501 231
62.4.63.34 - - [03/Dec/2012:21:32:31 +0200] "-" 408 -
84.44.172.84 - - [03/Dec/2012:21:32:43 +0200] "\x98\xafe\xc1\xfa\tYHo'H[\xd0}+\xf4\xc5\x15\x85\xf5 \xe2F\xfd\xca]\xc1\xf6\xd67\xa5\x85l" 400 226
77.28.252.91 - - [03/Dec/2012:21:33:22 +0200] "\xb5\x02E\xaa \x04\"\xeco\xba\xedY\xa6K\xc2\x94[\xba \x0fx\x9bmD\xc5F\xeb\xe7\xcd\x9f\x13\xf6fz\xe1\xff\x9a\xc2Y\x90@\x88\x16" 400 226

I think these are all break-in attempts, but I do not really know what all these represent. What do you think? Am I safe for this kind of requests?

Thank you.

lkraemer · 12-13-2012, 04:42 AM

mitusf,
Just from the locations of the IP Addresses, I'd say that is exactly what the problem is. It appears as if you need to setup
some IP Firewall Rules (IPFW) Rules or install Fail2Ban to block those type of hacking attempts.

What ports are open on your Router to the WAN?
Have you scanned with nmap to verify the Open Ports on your Router, Server, Clients? That is where I'd suggest starting.
ie. nmap -sS 192.168.0.4
You can Terminate the WAN Access while you continue the LAN Access for your local Clients, until you have the Security implemented.
Be sure that root access IS NOT ENABLED.
Be sure that Password Access IS NOT ENABLED if you have WAN access ENABLED. Use Secure RSA or DSA Keys.
You can move the Router ports for SSH or FTP access to a Port higher than 10000 in your Router, to access Ports 21 or 22 on your LAN.
ie, FTP in on Router Port 49650 (which is forwarded to 21 on your LAN)
Be sure to keep an eye on your Logs daily, to make sure you are the only one accessing your Server, until you are 100% sure.

I'd suggest that you stop all Port Forwarding, or take your Server offline until you get tighter security implemented, as per
the suggested Documents below.

As a NAS4Free Supporter, I've created some documents that may help lead you through a similar situation I had on my NAS4Free Server.
While these Documents are for NAS4Free, the methods discussed will be typical for your webserver. The documents are located at:
http://forums.nas4free.org/viewtopic.php?f=55&t=225
http://forums.nas4free.org/viewtopic.php?f=55&t=233

HOWTO Area
http://forums.nas4free.org/viewforum...203b067b5d2f32

Extensions/Addons
http://forums.nas4free.org/viewforum...203b067b5d2f32

Nmap usage
http://www.irongeek.com/i.php?page=videos/nmap1

There are other documents as well, discussing using FTP transfers and using SSH with DSA Keys. It might be worth your while to read
those documents too.

Good Luck.

Larry

salasi · 12-13-2012, 05:07 AM

I've got my doubts; while the general structure does look similar to an XSS, look at all those 501s, 400s and 408s. That suggests to me that your server is sending out something 'random' and a server at the other end is responding with some kind of error.

Just check that you aren't sending out something unexpected, on start up (ntp?, dns?, checking outdated/wrong locations being for software updates?, etc).

If that's not it, then go ahead and block while further investigation is ongoing, but while it is strange I'm not yet convinced of malicious.

@lkraemer

Quote:

Just from the locations of the IP Addresses...

The few that I looked at didn't have particularly suspicious origin locations, but looked to be close-by Middle-European states, so what were you seeing that raised suspicions?

unSpawn · 12-13-2012, 05:19 AM

Quote:

Originally Posted by mitusf

I think these are all break-in attempts, but I do not really know what all these represent.

Maybe somebody else can but I haven't been able to decipher it.

Quote:

Originally Posted by mitusf

What do you think? Am I safe for this kind of requests?

While this is a very selective view of things, only a few access_log lines paint a different picture than posting all access_log and error_log entries for these hosts, you can see all these requests have return codes of 400 "Bad request", 408 "Request timeout" or 501 "Not implemented". "Safe" depends on what the web server, and whatever you run in your web stack, return. In this case the web server doesn't appear to yield anything making these requests not successful.

unSpawn · 12-13-2012, 05:28 AM

Quote:

Originally Posted by salasi

That suggests to me that your server is sending out something 'random' and a server at the other end is responding with some kind of error. Just check that you aren't sending out something unexpected, on start up (ntp?, dns?, checking outdated/wrong locations being for software updates?, etc).

Now that's an interesting thought.

lkraemer · 12-13-2012, 05:59 AM

salasi,
Some of the IP addresses I verified were from Athens, Greece & Budapest, Hungary. I just can't imagine his server contacting
these IP's when it's running, but I guess it's possible.

The 408 errors are for HTTP Request Timeout. ie........
The Web server (running the Web site) thinks that there has been too long an interval of time between 1) the establishment of an IP connection (socket) between the client (e.g. your Web browser) and the server and 2) the receipt of any data on that socket, so the server has dropped the connection. The request from the client must be repeated - in a timely manner.

It would be an interesting test to prevent WAN access, then restart his server to see what is logged. That would give us more
detail as to where the connections originate from, depending on the message log.

Thanks.

Larry

salasi · 12-13-2012, 06:17 AM

Quote:

Originally Posted by lkraemer

salasi,
Some of the IP addresses I verified were from Athens, Greece & Budapest, Hungary.

Yes, but he (and his server???) are in Bucharest, so they seem to be relatively local. I mean its not exactly the list of countries most noted for hacking attempts, even though you shouldn't draw hard and fast conclusions from the country alone.

mitusf · 12-13-2012, 06:23 AM

Larry, thanks for the suggestions. I think they are valuable. About the firewall, I have it set up, no problem with that, I usually am not using my web server, but recently I need it for allowing someone quickly transfer a big file, and not using ftp/rsync. So I allowed access to it and these messages showed up, and this has happened before. So I'll need to make more tests with it, as salasi said it might be transferring something, to be sure that those messages were not generated from that file transfer, although in this situation I do not understand why there are different IPs from the IP which was transferring the file. BTW, I so not have a router, my server/workstation just acts like one (in the iptables), but this is something else of course.

mitusf · 12-13-2012, 06:31 AM

Quote:

It would be an interesting test to prevent WAN access, then restart his server to see what is logged. That would give us more
detail as to where the connections originate from, depending on the message log.

The server is always running but it is firewall-ed for outside access. So I do not get any messages at all.

mitusf · 12-13-2012, 06:50 AM

What I can surely say is that those kind of messages did not appear all the time in history (when the server was opened), and they appeared suddenly, nothing triggered them. For example, right now it is opened and it's ok so far. But tomorrow, or some day after, it will show up again. Strange... I still think these are just break in attempts.

unSpawn · 12-13-2012, 07:56 AM

Quote:

Originally Posted by mitusf

recently I need it for allowing someone quickly transfer a big file, and not using ftp/rsync.

The easiest way would have been to limit the firewall to only allow traffic between your web server and this persons address.

Quote:

Originally Posted by mitusf

I do not understand why (..) I still think

Instead start by having sufficient data logged: firewall, Snort for signature-based scrubbing, Wireshark for packet analysis. That may help you analyze things better.

OlRoy · 12-13-2012, 08:19 AM

Seeing logs that contain hex and some printable ascii characters, makes me think binary data, and possibly shellcode.

213.215.89.201 - - [03/Dec/2012:21:28:50 +0200] "\xeb\xe1,\xdf\x89\xd4E\xb4\xea" 501 207

Code:

$ rasm2 -d 'eb e1 2c df 89 d4 45 b4 ea'
jmp 0x8047fe3
sub al, 0xdf
mov esp, edx
inc ebp
mov ah, 0xea

I'm definitely not familiar enough with Linux shellcode to say whether that is part of valid shellcode, but the above are all very common instructions. As unSpawn was saying, it's hard to say much without more context...

mitusf · 12-13-2012, 08:49 AM

ok, here it is a larger image logfile; just in case someone wants to make an ideea

Quote:

188.25.29.61 - - [07/Jan/2012:16:22:27 +0200] "OPTIONS / HTTP/1.1" 200 -
200.27.129.124 - - [07/Jan/2012:16:30:11 +0200] "HEAD / HTTP/1.0" 200 -
187.115.68.232 - - [08/Jan/2012:22:29:48 +0200] "HEAD / HTTP/1.0" 200 -
122.228.236.136 - - [09/Jan/2012:15:22:02 +0200] "CONNECT smtp.mail.yahoo.com.cn:25 HTTP/1.0" 405 235
187.58.58.136 - - [10/Jan/2012:19:14:37 +0200] "HEAD / HTTP/1.0" 200 -
127.0.0.1 - - [15/Jan/2012:17:12:39 +0200] "GET /dojo/firebug/firebug.js HTTP/1.1" 404 221
62.244.184.159 - - [19/Jan/2012:10:58:16 +0200] "'\xear!;\xeby0&8&\xb8\xca\x0es6\x05\x8d\xec" 501 239
212.79.110.26 - - [19/Jan/2012:23:55:08 +0200] "GET / HTTP/1.0" 200 44
66.249.72.84 - - [28/Jan/2012:13:22:30 +0200] "GET /index.php?option=com_k2&view=item&id=10950:tape-teflon-go-to-tapet HTTP/1.1" 404 207
66.249.72.84 - - [28/Jan/2012:13:26:22 +0200] "GET /index.php?option=com_k2&view=item&id=10953:disc-stickit-6-psa-p80a-a0-12 HTTP/1.1" 404 207
66.249.72.84 - - [28/Jan/2012:13:30:14 +0200] "GET /index.php?option=com_k2&view=item&id=10954:disc-stickit-6-220a-sc-250ro&tmpl=component&print=1 HTTP/1.1" 404 207
190.68.69.234 - - [29/Jan/2012:21:08:51 +0200] "HEAD / HTTP/1.0" 200 -
218.6.16.52 - - [31/Jan/2012:11:42:47 +0200] "HEAD / HTTP/1.0" 200 -
84.175.204.134 - - [31/Jan/2012:21:06:50 +0200] "w\xf1oP\xc4" 501 217
118.139.162.208 - - [04/Feb/2012:11:11:13 +0200] "GET /w00tw00t.at.ISC.SANS.DFind

HTTP/1.1" 400 226
188.25.55.187 - - [05/Feb/2012:18:26:11 +0200] "OPTIONS / HTTP/1.1" 200 -
188.25.165.62 - - [07/Feb/2012:14:05:52 +0200] "1\xa3\xbd\x15\x07\xa3\x16\x81\x91\x8aY\xa5\xe1h\xf7\xe2\x96p\xff\x0c\xd5(\xbb\xe4\xa9\x03\x1a]P\x146|\xf7\xf0~\xed\xef\xa5\x12K\xe2\xbf\xd9\xbf" 400 226
219.143.8.143 - - [09/Feb/2012:18:27:51 +0200] "HEAD / HTTP/1.0" 200 -
77.45.247.48 - - [11/Feb/2012:17:12:32 +0200] "\xf5\xaa-c\xcc\xc4d\xbfa#\x96\xe8=\x93" 501 226
94.236.134.205 - - [14/Feb/2012:20:57:15 +0200] "\xa7" 501 213
83.252.42.4 - - [15/Feb/2012:14:56:25 +0200] "\xef\x8a\xca\xff" 501 216
92.114.128.51 - - [18/Feb/2012:22:13:36 +0200] "\xa9tjp\xf1m" 501 218
204.93.180.13 - - [20/Feb/2012:04:20:10 +0200] "GET / HTTP/1.0" 200 44
94.228.217.228 - - [23/Feb/2012:19:04:26 +0200] "GET / HTTP/1.1" 200 44
38.104.240.146 - - [29/Feb/2012:21:12:35 +0200] "HEAD / HTTP/1.0" 200 -
212.25.45.125 - - [07/Mar/2012:10:20:23 +0200] "\xd6\x9b\xf3.\xab\xb5.\xd66" 501 221
188.254.138.182 - - [07/Mar/2012:10:20:57 +0200] "\xf2\bt1jTZ\xd3(\xb1\xbfj63\xc7\xf9\x96\x1e\xb2s'CpC\xc6!\x0e\xb0v\x11\x1c" 501 243
80.138.137.59 - - [07/Mar/2012:11:45:23 +0200] "!s\xa7\xf9\xaf\x83m--\x9b\x86\xf4\x85\x05\xc7VY8o\xd1\x06\x05\xeb\x81\x91\x06\\\x87\x06\xee\xda|\xfb\x1d\x0c\x90\x92\xca\ xe1%," 400 226
94.137.223.249 - - [07/Mar/2012:11:54:46 +0200] "\x16\xd3M\xcbo\xa3`" 501 219
109.102.18.66 - - [08/Mar/2012:13:02:06 +0200] "\x93\x99,\x1a9\xd5\x17E\xaa" 501 221
58.19.177.4 - - [09/Mar/2012:12:53:13 +0200] "GET /muieblackcat HTTP/1.1" 404 210
58.19.177.4 - - [09/Mar/2012:12:53:14 +0200] "GET //index.php HTTP/1.1" 404 207
58.19.177.4 - - [09/Mar/2012:12:53:15 +0200] "GET //admin/index.php HTTP/1.1" 404 213
58.19.177.4 - - [09/Mar/2012:12:53:16 +0200] "GET //admin/pma/index.php HTTP/1.1" 404 217
58.19.177.4 - - [09/Mar/2012:12:53:17 +0200] "GET //admin/phpmyadmin/index.php HTTP/1.1" 404 224
58.19.177.4 - - [09/Mar/2012:12:53:18 +0200] "GET //db/index.php HTTP/1.1" 404 210
58.19.177.4 - - [09/Mar/2012:12:53:19 +0200] "GET //dbadmin/index.php HTTP/1.1" 404 215
58.19.177.4 - - [09/Mar/2012:12:53:20 +0200] "GET //myadmin/index.php HTTP/1.1" 404 215
58.19.177.4 - - [09/Mar/2012:12:53:21 +0200] "GET //mysql/index.php HTTP/1.1" 404 213
58.19.177.4 - - [09/Mar/2012:12:53:25 +0200] "GET //typo3/phpmyadmin/index.php HTTP/1.1" 404 224
58.19.177.4 - - [09/Mar/2012:12:53:29 +0200] "GET //phpMyAdmin/index.php HTTP/1.1" 404 218
58.19.177.4 - - [09/Mar/2012:12:53:30 +0200] "GET //phpmyadmin/index.php HTTP/1.1" 404 218
58.19.177.4 - - [09/Mar/2012:12:53:31 +0200] "GET //phpmyadmin1/index.php HTTP/1.1" 404 219
58.19.177.4 - - [09/Mar/2012:12:53:32 +0200] "GET //phpmyadmin2/index.php HTTP/1.1" 404 219
58.19.177.4 - - [09/Mar/2012:12:53:36 +0200] "GET //web/phpMyAdmin/index.php HTTP/1.1" 404 222
58.19.177.4 - - [09/Mar/2012:12:53:38 +0200] "GET //xampp/phpmyadmin/index.php HTTP/1.1" 404 224
58.19.177.4 - - [09/Mar/2012:12:53:39 +0200] "GET //web/index.php HTTP/1.1" 404 211
58.19.177.4 - - [09/Mar/2012:12:53:40 +0200] "GET //php-my-admin/index.php HTTP/1.1" 404 220
58.19.177.4 - - [09/Mar/2012:12:53:41 +0200] "GET //websql/index.php HTTP/1.1" 404 214
58.19.177.4 - - [09/Mar/2012:12:53:42 +0200] "GET //phpmyadmin/index.php HTTP/1.1" 404 218
58.19.177.4 - - [09/Mar/2012:12:53:46 +0200] "GET //phpMyAdmin-2/index.php HTTP/1.1" 404 220
58.19.177.4 - - [09/Mar/2012:12:53:50 +0200] "GET //phpMyAdmin-2.2.3/index.php HTTP/1.1" 404 224
58.19.177.4 - - [09/Mar/2012:12:53:51 +0200] "GET //phpMyAdmin-2.2.6/index.php HTTP/1.1" 404 224
58.19.177.4 - - [09/Mar/2012:12:53:52 +0200] "GET //phpMyAdmin-2.5.1/index.php HTTP/1.1" 404 224
58.19.177.4 - - [09/Mar/2012:12:53:56 +0200] "GET //phpMyAdmin-2.5.5-rc1/index.php HTTP/1.1" 404 228
58.19.177.4 - - [09/Mar/2012:12:53:57 +0200] "GET //phpMyAdmin-2.5.5-rc2/index.php HTTP/1.1" 404 228
58.19.177.4 - - [09/Mar/2012:12:53:58 +0200] "GET //phpMyAdmin-2.5.5/index.php HTTP/1.1" 404 224
58.19.177.4 - - [09/Mar/2012:12:53:59 +0200] "GET //phpMyAdmin-2.5.5-pl1/index.php HTTP/1.1" 404 228
58.19.177.4 - - [09/Mar/2012:12:54:00 +0200] "GET //phpMyAdmin-2.5.6-rc1/index.php HTTP/1.1" 404 228
58.19.177.4 - - [09/Mar/2012:12:54:09 +0200] "GET //phpMyAdmin-2.5.6/index.php HTTP/1.1" 404 224
58.19.177.4 - - [09/Mar/2012:12:54:10 +0200] "GET //phpMyAdmin-2.5.7/index.php HTTP/1.1" 404 224
58.19.177.4 - - [09/Mar/2012:12:54:11 +0200] "GET //phpMyAdmin-2.5.7-pl1/index.php HTTP/1.1" 404 228
86.121.80.40 - - [11/Mar/2012:22:37:38 +0200] "GET / HTTP/1.1" 200 44
195.94.188.246 - - [12/Mar/2012:19:58:44 +0200] "HEAD / HTTP/1.0" 200 -
81.218.165.207 - - [13/Mar/2012:17:13:47 +0200] "HEAD / HTTP/1.0" 200 -
64.53.223.83 - - [15/Mar/2012:12:47:20 +0200] "`Q\x86\xc2\xa2" 501 217
200.186.124.22 - - [16/Mar/2012:14:52:41 +0200] "HEAD / HTTP/1.0" 200 -
213.122.191.155 - - [17/Mar/2012:12:16:39 +0200] "HEAD / HTTP/1.0" 200 -
85.195.91.187 - - [17/Mar/2012:18:23:38 +0200] "GET /w00tw00t.at.ISC.SANS.DFind

HTTP/1.1" 400 226
219.92.46.66 - - [29/Mar/2012:12:40:44 +0300] "HEAD / HTTP/1.0" 200 -
77.42.224.32 - - [07/Apr/2012:20:35:33 +0300] "\x17K1\xfe\x8c!\xd6]\xb0w\xb8\xcan;\xd9\xf5\x8b\xb7c\x1e\x01\\\xe1\xccQ\b" 501 238
124.193.160.245 - - [08/Apr/2012:14:32:33 +0300] "HEAD / HTTP/1.0" 200 -
42.228.0.77 - - [08/Apr/2012:20:37:38 +0300] "HEAD /manager/html HTTP/1.0" 404 -
200.9.244.90 - - [08/Apr/2012:23:02:37 +0300] "HEAD / HTTP/1.0" 200 -
92.240.68.153 - - [24/Apr/2012:08:22:12 +0300] "GET http://www.celebridiot.com/wp-conten...08/12/zune.jpg HTTP/1.1" 404 233
74.63.226.226 - - [29/Apr/2012:00:48:17 +0300] "GET /w00tw00t.at.ISC.SANS.DFind

HTTP/1.1" 400 226
157.164.189.39 - - [29/Apr/2012:18:59:40 +0300] "HEAD / HTTP/1.0" 200 -
23.21.128.180 - - [30/Apr/2012:18:33:00 +0300] "HEAD /manager/status HTTP/1.1" 404 -
122.116.25.237 - - [02/May/2012:17:46:16 +0300] "\xb7\x8f\x19_\xc4\xf1\x1c\xe8\xa0\\\xbb\v\xe3c\x9dv\x0e3p\\\x85\x1c?\xf1\xcc\xe9\xb1UN.dn\xf4" 400 226
94.64.20.36 - - [02/May/2012:17:53:32 +0300] "\xb2\xf9\x9e\xf1|\xac\x83\xd0\xcf\xbdR\x1e\xa8\xaf\x8d\xc1\x0f]\x95?" 501 232
84.217.243.153 - - [02/May/2012:17:56:03 +0300] "\x86!\x07yA\xa5\xe1\"\x01\xc0\xf3+\xec\x9e%\xf0U\xb7\xc3" 501 236
109.242.39.190 - - [02/May/2012:18:04:31 +0300] "\xfa\xcc%xT\xd3" 501 218
200.161.249.231 - - [02/May/2012:18:06:15 +0300] "W\xe4\x9c\x81T^\x16\xecxn\xe8w\xb6\x88\x01\xe3J\xf1\xd2\xfc\xc0\x0e\xe0\xc8\xcbH\xa2\x034F\xf0" 501 243
58.168.196.170 - - [02/May/2012:18:07:57 +0300] "\xae\x9b\x87-\xc6" 501 217
113.12.94.158 - - [06/May/2012:19:57:50 +0300] "HEAD / HTTP/1.0" 200 -
220.237.29.96 - - [07/May/2012:23:30:53 +0300] "\xa3\xca" 501 214
128.59.14.73 - - [09/May/2012:17:28:17 +0300] "GET / HTTP/1.1" 200 44
81.88.77.136 - - [10/May/2012:16:54:24 +0300] "HEAD / HTTP/1.0" 200 -
23.20.104.39 - - [10/May/2012:17:17:30 +0300] "HEAD / HTTP/1.0" 200 -
89.136.34.1 - - [14/May/2012:00:47:30 +0300] "nk\xe7\xad\"|\x8b\xa9\xb0\xe6\xb1\xefZ\"\xba\xea\x02vN}\x90\xec\xc7\x9b\xa78\xcf\xabV\xe8\x01\x7f\x 85\xaa\xf6\\;\xf2" 501 260
186.227.105.190 - - [19/May/2012:13:50:03 +0300] "HEAD / HTTP/1.0" 200 -
186.56.33.138 - - [19/May/2012:14:11:20 +0300] "HEAD / HTTP/1.0" 200 -
118.172.139.216 - - [19/May/2012:20:13:59 +0300] "HEAD / HTTP/1.0" 200 -
127.0.0.1 - - [19/May/2012:22:05:28 +0300] "GET / HTTP/1.0" 200 44
127.0.0.1 - - [16/Jun/2012:17:50:59 +0300] "GET / HTTP/1.1" 200 44
127.0.0.1 - - [16/Jun/2012:17:50:59 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [16/Jun/2012:17:51:59 +0300] "GET /favicon.ico HTTP/1.1" 404 209
188.25.105.255 - - [17/Jun/2012:18:10:14 +0300] "OPTIONS / HTTP/1.1" 200 -
201.56.128.2 - - [18/Jun/2012:19:47:45 +0300] "HEAD / HTTP/1.0" 200 -
218.65.61.28 - - [19/Jun/2012:19:15:13 +0300] "GET /w00tw00t.at.ISC.SANS.DFind

HTTP/1.1" 400 226
210.212.239.86 - - [20/Jun/2012:12:13:51 +0300] "HEAD / HTTP/1.0" 200 -
109.97.161.65 - - [20/Jun/2012:12:34:15 +0300] "v?\xe1?,\xd55|\t\x96\xca[\x84\xbd\xdb2G\xc79vT\xac\xb8\xcf\xeb\xc9\x0f\xf4\xc1|\x96\x98\x1e\xedp\x9c\xc4\xb7\xc2y\xd0)\xb5rZ< \x9e$\xc2\xcd\xbb" 400 226
46.166.144.203 - - [20/Jun/2012:16:41:34 +0300] "HEAD / HTTP/1.1" 200 -
46.17.97.178 - - [21/Jun/2012:19:00:04 +0300] "GET / HTTP/1.1" 200 44
203.186.69.230 - - [21/Jun/2012:20:30:05 +0300] "GET /phpmyadmin/translators.html HTTP/1.1" 404 225
95.120.227.60 - - [21/Jun/2012:23:08:31 +0300] "\xdf\x18g\xc9%\x8f\xca4\x05\xd8.\x8c\xe1\xd4\xcb\xea\x8e\xd1\xd7B\xbeM\x1f" 501 235
127.0.0.1 - - [22/Jun/2012:00:41:17 +0300] "HEAD / HTTP/1.1" 200 -
127.0.0.1 - - [22/Jun/2012:00:41:24 +0300] "GET /favicon.ico HTTP/1.1" 404 209
188.25.111.115 - - [22/Jun/2012:15:58:22 +0300] "GET / HTTP/1.1" 200 44
188.25.111.115 - - [22/Jun/2012:15:58:22 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [22/Jun/2012:16:00:56 +0300] "GET /favicon.ico HTTP/1.1" 404 209
188.25.111.115 - - [22/Jun/2012:16:01:33 +0300] "GET /favicon.ico HTTP/1.1" 404 209
194.145.159.253 - - [22/Jun/2012:16:03:36 +0300] "GET / HTTP/1.1" 200 44
194.145.159.253 - - [22/Jun/2012:16:03:36 +0300] "GET /favicon.ico HTTP/1.1" 404 209
188.25.111.115 - - [22/Jun/2012:16:16:43 +0300] "GET //phpmyadmin/translators.html HTTP/1.1" 404 225
188.25.111.115 - - [22/Jun/2012:16:16:43 +0300] "GET /favicon.ico HTTP/1.1" 404 209
187.75.153.207 - - [01/Jul/2012:16:21:40 +0300] "GET http://www.sina.com.cn/ HTTP/1.1" 200 44
188.24.231.145 - - [04/Jul/2012:16:49:50 +0300] "\r\x13m\xf3\xd4y|\xb5\xbbZ\xf2!\xef5\x06rJ\x1a/\xaeP" 400 226
222.106.7.66 - - [07/Jul/2012:18:07:08 +0300] "HEAD / HTTP/1.0" 200 -
12.144.49.14 - - [12/Jul/2012:14:25:37 +0300] "HEAD / HTTP/1.0" 200 -
127.0.0.1 - - [15/Jul/2012:14:19:17 +0300] "GET / HTTP/1.0" 200 44
127.0.0.1 - - [19/Jul/2012:20:49:23 +0300] "GET / HTTP/1.1" 200 44
127.0.0.1 - - [19/Jul/2012:20:49:23 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [19/Jul/2012:20:49:30 +0300] "GET / HTTP/1.1" 200 44
127.0.0.1 - - [19/Jul/2012:20:49:30 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [19/Jul/2012:21:00:34 +0300] "GET /index.php HTTP/1.1" 200 24
127.0.0.1 - - [19/Jul/2012:21:00:34 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [19/Jul/2012:21:01:16 +0300] "GET /index.php HTTP/1.1" 200 24
127.0.0.1 - - [19/Jul/2012:21:01:16 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [19/Jul/2012:21:01:20 +0300] "GET /index.php HTTP/1.1" 304 -
127.0.0.1 - - [19/Jul/2012:21:01:20 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [19/Jul/2012:21:02:32 +0300] "GET /index.php HTTP/1.1" 304 -
127.0.0.1 - - [19/Jul/2012:21:02:32 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [19/Jul/2012:21:02:35 +0300] "GET /index.php HTTP/1.1" 304 -
127.0.0.1 - - [19/Jul/2012:21:02:35 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [19/Jul/2012:21:05:21 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [19/Jul/2012:21:05:24 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [19/Jul/2012:21:11:29 +0300] "GET /index.php HTTP/1.1" 304 -
127.0.0.1 - - [19/Jul/2012:21:11:29 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [19/Jul/2012:21:12:03 +0300] "GET /index.php HTTP/1.1" 304 -
127.0.0.1 - - [19/Jul/2012:21:12:03 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [19/Jul/2012:21:12:08 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [19/Jul/2012:21:20:36 +0300] "GET /index.php.2 HTTP/1.1" 200 24
127.0.0.1 - - [19/Jul/2012:21:20:36 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [19/Jul/2012:23:24:50 +0300] "HEAD / HTTP/1.1" 200 -
127.0.0.1 - - [19/Jul/2012:23:25:03 +0300] "GET / HTTP/1.1" 200 44
127.0.0.1 - - [19/Jul/2012:23:25:03 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [19/Jul/2012:23:25:15 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [19/Jul/2012:23:27:15 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:17:25:05 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:17:25:09 +0300] "GET /index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524
127.0.0.1 - - [20/Jul/2012:17:25:09 +0300] "GET /index.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2146
127.0.0.1 - - [20/Jul/2012:17:25:09 +0300] "GET /index.php HTTP/1.1" 200 75942
127.0.0.1 - - [20/Jul/2012:17:25:10 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:17:26:12 +0300] "GET /index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524
127.0.0.1 - - [20/Jul/2012:17:26:12 +0300] "GET /index.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2146
127.0.0.1 - - [20/Jul/2012:17:26:12 +0300] "GET / HTTP/1.1" 200 75916
127.0.0.1 - - [20/Jul/2012:17:26:12 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:17:26:15 +0300] "GET / HTTP/1.1" 200 76150
127.0.0.1 - - [20/Jul/2012:17:26:15 +0300] "GET /index.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2146
127.0.0.1 - - [20/Jul/2012:17:26:15 +0300] "GET /index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524
127.0.0.1 - - [20/Jul/2012:17:26:16 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:17:26:33 +0300] "GET /index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524
127.0.0.1 - - [20/Jul/2012:17:26:33 +0300] "GET /index.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2146
127.0.0.1 - - [20/Jul/2012:17:26:33 +0300] "GET / HTTP/1.1" 200 75916
127.0.0.1 - - [20/Jul/2012:17:26:33 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:17:27:11 +0300] "GET / HTTP/1.1" 200 44
127.0.0.1 - - [20/Jul/2012:17:27:11 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:17:27:23 +0300] "GET /index.php.2 HTTP/1.1" 304 -
127.0.0.1 - - [20/Jul/2012:17:27:23 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:17:27:31 +0300] "GET /index.php HTTP/1.1" 404 207
127.0.0.1 - - [20/Jul/2012:17:27:31 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:17:27:54 +0300] "GET /index.php HTTP/1.1" 404 207
127.0.0.1 - - [20/Jul/2012:17:27:54 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:17:27:59 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:17:28:56 +0300] "GET /index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524
127.0.0.1 - - [20/Jul/2012:17:28:56 +0300] "GET / HTTP/1.1" 200 76771
127.0.0.1 - - [20/Jul/2012:17:28:56 +0300] "GET /index.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2146
127.0.0.1 - - [20/Jul/2012:17:28:56 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:17:29:03 +0300] "GET / HTTP/1.1" 200 44
127.0.0.1 - - [20/Jul/2012:17:29:03 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:18:26:02 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:18:26:08 +0300] "GET /index.php HTTP/1.1" 200 75943
127.0.0.1 - - [20/Jul/2012:18:26:08 +0300] "GET /index.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2146
127.0.0.1 - - [20/Jul/2012:18:26:08 +0300] "GET /index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524
127.0.0.1 - - [20/Jul/2012:18:26:08 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:18:26:36 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:18:27:23 +0300] "GET / HTTP/1.1" 200 75916
127.0.0.1 - - [20/Jul/2012:18:27:23 +0300] "GET /index.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2146
127.0.0.1 - - [20/Jul/2012:18:27:23 +0300] "GET /index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524
127.0.0.1 - - [20/Jul/2012:18:27:23 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:18:27:31 +0300] "GET /index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524
127.0.0.1 - - [20/Jul/2012:18:27:31 +0300] "GET /index.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2146
127.0.0.1 - - [20/Jul/2012:18:27:31 +0300] "GET /index.php HTTP/1.1" 200 75943
127.0.0.1 - - [20/Jul/2012:18:27:31 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:18:27:36 +0300] "GET / HTTP/1.1" 200 75915
127.0.0.1 - - [20/Jul/2012:18:27:36 +0300] "GET /index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524
127.0.0.1 - - [20/Jul/2012:18:27:36 +0300] "GET /index.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2146
127.0.0.1 - - [20/Jul/2012:18:27:36 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:18:28:03 +0300] "GET / HTTP/1.1" 200 44
127.0.0.1 - - [20/Jul/2012:18:28:03 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:18:29:26 +0300] "GET / HTTP/1.1" 200 44
127.0.0.1 - - [20/Jul/2012:18:29:26 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:18:30:16 +0300] "GET / HTTP/1.1" 200 75916
127.0.0.1 - - [20/Jul/2012:18:30:16 +0300] "GET /index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524
127.0.0.1 - - [20/Jul/2012:18:30:16 +0300] "GET /index.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2146
127.0.0.1 - - [20/Jul/2012:18:30:16 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:18:30:57 +0300] "GET /index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524
127.0.0.1 - - [20/Jul/2012:18:30:57 +0300] "GET /index.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2146
127.0.0.1 - - [20/Jul/2012:18:30:57 +0300] "GET / HTTP/1.1" 200 76151
127.0.0.1 - - [20/Jul/2012:18:30:57 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:18:31:59 +0300] "GET /index.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2146
127.0.0.1 - - [20/Jul/2012:18:31:59 +0300] "GET /index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524
127.0.0.1 - - [20/Jul/2012:18:31:59 +0300] "GET / HTTP/1.1" 200 76151
127.0.0.1 - - [20/Jul/2012:18:32:00 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:18:32:17 +0300] "GET / HTTP/1.1" 200 44
127.0.0.1 - - [20/Jul/2012:18:32:17 +0300] "GET /favicon.ico HTTP/1.1" 404 209
93.63.221.11 - - [21/Jul/2012:20:00:04 +0300] "HEAD / HTTP/1.0" 200 -
127.0.0.1 - - [22/Jul/2012:11:49:40 +0300] "GET /phpinfo.php HTTP/1.1" 404 209
127.0.0.1 - - [22/Jul/2012:11:49:40 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [25/Jul/2012:17:29:37 +0300] "GET / HTTP/1.0" 200 44
127.0.0.1 - - [25/Jul/2012:17:30:16 +0300] "GET / HTTP/1.0" 200 44
188.25.51.52 - - [25/Jul/2012:23:58:17 +0300] "GET / HTTP/1.1" 200 44
188.25.51.52 - - [25/Jul/2012:23:58:17 +0300] "GET /favicon.ico HTTP/1.1" 404 209
188.25.51.52 - - [26/Jul/2012:00:01:38 +0300] "GET /favicon.ico HTTP/1.1" 404 209
188.25.51.52 - - [26/Jul/2012:00:02:33 +0300] "GET /favicon.ico HTTP/1.1" 404 209
86.125.49.108 - - [29/Jul/2012:16:45:46 +0300] "B\xf4\xd5\xb9\x92^\xa1\xb6iyb\xfb$\xaa_\xcbUcks\"J" 501 239
207.150.188.84 - - [01/Aug/2012:01:41:29 +0300] "HEAD / HTTP/1.0" 200 -
192.168.0.2 - - [07/Aug/2012:23:57:11 +0300] "GET / HTTP/1.1" 200 44
192.168.0.2 - - [07/Aug/2012:23:57:16 +0300] "GET /favicon.ico HTTP/1.1" 404 209
192.168.0.2 - - [07/Aug/2012:23:57:32 +0300] "GET / HTTP/1.1" 200 44
192.168.0.2 - - [07/Aug/2012:23:57:34 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [08/Aug/2012:00:02:27 +0300] "GET / HTTP/1.1" 200 44
127.0.0.1 - - [08/Aug/2012:00:02:27 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [08/Aug/2012:00:04:25 +0300] "GET / HTTP/1.1" 200 44
127.0.0.1 - - [08/Aug/2012:00:04:25 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [08/Aug/2012:00:04:30 +0300] "GET / HTTP/1.1" 304 -
127.0.0.1 - - [08/Aug/2012:00:04:30 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [08/Aug/2012:00:04:36 +0300] "GET / HTTP/1.1" 304 -
127.0.0.1 - - [08/Aug/2012:00:04:36 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [08/Aug/2012:00:04:38 +0300] "GET / HTTP/1.1" 304 -
127.0.0.1 - - [08/Aug/2012:00:04:38 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [08/Aug/2012:00:08:33 +0300] "HEAD / HTTP/1.1" 200 -
127.0.0.1 - - [08/Aug/2012:00:08:53 +0300] "GET / HTTP/1.1" 200 44
127.0.0.1 - - [08/Aug/2012:00:08:53 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [08/Aug/2012:00:36:33 +0300] "GET / HTTP/1.0" 200 44
127.0.0.1 - - [25/Aug/2012:17:08:54 +0300] "GET / HTTP/1.0" 200 44
127.0.0.1 - - [03/Sep/2012:19:09:57 +0300] "GET / HTTP/1.0" 200 44
127.0.0.1 - - [03/Sep/2012:19:10:10 +0300] "GET / HTTP/1.0" 200 44
127.0.0.1 - - [17/Sep/2012:16:10:58 +0300] "GET / HTTP/1.1" 200 44
127.0.0.1 - - [17/Sep/2012:16:10:58 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [30/Sep/2012:13:03:45 +0300] "GET / HTTP/1.1" 200 44
127.0.0.1 - - [30/Sep/2012:13:03:46 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [03/Dec/2012:21:19:03 +0200] "GET / HTTP/1.1" 200 44
127.0.0.1 - - [03/Dec/2012:21:19:04 +0200] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [03/Dec/2012:21:19:04 +0200] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [03/Dec/2012:21:23:26 +0200] "GET /PasswareKit8.tar.gz HTTP/1.1" 200 7135482
85.122.132.5 - - [03/Dec/2012:21:26:27 +0200] "-" 408 -
91.233.135.60 - - [03/Dec/2012:21:27:38 +0200] "-" 408 -
188.25.48.199 - - [03/Dec/2012:21:27:40 +0200] "GET /PasswareKit8.tar.gz HTTP/1.1" 200 7135482
94.65.29.90 - - [03/Dec/2012:21:28:20 +0200] "\b\xde\xa9H\xdb]YUh\xbd\xb3\x7fL\x9a\xe7G\xb6\x81]^\xd8_]\x9b-" 501 223
94.66.79.120 - - [03/Dec/2012:21:28:29 +0200] "/3\xc1\x8b\xa8\xc1\xcc\x8ea\x18\xf9\x87\x80\x83\x90\x02bI\xad\xd4cD\x18\xa5\xef=\x06v\x86\xdfp\xc4\x1 6" 501 231
95.103.136.143 - - [03/Dec/2012:21:28:41 +0200] "\x9f\xd6\x8eC\x04\xf35\vA G\x14\xa2\x16\xf4\xe8\xf3\xf4\xe5\xe4uoR\xb8" 400 226
84.15.177.165 - - [03/Dec/2012:21:28:47 +0200] "-" 408 -
213.215.89.201 - - [03/Dec/2012:21:28:50 +0200] "\xeb\xe1,\xdf\x89\xd4E\xb4\xea" 501 207
188.36.179.170 - - [03/Dec/2012:21:29:11 +0200] "\x9a\xaa\xde\xa9\x82\x9f\xda4w\x88\xa4^\xd5\xbf\xe3Z~\xf1E\xf2T\xff\x8b\x07P\xe9U\xac\xd5\xceX\xa4\ xb3" 501 231
188.25.102.227 - - [03/Dec/2012:21:29:11 +0200] "GET /PasswareKit8.tar.gz HTTP/1.1" 200 7135482
41.139.170.246 - - [03/Dec/2012:21:29:32 +0200] "-" 408 -
91.225.97.245 - - [03/Dec/2012:21:30:58 +0200] "\xf0b\x06\xac\x1d$\xb5\xb0-\x1dz\x1d\xa0\xfd" 400 226
89.137.201.85 - - [03/Dec/2012:21:31:59 +0200] "-" 408 -
92.37.121.251 - - [03/Dec/2012:21:32:07 +0200] "\xc7\xe0\xc9\x8a\xb8\x8f\xfcv\xaa<C\xc6\x1c\x02\x10\x7f%@\x05\xa9\xb6d7\xed\xba\xa6\xca\xab\xed[" 501 231
62.4.63.34 - - [03/Dec/2012:21:32:31 +0200] "-" 408 -
84.44.172.84 - - [03/Dec/2012:21:32:43 +0200] "\x98\xafe\xc1\xfa\tYHo'H[\xd0}+\xf4\xc5\x15\x85\xf5 \xe2F\xfd\xca]\xc1\xf6\xd67\xa5\x85l" 400 226
77.28.252.91 - - [03/Dec/2012:21:33:22 +0200] "\xb5\x02E\xaa \x04\"\xeco\xba\xedY\xa6K\xc2\x94[\xba \x0fx\x9bmD\xc5F\xeb\xe7\xcd\x9f\x13\xf6fz\xe1\xff\x9a\xc2Y\x90@\x88\x16" 400 226
127.0.0.1 - - [13/Dec/2012:14:29:09 +0200] "GET / HTTP/1.1" 200 44
127.0.0.1 - - [13/Dec/2012:14:29:09 +0200] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [13/Dec/2012:14:29:10 +0200] "GET /favicon.ico HTTP/1.1" 404 209

mitusf · 12-13-2012, 08:59 AM

Quote:

The easiest way would have been to limit the firewall to only allow traffic between your web server and this persons address.

Yes, I know, with the -s option (source) to iptables. Thanks

Habitual · 12-13-2012, 09:33 AM

Quote:

Originally Posted by mitusf

Code:

94.65.29.90 - - [03/Dec/2012:21:28:20 +0200] "\b\xde\xa9H\xdb]YUh\xbd\xb3\x7fL\x9a\xe7G\xb6\x81]^\xd8_]\x9b-" 501 223
94.66.79.120 - - [03/Dec/2012:21:28:29 +0200] "/3\xc1\x8b\xa8\xc1\xcc\x8ea\x18\xf9\x87\x80\x83\x90\x02bI\xad\xd4cD\x18\xa5\xef=\x06v\x86\xdfp\xc4\x16" 501 231
95.103.136.143 - - [03/Dec/2012:21:28:41 +0200] "\x9f\xd6\x8eC\x04\xf35\vA G\x14\xa2\x16\xf4\xe8\xf3\xf4\xe5\xe4uoR\xb8" 400 226
84.15.177.165 - - [03/Dec/2012:21:28:47 +0200] "-" 408 -
213.215.89.201 - - [03/Dec/2012:21:28:50 +0200] "\xeb\xe1,\xdf\x89\xd4E\xb4\xea" 501 207
188.36.179.170 - - [03/Dec/2012:21:29:11 +0200] "\x9a\xaa\xde\xa9\x82\x9f\xda4w\x88\xa4^\xd5\xbf\xe3Z~\xf1E\xf2T\xff\x8b\x07P\xe9U\xac\xd5\xceX\xa4\xb3" 501 231
41.139.170.246 - - [03/Dec/2012:21:29:32 +0200] "-" 408 -
91.225.97.245 - - [03/Dec/2012:21:30:58 +0200] "\xf0b\x06\xac\x1d$\xb5\xb0-\x1dz\x1d\xa0\xfd" 400 226
89.137.201.85 - - [03/Dec/2012:21:31:59 +0200] "-" 408 -
92.37.121.251 - - [03/Dec/2012:21:32:07 +0200] "\xc7\xe0\xc9\x8a\xb8\x8f\xfcv\xaa<C\xc6\x1c\x02\x10\x7f%@\x05\xa9\xb6d7\xed\xba\xa6\xca\xab\xed[" 501 231
62.4.63.34 - - [03/Dec/2012:21:32:31 +0200] "-" 408 -
84.44.172.84 - - [03/Dec/2012:21:32:43 +0200] "\x98\xafe\xc1\xfa\tYHo'H[\xd0}+\xf4\xc5\x15\x85\xf5 \xe2F\xfd\xca]\xc1\xf6\xd67\xa5\x85l" 400 226
77.28.252.91 - - [03/Dec/2012:21:33:22 +0200] "\xb5\x02E\xaa \x04\"\xeco\xba\xedY\xa6K\xc2\x94[\xba \x0fx\x9bmD\xc5F\xeb\xe7\xcd\x9f\x13\xf6fz\xe1\xff\x9a\xc2Y\x90@\x88\x16" 400 226

The above looks like shell-code in hexadecimal.

Quote:

58.19.177.4 - - [09/Mar/2012:12:53:46 +0200] "GET //phpMyAdmin-2/index.php HTTP/1.1" 404 220
58.19.177.4 - - [09/Mar/2012:12:53:50 +0200] "GET //phpMyAdmin-2.2.3/index.php HTTP/1.1" 404 224
58.19.177.4 - - [09/Mar/2012:12:53:51 +0200] "GET //phpMyAdmin-2.2.6/index.php HTTP/1.1" 404 224
58.19.177.4 - - [09/Mar/2012:12:53:52 +0200] "GET //phpMyAdmin-2.5.1/index.php HTTP/1.1" 404 224
58.19.177.4 - - [09/Mar/2012:12:53:56 +0200] "GET //phpMyAdmin-2.5.5-rc1/index.php HTTP/1.1" 404 228
58.19.177.4 - - [09/Mar/2012:12:53:57 +0200] "GET //phpMyAdmin-2.5.5-rc2/index.php HTTP/1.1" 404 228
58.19.177.4 - - [09/Mar/2012:12:53:58 +0200] "GET //phpMyAdmin-2.5.5/index.php HTTP/1.1" 404 224
58.19.177.4 - - [09/Mar/2012:12:53:59 +0200] "GET //phpMyAdmin-2.5.5-pl1/index.php HTTP/1.1" 404 228
58.19.177.4 - - [09/Mar/2012:12:54:00 +0200] "GET //phpMyAdmin-2.5.6-rc1/index.php HTTP/1.1" 404 228
58.19.177.4 - - [09/Mar/2012:12:54:09 +0200] "GET //phpMyAdmin-2.5.6/index.php HTTP/1.1" 404 224
58.19.177.4 - - [09/Mar/2012:12:54:10 +0200] "GET //phpMyAdmin-2.5.7/index.php HTTP/1.1" 404 224
58.19.177.4 - - [09/Mar/2012:12:54:11 +0200] "GET //phpMyAdmin-2.5.7-pl1/index.php HTTP/1.1" 404 228

and the below looks like it's checking for phpMyAdmin exploit targets.
The "404 nnn" pairs are just apache error codes (the first one is anyway)