LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 12-12-2012, 01:32 PM   #1
mitusf
Member
 
Registered: Nov 2011
Location: Bucharest, Romania
Distribution: Slackware
Posts: 141

Rep: Reputation: 2
What do these httpd log file entries mean?


I have noticed some strange activity on my web server's log file, every time I started it.

Code:
94.65.29.90 - - [03/Dec/2012:21:28:20 +0200] "\b\xde\xa9H\xdb]YUh\xbd\xb3\x7fL\x9a\xe7G\xb6\x81]^\xd8_]\x9b-" 501 223
94.66.79.120 - - [03/Dec/2012:21:28:29 +0200] "/3\xc1\x8b\xa8\xc1\xcc\x8ea\x18\xf9\x87\x80\x83\x90\x02bI\xad\xd4cD\x18\xa5\xef=\x06v\x86\xdfp\xc4\x16" 501 231
95.103.136.143 - - [03/Dec/2012:21:28:41 +0200] "\x9f\xd6\x8eC\x04\xf35\vA G\x14\xa2\x16\xf4\xe8\xf3\xf4\xe5\xe4uoR\xb8" 400 226
84.15.177.165 - - [03/Dec/2012:21:28:47 +0200] "-" 408 -
213.215.89.201 - - [03/Dec/2012:21:28:50 +0200] "\xeb\xe1,\xdf\x89\xd4E\xb4\xea" 501 207
188.36.179.170 - - [03/Dec/2012:21:29:11 +0200] "\x9a\xaa\xde\xa9\x82\x9f\xda4w\x88\xa4^\xd5\xbf\xe3Z~\xf1E\xf2T\xff\x8b\x07P\xe9U\xac\xd5\xceX\xa4\xb3" 501 231
41.139.170.246 - - [03/Dec/2012:21:29:32 +0200] "-" 408 -
91.225.97.245 - - [03/Dec/2012:21:30:58 +0200] "\xf0b\x06\xac\x1d$\xb5\xb0-\x1dz\x1d\xa0\xfd" 400 226
89.137.201.85 - - [03/Dec/2012:21:31:59 +0200] "-" 408 -
92.37.121.251 - - [03/Dec/2012:21:32:07 +0200] "\xc7\xe0\xc9\x8a\xb8\x8f\xfcv\xaa<C\xc6\x1c\x02\x10\x7f%@\x05\xa9\xb6d7\xed\xba\xa6\xca\xab\xed[" 501 231
62.4.63.34 - - [03/Dec/2012:21:32:31 +0200] "-" 408 -
84.44.172.84 - - [03/Dec/2012:21:32:43 +0200] "\x98\xafe\xc1\xfa\tYHo'H[\xd0}+\xf4\xc5\x15\x85\xf5 \xe2F\xfd\xca]\xc1\xf6\xd67\xa5\x85l" 400 226
77.28.252.91 - - [03/Dec/2012:21:33:22 +0200] "\xb5\x02E\xaa \x04\"\xeco\xba\xedY\xa6K\xc2\x94[\xba \x0fx\x9bmD\xc5F\xeb\xe7\xcd\x9f\x13\xf6fz\xe1\xff\x9a\xc2Y\x90@\x88\x16" 400 226
I think these are all break-in attempts, but I do not really know what all these represent. What do you think? Am I safe for this kind of requests?

Thank you.
 
Old 12-13-2012, 04:42 AM   #2
lkraemer
Member
 
Registered: Aug 2008
Posts: 111

Rep: Reputation: 10
mitusf,
Just from the locations of the IP Addresses, I'd say that is exactly what the problem is. It appears as if you need to setup
some IP Firewall Rules (IPFW) Rules or install Fail2Ban to block those type of hacking attempts.

What ports are open on your Router to the WAN?
Have you scanned with nmap to verify the Open Ports on your Router, Server, Clients? That is where I'd suggest starting.
ie. nmap -sS 192.168.0.4
You can Terminate the WAN Access while you continue the LAN Access for your local Clients, until you have the Security implemented.
Be sure that root access IS NOT ENABLED.
Be sure that Password Access IS NOT ENABLED if you have WAN access ENABLED. Use Secure RSA or DSA Keys.
You can move the Router ports for SSH or FTP access to a Port higher than 10000 in your Router, to access Ports 21 or 22 on your LAN.
ie, FTP in on Router Port 49650 (which is forwarded to 21 on your LAN)
Be sure to keep an eye on your Logs daily, to make sure you are the only one accessing your Server, until you are 100% sure.

I'd suggest that you stop all Port Forwarding, or take your Server offline until you get tighter security implemented, as per
the suggested Documents below.

As a NAS4Free Supporter, I've created some documents that may help lead you through a similar situation I had on my NAS4Free Server.
While these Documents are for NAS4Free, the methods discussed will be typical for your webserver. The documents are located at:
http://forums.nas4free.org/viewtopic.php?f=55&t=225
http://forums.nas4free.org/viewtopic.php?f=55&t=233

HOWTO Area
http://forums.nas4free.org/viewforum...203b067b5d2f32

Extensions/Addons
http://forums.nas4free.org/viewforum...203b067b5d2f32

Nmap usage
http://www.irongeek.com/i.php?page=videos/nmap1

There are other documents as well, discussing using FTP transfers and using SSH with DSA Keys. It might be worth your while to read
those documents too.

Good Luck.

Larry

Last edited by lkraemer; 12-13-2012 at 05:37 AM.
 
1 members found this post helpful.
Old 12-13-2012, 05:07 AM   #3
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,896

Rep: Reputation: 774Reputation: 774Reputation: 774Reputation: 774Reputation: 774Reputation: 774Reputation: 774
I've got my doubts; while the general structure does look similar to an XSS, look at all those 501s, 400s and 408s. That suggests to me that your server is sending out something 'random' and a server at the other end is responding with some kind of error.

Just check that you aren't sending out something unexpected, on start up (ntp?, dns?, checking outdated/wrong locations being for software updates?, etc).

If that's not it, then go ahead and block while further investigation is ongoing, but while it is strange I'm not yet convinced of malicious.

@lkraemer
Quote:
Just from the locations of the IP Addresses...
The few that I looked at didn't have particularly suspicious origin locations, but looked to be close-by Middle-European states, so what were you seeing that raised suspicions?
 
1 members found this post helpful.
Old 12-13-2012, 05:19 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,132
Blog Entries: 54

Rep: Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790
Quote:
Originally Posted by mitusf View Post
I think these are all break-in attempts, but I do not really know what all these represent.
Maybe somebody else can but I haven't been able to decipher it.


Quote:
Originally Posted by mitusf View Post
What do you think? Am I safe for this kind of requests?
While this is a very selective view of things, only a few access_log lines paint a different picture than posting all access_log and error_log entries for these hosts, you can see all these requests have return codes of 400 "Bad request", 408 "Request timeout" or 501 "Not implemented". "Safe" depends on what the web server, and whatever you run in your web stack, return. In this case the web server doesn't appear to yield anything making these requests not successful.
 
1 members found this post helpful.
Old 12-13-2012, 05:28 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,132
Blog Entries: 54

Rep: Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790
Quote:
Originally Posted by salasi View Post
That suggests to me that your server is sending out something 'random' and a server at the other end is responding with some kind of error. Just check that you aren't sending out something unexpected, on start up (ntp?, dns?, checking outdated/wrong locations being for software updates?, etc).
Now that's an interesting thought.
 
Old 12-13-2012, 05:59 AM   #6
lkraemer
Member
 
Registered: Aug 2008
Posts: 111

Rep: Reputation: 10
salasi,
Some of the IP addresses I verified were from Athens, Greece & Budapest, Hungary. I just can't imagine his server contacting
these IP's when it's running, but I guess it's possible.

The 408 errors are for HTTP Request Timeout. ie........
The Web server (running the Web site) thinks that there has been too long an interval of time between 1) the establishment of an IP connection (socket) between the client (e.g. your Web browser) and the server and 2) the receipt of any data on that socket, so the server has dropped the connection. The request from the client must be repeated - in a timely manner.

It would be an interesting test to prevent WAN access, then restart his server to see what is logged. That would give us more
detail as to where the connections originate from, depending on the message log.

Thanks.

Larry
 
1 members found this post helpful.
Old 12-13-2012, 06:17 AM   #7
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,896

Rep: Reputation: 774Reputation: 774Reputation: 774Reputation: 774Reputation: 774Reputation: 774Reputation: 774
Quote:
Originally Posted by lkraemer View Post
salasi,
Some of the IP addresses I verified were from Athens, Greece & Budapest, Hungary.
Yes, but he (and his server???) are in Bucharest, so they seem to be relatively local. I mean its not exactly the list of countries most noted for hacking attempts, even though you shouldn't draw hard and fast conclusions from the country alone.
 
1 members found this post helpful.
Old 12-13-2012, 06:23 AM   #8
mitusf
Member
 
Registered: Nov 2011
Location: Bucharest, Romania
Distribution: Slackware
Posts: 141

Original Poster
Rep: Reputation: 2
Larry, thanks for the suggestions. I think they are valuable. About the firewall, I have it set up, no problem with that, I usually am not using my web server, but recently I need it for allowing someone quickly transfer a big file, and not using ftp/rsync. So I allowed access to it and these messages showed up, and this has happened before. So I'll need to make more tests with it, as salasi said it might be transferring something, to be sure that those messages were not generated from that file transfer, although in this situation I do not understand why there are different IPs from the IP which was transferring the file. BTW, I so not have a router, my server/workstation just acts like one (in the iptables), but this is something else of course.
 
Old 12-13-2012, 06:31 AM   #9
mitusf
Member
 
Registered: Nov 2011
Location: Bucharest, Romania
Distribution: Slackware
Posts: 141

Original Poster
Rep: Reputation: 2
Quote:
It would be an interesting test to prevent WAN access, then restart his server to see what is logged. That would give us more
detail as to where the connections originate from, depending on the message log.
The server is always running but it is firewall-ed for outside access. So I do not get any messages at all.
 
Old 12-13-2012, 06:50 AM   #10
mitusf
Member
 
Registered: Nov 2011
Location: Bucharest, Romania
Distribution: Slackware
Posts: 141

Original Poster
Rep: Reputation: 2
What I can surely say is that those kind of messages did not appear all the time in history (when the server was opened), and they appeared suddenly, nothing triggered them. For example, right now it is opened and it's ok so far. But tomorrow, or some day after, it will show up again. Strange... I still think these are just break in attempts.
 
Old 12-13-2012, 07:56 AM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,132
Blog Entries: 54

Rep: Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790
Quote:
Originally Posted by mitusf View Post
recently I need it for allowing someone quickly transfer a big file, and not using ftp/rsync.
The easiest way would have been to limit the firewall to only allow traffic between your web server and this persons address.


Quote:
Originally Posted by mitusf View Post
I do not understand why (..) I still think
Instead start by having sufficient data logged: firewall, Snort for signature-based scrubbing, Wireshark for packet analysis. That may help you analyze things better.
 
1 members found this post helpful.
Old 12-13-2012, 08:19 AM   #12
OlRoy
Member
 
Registered: Dec 2002
Posts: 304

Rep: Reputation: 86
Seeing logs that contain hex and some printable ascii characters, makes me think binary data, and possibly shellcode.

213.215.89.201 - - [03/Dec/2012:21:28:50 +0200] "\xeb\xe1,\xdf\x89\xd4E\xb4\xea" 501 207


Code:
$ rasm2 -d 'eb e1 2c df 89 d4 45 b4 ea'
jmp 0x8047fe3
sub al, 0xdf
mov esp, edx
inc ebp
mov ah, 0xea
I'm definitely not familiar enough with Linux shellcode to say whether that is part of valid shellcode, but the above are all very common instructions. As unSpawn was saying, it's hard to say much without more context...

Last edited by OlRoy; 12-13-2012 at 08:23 AM.
 
1 members found this post helpful.
Old 12-13-2012, 08:49 AM   #13
mitusf
Member
 
Registered: Nov 2011
Location: Bucharest, Romania
Distribution: Slackware
Posts: 141

Original Poster
Rep: Reputation: 2
ok, here it is a larger image logfile; just in case someone wants to make an ideea

Quote:
188.25.29.61 - - [07/Jan/2012:16:22:27 +0200] "OPTIONS / HTTP/1.1" 200 -
200.27.129.124 - - [07/Jan/2012:16:30:11 +0200] "HEAD / HTTP/1.0" 200 -
187.115.68.232 - - [08/Jan/2012:22:29:48 +0200] "HEAD / HTTP/1.0" 200 -
122.228.236.136 - - [09/Jan/2012:15:22:02 +0200] "CONNECT smtp.mail.yahoo.com.cn:25 HTTP/1.0" 405 235
187.58.58.136 - - [10/Jan/2012:19:14:37 +0200] "HEAD / HTTP/1.0" 200 -
127.0.0.1 - - [15/Jan/2012:17:12:39 +0200] "GET /dojo/firebug/firebug.js HTTP/1.1" 404 221
62.244.184.159 - - [19/Jan/2012:10:58:16 +0200] "'\xear!;\xeby0&8&\xb8\xca\x0es6\x05\x8d\xec" 501 239
212.79.110.26 - - [19/Jan/2012:23:55:08 +0200] "GET / HTTP/1.0" 200 44
66.249.72.84 - - [28/Jan/2012:13:22:30 +0200] "GET /index.php?option=com_k2&view=item&id=10950:tape-teflon-go-to-tapet HTTP/1.1" 404 207
66.249.72.84 - - [28/Jan/2012:13:26:22 +0200] "GET /index.php?option=com_k2&view=item&id=10953:disc-stickit-6-psa-p80a-a0-12 HTTP/1.1" 404 207
66.249.72.84 - - [28/Jan/2012:13:30:14 +0200] "GET /index.php?option=com_k2&view=item&id=10954:disc-stickit-6-220a-sc-250ro&tmpl=component&print=1 HTTP/1.1" 404 207
190.68.69.234 - - [29/Jan/2012:21:08:51 +0200] "HEAD / HTTP/1.0" 200 -
218.6.16.52 - - [31/Jan/2012:11:42:47 +0200] "HEAD / HTTP/1.0" 200 -
84.175.204.134 - - [31/Jan/2012:21:06:50 +0200] "w\xf1oP\xc4" 501 217
118.139.162.208 - - [04/Feb/2012:11:11:13 +0200] "GET /w00tw00t.at.ISC.SANS.DFind HTTP/1.1" 400 226
188.25.55.187 - - [05/Feb/2012:18:26:11 +0200] "OPTIONS / HTTP/1.1" 200 -
188.25.165.62 - - [07/Feb/2012:14:05:52 +0200] "1\xa3\xbd\x15\x07\xa3\x16\x81\x91\x8aY\xa5\xe1h\xf7\xe2\x96p\xff\x0c\xd5(\xbb\xe4\xa9\x03\x1a]P\x146|\xf7\xf0~\xed\xef\xa5\x12K\xe2\xbf\xd9\xbf" 400 226
219.143.8.143 - - [09/Feb/2012:18:27:51 +0200] "HEAD / HTTP/1.0" 200 -
77.45.247.48 - - [11/Feb/2012:17:12:32 +0200] "\xf5\xaa-c\xcc\xc4d\xbfa#\x96\xe8=\x93" 501 226
94.236.134.205 - - [14/Feb/2012:20:57:15 +0200] "\xa7" 501 213
83.252.42.4 - - [15/Feb/2012:14:56:25 +0200] "\xef\x8a\xca\xff" 501 216
92.114.128.51 - - [18/Feb/2012:22:13:36 +0200] "\xa9tjp\xf1m" 501 218
204.93.180.13 - - [20/Feb/2012:04:20:10 +0200] "GET / HTTP/1.0" 200 44
94.228.217.228 - - [23/Feb/2012:19:04:26 +0200] "GET / HTTP/1.1" 200 44
38.104.240.146 - - [29/Feb/2012:21:12:35 +0200] "HEAD / HTTP/1.0" 200 -
212.25.45.125 - - [07/Mar/2012:10:20:23 +0200] "\xd6\x9b\xf3.\xab\xb5.\xd66" 501 221
188.254.138.182 - - [07/Mar/2012:10:20:57 +0200] "\xf2\bt1jTZ\xd3(\xb1\xbfj63\xc7\xf9\x96\x1e\xb2s'CpC\xc6!\x0e\xb0v\x11\x1c" 501 243
80.138.137.59 - - [07/Mar/2012:11:45:23 +0200] "!s\xa7\xf9\xaf\x83m--\x9b\x86\xf4\x85\x05\xc7VY8o\xd1\x06\x05\xeb\x81\x91\x06\\\x87\x06\xee\xda|\xfb\x1d\x0c\x90\x92\xca\ xe1%," 400 226
94.137.223.249 - - [07/Mar/2012:11:54:46 +0200] "\x16\xd3M\xcbo\xa3`" 501 219
109.102.18.66 - - [08/Mar/2012:13:02:06 +0200] "\x93\x99,\x1a9\xd5\x17E\xaa" 501 221
58.19.177.4 - - [09/Mar/2012:12:53:13 +0200] "GET /muieblackcat HTTP/1.1" 404 210
58.19.177.4 - - [09/Mar/2012:12:53:14 +0200] "GET //index.php HTTP/1.1" 404 207
58.19.177.4 - - [09/Mar/2012:12:53:15 +0200] "GET //admin/index.php HTTP/1.1" 404 213
58.19.177.4 - - [09/Mar/2012:12:53:16 +0200] "GET //admin/pma/index.php HTTP/1.1" 404 217
58.19.177.4 - - [09/Mar/2012:12:53:17 +0200] "GET //admin/phpmyadmin/index.php HTTP/1.1" 404 224
58.19.177.4 - - [09/Mar/2012:12:53:18 +0200] "GET //db/index.php HTTP/1.1" 404 210
58.19.177.4 - - [09/Mar/2012:12:53:19 +0200] "GET //dbadmin/index.php HTTP/1.1" 404 215
58.19.177.4 - - [09/Mar/2012:12:53:20 +0200] "GET //myadmin/index.php HTTP/1.1" 404 215
58.19.177.4 - - [09/Mar/2012:12:53:21 +0200] "GET //mysql/index.php HTTP/1.1" 404 213
58.19.177.4 - - [09/Mar/2012:12:53:25 +0200] "GET //typo3/phpmyadmin/index.php HTTP/1.1" 404 224
58.19.177.4 - - [09/Mar/2012:12:53:29 +0200] "GET //phpMyAdmin/index.php HTTP/1.1" 404 218
58.19.177.4 - - [09/Mar/2012:12:53:30 +0200] "GET //phpmyadmin/index.php HTTP/1.1" 404 218
58.19.177.4 - - [09/Mar/2012:12:53:31 +0200] "GET //phpmyadmin1/index.php HTTP/1.1" 404 219
58.19.177.4 - - [09/Mar/2012:12:53:32 +0200] "GET //phpmyadmin2/index.php HTTP/1.1" 404 219
58.19.177.4 - - [09/Mar/2012:12:53:36 +0200] "GET //web/phpMyAdmin/index.php HTTP/1.1" 404 222
58.19.177.4 - - [09/Mar/2012:12:53:38 +0200] "GET //xampp/phpmyadmin/index.php HTTP/1.1" 404 224
58.19.177.4 - - [09/Mar/2012:12:53:39 +0200] "GET //web/index.php HTTP/1.1" 404 211
58.19.177.4 - - [09/Mar/2012:12:53:40 +0200] "GET //php-my-admin/index.php HTTP/1.1" 404 220
58.19.177.4 - - [09/Mar/2012:12:53:41 +0200] "GET //websql/index.php HTTP/1.1" 404 214
58.19.177.4 - - [09/Mar/2012:12:53:42 +0200] "GET //phpmyadmin/index.php HTTP/1.1" 404 218
58.19.177.4 - - [09/Mar/2012:12:53:46 +0200] "GET //phpMyAdmin-2/index.php HTTP/1.1" 404 220
58.19.177.4 - - [09/Mar/2012:12:53:50 +0200] "GET //phpMyAdmin-2.2.3/index.php HTTP/1.1" 404 224
58.19.177.4 - - [09/Mar/2012:12:53:51 +0200] "GET //phpMyAdmin-2.2.6/index.php HTTP/1.1" 404 224
58.19.177.4 - - [09/Mar/2012:12:53:52 +0200] "GET //phpMyAdmin-2.5.1/index.php HTTP/1.1" 404 224
58.19.177.4 - - [09/Mar/2012:12:53:56 +0200] "GET //phpMyAdmin-2.5.5-rc1/index.php HTTP/1.1" 404 228
58.19.177.4 - - [09/Mar/2012:12:53:57 +0200] "GET //phpMyAdmin-2.5.5-rc2/index.php HTTP/1.1" 404 228
58.19.177.4 - - [09/Mar/2012:12:53:58 +0200] "GET //phpMyAdmin-2.5.5/index.php HTTP/1.1" 404 224
58.19.177.4 - - [09/Mar/2012:12:53:59 +0200] "GET //phpMyAdmin-2.5.5-pl1/index.php HTTP/1.1" 404 228
58.19.177.4 - - [09/Mar/2012:12:54:00 +0200] "GET //phpMyAdmin-2.5.6-rc1/index.php HTTP/1.1" 404 228
58.19.177.4 - - [09/Mar/2012:12:54:09 +0200] "GET //phpMyAdmin-2.5.6/index.php HTTP/1.1" 404 224
58.19.177.4 - - [09/Mar/2012:12:54:10 +0200] "GET //phpMyAdmin-2.5.7/index.php HTTP/1.1" 404 224
58.19.177.4 - - [09/Mar/2012:12:54:11 +0200] "GET //phpMyAdmin-2.5.7-pl1/index.php HTTP/1.1" 404 228
86.121.80.40 - - [11/Mar/2012:22:37:38 +0200] "GET / HTTP/1.1" 200 44
195.94.188.246 - - [12/Mar/2012:19:58:44 +0200] "HEAD / HTTP/1.0" 200 -
81.218.165.207 - - [13/Mar/2012:17:13:47 +0200] "HEAD / HTTP/1.0" 200 -
64.53.223.83 - - [15/Mar/2012:12:47:20 +0200] "`Q\x86\xc2\xa2" 501 217
200.186.124.22 - - [16/Mar/2012:14:52:41 +0200] "HEAD / HTTP/1.0" 200 -
213.122.191.155 - - [17/Mar/2012:12:16:39 +0200] "HEAD / HTTP/1.0" 200 -
85.195.91.187 - - [17/Mar/2012:18:23:38 +0200] "GET /w00tw00t.at.ISC.SANS.DFind HTTP/1.1" 400 226
219.92.46.66 - - [29/Mar/2012:12:40:44 +0300] "HEAD / HTTP/1.0" 200 -
77.42.224.32 - - [07/Apr/2012:20:35:33 +0300] "\x17K1\xfe\x8c!\xd6]\xb0w\xb8\xcan;\xd9\xf5\x8b\xb7c\x1e\x01\\\xe1\xccQ\b" 501 238
124.193.160.245 - - [08/Apr/2012:14:32:33 +0300] "HEAD / HTTP/1.0" 200 -
42.228.0.77 - - [08/Apr/2012:20:37:38 +0300] "HEAD /manager/html HTTP/1.0" 404 -
200.9.244.90 - - [08/Apr/2012:23:02:37 +0300] "HEAD / HTTP/1.0" 200 -
92.240.68.153 - - [24/Apr/2012:08:22:12 +0300] "GET http://www.celebridiot.com/wp-conten...08/12/zune.jpg HTTP/1.1" 404 233
74.63.226.226 - - [29/Apr/2012:00:48:17 +0300] "GET /w00tw00t.at.ISC.SANS.DFind HTTP/1.1" 400 226
157.164.189.39 - - [29/Apr/2012:18:59:40 +0300] "HEAD / HTTP/1.0" 200 -
23.21.128.180 - - [30/Apr/2012:18:33:00 +0300] "HEAD /manager/status HTTP/1.1" 404 -
122.116.25.237 - - [02/May/2012:17:46:16 +0300] "\xb7\x8f\x19_\xc4\xf1\x1c\xe8\xa0\\\xbb\v\xe3c\x9dv\x0e3p\\\x85\x1c?\xf1\xcc\xe9\xb1UN.dn\xf4" 400 226
94.64.20.36 - - [02/May/2012:17:53:32 +0300] "\xb2\xf9\x9e\xf1|\xac\x83\xd0\xcf\xbdR\x1e\xa8\xaf\x8d\xc1\x0f]\x95?" 501 232
84.217.243.153 - - [02/May/2012:17:56:03 +0300] "\x86!\x07yA\xa5\xe1\"\x01\xc0\xf3+\xec\x9e%\xf0U\xb7\xc3" 501 236
109.242.39.190 - - [02/May/2012:18:04:31 +0300] "\xfa\xcc%xT\xd3" 501 218
200.161.249.231 - - [02/May/2012:18:06:15 +0300] "W\xe4\x9c\x81T^\x16\xecxn\xe8w\xb6\x88\x01\xe3J\xf1\xd2\xfc\xc0\x0e\xe0\xc8\xcbH\xa2\x034F\xf0" 501 243
58.168.196.170 - - [02/May/2012:18:07:57 +0300] "\xae\x9b\x87-\xc6" 501 217
113.12.94.158 - - [06/May/2012:19:57:50 +0300] "HEAD / HTTP/1.0" 200 -
220.237.29.96 - - [07/May/2012:23:30:53 +0300] "\xa3\xca" 501 214
128.59.14.73 - - [09/May/2012:17:28:17 +0300] "GET / HTTP/1.1" 200 44
81.88.77.136 - - [10/May/2012:16:54:24 +0300] "HEAD / HTTP/1.0" 200 -
23.20.104.39 - - [10/May/2012:17:17:30 +0300] "HEAD / HTTP/1.0" 200 -
89.136.34.1 - - [14/May/2012:00:47:30 +0300] "nk\xe7\xad\"|\x8b\xa9\xb0\xe6\xb1\xefZ\"\xba\xea\x02vN}\x90\xec\xc7\x9b\xa78\xcf\xabV\xe8\x01\x7f\x 85\xaa\xf6\\;\xf2" 501 260
186.227.105.190 - - [19/May/2012:13:50:03 +0300] "HEAD / HTTP/1.0" 200 -
186.56.33.138 - - [19/May/2012:14:11:20 +0300] "HEAD / HTTP/1.0" 200 -
118.172.139.216 - - [19/May/2012:20:13:59 +0300] "HEAD / HTTP/1.0" 200 -
127.0.0.1 - - [19/May/2012:22:05:28 +0300] "GET / HTTP/1.0" 200 44
127.0.0.1 - - [16/Jun/2012:17:50:59 +0300] "GET / HTTP/1.1" 200 44
127.0.0.1 - - [16/Jun/2012:17:50:59 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [16/Jun/2012:17:51:59 +0300] "GET /favicon.ico HTTP/1.1" 404 209
188.25.105.255 - - [17/Jun/2012:18:10:14 +0300] "OPTIONS / HTTP/1.1" 200 -
201.56.128.2 - - [18/Jun/2012:19:47:45 +0300] "HEAD / HTTP/1.0" 200 -
218.65.61.28 - - [19/Jun/2012:19:15:13 +0300] "GET /w00tw00t.at.ISC.SANS.DFind HTTP/1.1" 400 226
210.212.239.86 - - [20/Jun/2012:12:13:51 +0300] "HEAD / HTTP/1.0" 200 -
109.97.161.65 - - [20/Jun/2012:12:34:15 +0300] "v?\xe1?,\xd55|\t\x96\xca[\x84\xbd\xdb2G\xc79vT\xac\xb8\xcf\xeb\xc9\x0f\xf4\xc1|\x96\x98\x1e\xedp\x9c\xc4\xb7\xc2y\xd0)\xb5rZ< \x9e$\xc2\xcd\xbb" 400 226
46.166.144.203 - - [20/Jun/2012:16:41:34 +0300] "HEAD / HTTP/1.1" 200 -
46.17.97.178 - - [21/Jun/2012:19:00:04 +0300] "GET / HTTP/1.1" 200 44
203.186.69.230 - - [21/Jun/2012:20:30:05 +0300] "GET /phpmyadmin/translators.html HTTP/1.1" 404 225
95.120.227.60 - - [21/Jun/2012:23:08:31 +0300] "\xdf\x18g\xc9%\x8f\xca4\x05\xd8.\x8c\xe1\xd4\xcb\xea\x8e\xd1\xd7B\xbeM\x1f" 501 235
127.0.0.1 - - [22/Jun/2012:00:41:17 +0300] "HEAD / HTTP/1.1" 200 -
127.0.0.1 - - [22/Jun/2012:00:41:24 +0300] "GET /favicon.ico HTTP/1.1" 404 209
188.25.111.115 - - [22/Jun/2012:15:58:22 +0300] "GET / HTTP/1.1" 200 44
188.25.111.115 - - [22/Jun/2012:15:58:22 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [22/Jun/2012:16:00:56 +0300] "GET /favicon.ico HTTP/1.1" 404 209
188.25.111.115 - - [22/Jun/2012:16:01:33 +0300] "GET /favicon.ico HTTP/1.1" 404 209
194.145.159.253 - - [22/Jun/2012:16:03:36 +0300] "GET / HTTP/1.1" 200 44
194.145.159.253 - - [22/Jun/2012:16:03:36 +0300] "GET /favicon.ico HTTP/1.1" 404 209
188.25.111.115 - - [22/Jun/2012:16:16:43 +0300] "GET //phpmyadmin/translators.html HTTP/1.1" 404 225
188.25.111.115 - - [22/Jun/2012:16:16:43 +0300] "GET /favicon.ico HTTP/1.1" 404 209
187.75.153.207 - - [01/Jul/2012:16:21:40 +0300] "GET http://www.sina.com.cn/ HTTP/1.1" 200 44
188.24.231.145 - - [04/Jul/2012:16:49:50 +0300] "\r\x13m\xf3\xd4y|\xb5\xbbZ\xf2!\xef5\x06rJ\x1a/\xaeP" 400 226
222.106.7.66 - - [07/Jul/2012:18:07:08 +0300] "HEAD / HTTP/1.0" 200 -
12.144.49.14 - - [12/Jul/2012:14:25:37 +0300] "HEAD / HTTP/1.0" 200 -
127.0.0.1 - - [15/Jul/2012:14:19:17 +0300] "GET / HTTP/1.0" 200 44
127.0.0.1 - - [19/Jul/2012:20:49:23 +0300] "GET / HTTP/1.1" 200 44
127.0.0.1 - - [19/Jul/2012:20:49:23 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [19/Jul/2012:20:49:30 +0300] "GET / HTTP/1.1" 200 44
127.0.0.1 - - [19/Jul/2012:20:49:30 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [19/Jul/2012:21:00:34 +0300] "GET /index.php HTTP/1.1" 200 24
127.0.0.1 - - [19/Jul/2012:21:00:34 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [19/Jul/2012:21:01:16 +0300] "GET /index.php HTTP/1.1" 200 24
127.0.0.1 - - [19/Jul/2012:21:01:16 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [19/Jul/2012:21:01:20 +0300] "GET /index.php HTTP/1.1" 304 -
127.0.0.1 - - [19/Jul/2012:21:01:20 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [19/Jul/2012:21:02:32 +0300] "GET /index.php HTTP/1.1" 304 -
127.0.0.1 - - [19/Jul/2012:21:02:32 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [19/Jul/2012:21:02:35 +0300] "GET /index.php HTTP/1.1" 304 -
127.0.0.1 - - [19/Jul/2012:21:02:35 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [19/Jul/2012:21:05:21 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [19/Jul/2012:21:05:24 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [19/Jul/2012:21:11:29 +0300] "GET /index.php HTTP/1.1" 304 -
127.0.0.1 - - [19/Jul/2012:21:11:29 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [19/Jul/2012:21:12:03 +0300] "GET /index.php HTTP/1.1" 304 -
127.0.0.1 - - [19/Jul/2012:21:12:03 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [19/Jul/2012:21:12:08 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [19/Jul/2012:21:20:36 +0300] "GET /index.php.2 HTTP/1.1" 200 24
127.0.0.1 - - [19/Jul/2012:21:20:36 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [19/Jul/2012:23:24:50 +0300] "HEAD / HTTP/1.1" 200 -
127.0.0.1 - - [19/Jul/2012:23:25:03 +0300] "GET / HTTP/1.1" 200 44
127.0.0.1 - - [19/Jul/2012:23:25:03 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [19/Jul/2012:23:25:15 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [19/Jul/2012:23:27:15 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:17:25:05 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:17:25:09 +0300] "GET /index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524
127.0.0.1 - - [20/Jul/2012:17:25:09 +0300] "GET /index.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2146
127.0.0.1 - - [20/Jul/2012:17:25:09 +0300] "GET /index.php HTTP/1.1" 200 75942
127.0.0.1 - - [20/Jul/2012:17:25:10 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:17:26:12 +0300] "GET /index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524
127.0.0.1 - - [20/Jul/2012:17:26:12 +0300] "GET /index.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2146
127.0.0.1 - - [20/Jul/2012:17:26:12 +0300] "GET / HTTP/1.1" 200 75916
127.0.0.1 - - [20/Jul/2012:17:26:12 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:17:26:15 +0300] "GET / HTTP/1.1" 200 76150
127.0.0.1 - - [20/Jul/2012:17:26:15 +0300] "GET /index.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2146
127.0.0.1 - - [20/Jul/2012:17:26:15 +0300] "GET /index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524
127.0.0.1 - - [20/Jul/2012:17:26:16 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:17:26:33 +0300] "GET /index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524
127.0.0.1 - - [20/Jul/2012:17:26:33 +0300] "GET /index.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2146
127.0.0.1 - - [20/Jul/2012:17:26:33 +0300] "GET / HTTP/1.1" 200 75916
127.0.0.1 - - [20/Jul/2012:17:26:33 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:17:27:11 +0300] "GET / HTTP/1.1" 200 44
127.0.0.1 - - [20/Jul/2012:17:27:11 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:17:27:23 +0300] "GET /index.php.2 HTTP/1.1" 304 -
127.0.0.1 - - [20/Jul/2012:17:27:23 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:17:27:31 +0300] "GET /index.php HTTP/1.1" 404 207
127.0.0.1 - - [20/Jul/2012:17:27:31 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:17:27:54 +0300] "GET /index.php HTTP/1.1" 404 207
127.0.0.1 - - [20/Jul/2012:17:27:54 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:17:27:59 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:17:28:56 +0300] "GET /index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524
127.0.0.1 - - [20/Jul/2012:17:28:56 +0300] "GET / HTTP/1.1" 200 76771
127.0.0.1 - - [20/Jul/2012:17:28:56 +0300] "GET /index.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2146
127.0.0.1 - - [20/Jul/2012:17:28:56 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:17:29:03 +0300] "GET / HTTP/1.1" 200 44
127.0.0.1 - - [20/Jul/2012:17:29:03 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:18:26:02 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:18:26:08 +0300] "GET /index.php HTTP/1.1" 200 75943
127.0.0.1 - - [20/Jul/2012:18:26:08 +0300] "GET /index.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2146
127.0.0.1 - - [20/Jul/2012:18:26:08 +0300] "GET /index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524
127.0.0.1 - - [20/Jul/2012:18:26:08 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:18:26:36 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:18:27:23 +0300] "GET / HTTP/1.1" 200 75916
127.0.0.1 - - [20/Jul/2012:18:27:23 +0300] "GET /index.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2146
127.0.0.1 - - [20/Jul/2012:18:27:23 +0300] "GET /index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524
127.0.0.1 - - [20/Jul/2012:18:27:23 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:18:27:31 +0300] "GET /index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524
127.0.0.1 - - [20/Jul/2012:18:27:31 +0300] "GET /index.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2146
127.0.0.1 - - [20/Jul/2012:18:27:31 +0300] "GET /index.php HTTP/1.1" 200 75943
127.0.0.1 - - [20/Jul/2012:18:27:31 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:18:27:36 +0300] "GET / HTTP/1.1" 200 75915
127.0.0.1 - - [20/Jul/2012:18:27:36 +0300] "GET /index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524
127.0.0.1 - - [20/Jul/2012:18:27:36 +0300] "GET /index.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2146
127.0.0.1 - - [20/Jul/2012:18:27:36 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:18:28:03 +0300] "GET / HTTP/1.1" 200 44
127.0.0.1 - - [20/Jul/2012:18:28:03 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:18:29:26 +0300] "GET / HTTP/1.1" 200 44
127.0.0.1 - - [20/Jul/2012:18:29:26 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:18:30:16 +0300] "GET / HTTP/1.1" 200 75916
127.0.0.1 - - [20/Jul/2012:18:30:16 +0300] "GET /index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524
127.0.0.1 - - [20/Jul/2012:18:30:16 +0300] "GET /index.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2146
127.0.0.1 - - [20/Jul/2012:18:30:16 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:18:30:57 +0300] "GET /index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524
127.0.0.1 - - [20/Jul/2012:18:30:57 +0300] "GET /index.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2146
127.0.0.1 - - [20/Jul/2012:18:30:57 +0300] "GET / HTTP/1.1" 200 76151
127.0.0.1 - - [20/Jul/2012:18:30:57 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:18:31:59 +0300] "GET /index.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2146
127.0.0.1 - - [20/Jul/2012:18:31:59 +0300] "GET /index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524
127.0.0.1 - - [20/Jul/2012:18:31:59 +0300] "GET / HTTP/1.1" 200 76151
127.0.0.1 - - [20/Jul/2012:18:32:00 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [20/Jul/2012:18:32:17 +0300] "GET / HTTP/1.1" 200 44
127.0.0.1 - - [20/Jul/2012:18:32:17 +0300] "GET /favicon.ico HTTP/1.1" 404 209
93.63.221.11 - - [21/Jul/2012:20:00:04 +0300] "HEAD / HTTP/1.0" 200 -
127.0.0.1 - - [22/Jul/2012:11:49:40 +0300] "GET /phpinfo.php HTTP/1.1" 404 209
127.0.0.1 - - [22/Jul/2012:11:49:40 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [25/Jul/2012:17:29:37 +0300] "GET / HTTP/1.0" 200 44
127.0.0.1 - - [25/Jul/2012:17:30:16 +0300] "GET / HTTP/1.0" 200 44
188.25.51.52 - - [25/Jul/2012:23:58:17 +0300] "GET / HTTP/1.1" 200 44
188.25.51.52 - - [25/Jul/2012:23:58:17 +0300] "GET /favicon.ico HTTP/1.1" 404 209
188.25.51.52 - - [26/Jul/2012:00:01:38 +0300] "GET /favicon.ico HTTP/1.1" 404 209
188.25.51.52 - - [26/Jul/2012:00:02:33 +0300] "GET /favicon.ico HTTP/1.1" 404 209
86.125.49.108 - - [29/Jul/2012:16:45:46 +0300] "B\xf4\xd5\xb9\x92^\xa1\xb6iyb\xfb$\xaa_\xcbUcks\"J" 501 239
207.150.188.84 - - [01/Aug/2012:01:41:29 +0300] "HEAD / HTTP/1.0" 200 -
192.168.0.2 - - [07/Aug/2012:23:57:11 +0300] "GET / HTTP/1.1" 200 44
192.168.0.2 - - [07/Aug/2012:23:57:16 +0300] "GET /favicon.ico HTTP/1.1" 404 209
192.168.0.2 - - [07/Aug/2012:23:57:32 +0300] "GET / HTTP/1.1" 200 44
192.168.0.2 - - [07/Aug/2012:23:57:34 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [08/Aug/2012:00:02:27 +0300] "GET / HTTP/1.1" 200 44
127.0.0.1 - - [08/Aug/2012:00:02:27 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [08/Aug/2012:00:04:25 +0300] "GET / HTTP/1.1" 200 44
127.0.0.1 - - [08/Aug/2012:00:04:25 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [08/Aug/2012:00:04:30 +0300] "GET / HTTP/1.1" 304 -
127.0.0.1 - - [08/Aug/2012:00:04:30 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [08/Aug/2012:00:04:36 +0300] "GET / HTTP/1.1" 304 -
127.0.0.1 - - [08/Aug/2012:00:04:36 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [08/Aug/2012:00:04:38 +0300] "GET / HTTP/1.1" 304 -
127.0.0.1 - - [08/Aug/2012:00:04:38 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [08/Aug/2012:00:08:33 +0300] "HEAD / HTTP/1.1" 200 -
127.0.0.1 - - [08/Aug/2012:00:08:53 +0300] "GET / HTTP/1.1" 200 44
127.0.0.1 - - [08/Aug/2012:00:08:53 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [08/Aug/2012:00:36:33 +0300] "GET / HTTP/1.0" 200 44
127.0.0.1 - - [25/Aug/2012:17:08:54 +0300] "GET / HTTP/1.0" 200 44
127.0.0.1 - - [03/Sep/2012:19:09:57 +0300] "GET / HTTP/1.0" 200 44
127.0.0.1 - - [03/Sep/2012:19:10:10 +0300] "GET / HTTP/1.0" 200 44
127.0.0.1 - - [17/Sep/2012:16:10:58 +0300] "GET / HTTP/1.1" 200 44
127.0.0.1 - - [17/Sep/2012:16:10:58 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [30/Sep/2012:13:03:45 +0300] "GET / HTTP/1.1" 200 44
127.0.0.1 - - [30/Sep/2012:13:03:46 +0300] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [03/Dec/2012:21:19:03 +0200] "GET / HTTP/1.1" 200 44
127.0.0.1 - - [03/Dec/2012:21:19:04 +0200] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [03/Dec/2012:21:19:04 +0200] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [03/Dec/2012:21:23:26 +0200] "GET /PasswareKit8.tar.gz HTTP/1.1" 200 7135482
85.122.132.5 - - [03/Dec/2012:21:26:27 +0200] "-" 408 -
91.233.135.60 - - [03/Dec/2012:21:27:38 +0200] "-" 408 -
188.25.48.199 - - [03/Dec/2012:21:27:40 +0200] "GET /PasswareKit8.tar.gz HTTP/1.1" 200 7135482
94.65.29.90 - - [03/Dec/2012:21:28:20 +0200] "\b\xde\xa9H\xdb]YUh\xbd\xb3\x7fL\x9a\xe7G\xb6\x81]^\xd8_]\x9b-" 501 223
94.66.79.120 - - [03/Dec/2012:21:28:29 +0200] "/3\xc1\x8b\xa8\xc1\xcc\x8ea\x18\xf9\x87\x80\x83\x90\x02bI\xad\xd4cD\x18\xa5\xef=\x06v\x86\xdfp\xc4\x1 6" 501 231
95.103.136.143 - - [03/Dec/2012:21:28:41 +0200] "\x9f\xd6\x8eC\x04\xf35\vA G\x14\xa2\x16\xf4\xe8\xf3\xf4\xe5\xe4uoR\xb8" 400 226
84.15.177.165 - - [03/Dec/2012:21:28:47 +0200] "-" 408 -
213.215.89.201 - - [03/Dec/2012:21:28:50 +0200] "\xeb\xe1,\xdf\x89\xd4E\xb4\xea" 501 207
188.36.179.170 - - [03/Dec/2012:21:29:11 +0200] "\x9a\xaa\xde\xa9\x82\x9f\xda4w\x88\xa4^\xd5\xbf\xe3Z~\xf1E\xf2T\xff\x8b\x07P\xe9U\xac\xd5\xceX\xa4\ xb3" 501 231
188.25.102.227 - - [03/Dec/2012:21:29:11 +0200] "GET /PasswareKit8.tar.gz HTTP/1.1" 200 7135482
41.139.170.246 - - [03/Dec/2012:21:29:32 +0200] "-" 408 -
91.225.97.245 - - [03/Dec/2012:21:30:58 +0200] "\xf0b\x06\xac\x1d$\xb5\xb0-\x1dz\x1d\xa0\xfd" 400 226
89.137.201.85 - - [03/Dec/2012:21:31:59 +0200] "-" 408 -
92.37.121.251 - - [03/Dec/2012:21:32:07 +0200] "\xc7\xe0\xc9\x8a\xb8\x8f\xfcv\xaa<C\xc6\x1c\x02\x10\x7f%@\x05\xa9\xb6d7\xed\xba\xa6\xca\xab\xed[" 501 231
62.4.63.34 - - [03/Dec/2012:21:32:31 +0200] "-" 408 -
84.44.172.84 - - [03/Dec/2012:21:32:43 +0200] "\x98\xafe\xc1\xfa\tYHo'H[\xd0}+\xf4\xc5\x15\x85\xf5 \xe2F\xfd\xca]\xc1\xf6\xd67\xa5\x85l" 400 226
77.28.252.91 - - [03/Dec/2012:21:33:22 +0200] "\xb5\x02E\xaa \x04\"\xeco\xba\xedY\xa6K\xc2\x94[\xba \x0fx\x9bmD\xc5F\xeb\xe7\xcd\x9f\x13\xf6fz\xe1\xff\x9a\xc2Y\x90@\x88\x16" 400 226
127.0.0.1 - - [13/Dec/2012:14:29:09 +0200] "GET / HTTP/1.1" 200 44
127.0.0.1 - - [13/Dec/2012:14:29:09 +0200] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [13/Dec/2012:14:29:10 +0200] "GET /favicon.ico HTTP/1.1" 404 209
 
Old 12-13-2012, 08:59 AM   #14
mitusf
Member
 
Registered: Nov 2011
Location: Bucharest, Romania
Distribution: Slackware
Posts: 141

Original Poster
Rep: Reputation: 2
Quote:
The easiest way would have been to limit the firewall to only allow traffic between your web server and this persons address.
Yes, I know, with the -s option (source) to iptables. Thanks
 
Old 12-13-2012, 09:33 AM   #15
Habitual
Senior Member
 
Registered: Jan 2011
Distribution: Undecided
Posts: 3,170
Blog Entries: 4

Rep: Reputation: 760Reputation: 760Reputation: 760Reputation: 760Reputation: 760Reputation: 760Reputation: 760
Quote:
Originally Posted by mitusf View Post
Code:
94.65.29.90 - - [03/Dec/2012:21:28:20 +0200] "\b\xde\xa9H\xdb]YUh\xbd\xb3\x7fL\x9a\xe7G\xb6\x81]^\xd8_]\x9b-" 501 223
94.66.79.120 - - [03/Dec/2012:21:28:29 +0200] "/3\xc1\x8b\xa8\xc1\xcc\x8ea\x18\xf9\x87\x80\x83\x90\x02bI\xad\xd4cD\x18\xa5\xef=\x06v\x86\xdfp\xc4\x16" 501 231
95.103.136.143 - - [03/Dec/2012:21:28:41 +0200] "\x9f\xd6\x8eC\x04\xf35\vA G\x14\xa2\x16\xf4\xe8\xf3\xf4\xe5\xe4uoR\xb8" 400 226
84.15.177.165 - - [03/Dec/2012:21:28:47 +0200] "-" 408 -
213.215.89.201 - - [03/Dec/2012:21:28:50 +0200] "\xeb\xe1,\xdf\x89\xd4E\xb4\xea" 501 207
188.36.179.170 - - [03/Dec/2012:21:29:11 +0200] "\x9a\xaa\xde\xa9\x82\x9f\xda4w\x88\xa4^\xd5\xbf\xe3Z~\xf1E\xf2T\xff\x8b\x07P\xe9U\xac\xd5\xceX\xa4\xb3" 501 231
41.139.170.246 - - [03/Dec/2012:21:29:32 +0200] "-" 408 -
91.225.97.245 - - [03/Dec/2012:21:30:58 +0200] "\xf0b\x06\xac\x1d$\xb5\xb0-\x1dz\x1d\xa0\xfd" 400 226
89.137.201.85 - - [03/Dec/2012:21:31:59 +0200] "-" 408 -
92.37.121.251 - - [03/Dec/2012:21:32:07 +0200] "\xc7\xe0\xc9\x8a\xb8\x8f\xfcv\xaa<C\xc6\x1c\x02\x10\x7f%@\x05\xa9\xb6d7\xed\xba\xa6\xca\xab\xed[" 501 231
62.4.63.34 - - [03/Dec/2012:21:32:31 +0200] "-" 408 -
84.44.172.84 - - [03/Dec/2012:21:32:43 +0200] "\x98\xafe\xc1\xfa\tYHo'H[\xd0}+\xf4\xc5\x15\x85\xf5 \xe2F\xfd\xca]\xc1\xf6\xd67\xa5\x85l" 400 226
77.28.252.91 - - [03/Dec/2012:21:33:22 +0200] "\xb5\x02E\xaa \x04\"\xeco\xba\xedY\xa6K\xc2\x94[\xba \x0fx\x9bmD\xc5F\xeb\xe7\xcd\x9f\x13\xf6fz\xe1\xff\x9a\xc2Y\x90@\x88\x16" 400 226
The above looks like shell-code in hexadecimal.
Quote:
58.19.177.4 - - [09/Mar/2012:12:53:46 +0200] "GET //phpMyAdmin-2/index.php HTTP/1.1" 404 220
58.19.177.4 - - [09/Mar/2012:12:53:50 +0200] "GET //phpMyAdmin-2.2.3/index.php HTTP/1.1" 404 224
58.19.177.4 - - [09/Mar/2012:12:53:51 +0200] "GET //phpMyAdmin-2.2.6/index.php HTTP/1.1" 404 224
58.19.177.4 - - [09/Mar/2012:12:53:52 +0200] "GET //phpMyAdmin-2.5.1/index.php HTTP/1.1" 404 224
58.19.177.4 - - [09/Mar/2012:12:53:56 +0200] "GET //phpMyAdmin-2.5.5-rc1/index.php HTTP/1.1" 404 228
58.19.177.4 - - [09/Mar/2012:12:53:57 +0200] "GET //phpMyAdmin-2.5.5-rc2/index.php HTTP/1.1" 404 228
58.19.177.4 - - [09/Mar/2012:12:53:58 +0200] "GET //phpMyAdmin-2.5.5/index.php HTTP/1.1" 404 224
58.19.177.4 - - [09/Mar/2012:12:53:59 +0200] "GET //phpMyAdmin-2.5.5-pl1/index.php HTTP/1.1" 404 228
58.19.177.4 - - [09/Mar/2012:12:54:00 +0200] "GET //phpMyAdmin-2.5.6-rc1/index.php HTTP/1.1" 404 228
58.19.177.4 - - [09/Mar/2012:12:54:09 +0200] "GET //phpMyAdmin-2.5.6/index.php HTTP/1.1" 404 224
58.19.177.4 - - [09/Mar/2012:12:54:10 +0200] "GET //phpMyAdmin-2.5.7/index.php HTTP/1.1" 404 224
58.19.177.4 - - [09/Mar/2012:12:54:11 +0200] "GET //phpMyAdmin-2.5.7-pl1/index.php HTTP/1.1" 404 228
and the below looks like it's checking for phpMyAdmin exploit targets.
The "404 nnn" pairs are just apache error codes (the first one is anyway)

Last edited by Habitual; 12-13-2012 at 09:36 AM.
 
1 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Script - Find time between entries in log file blsimpson Linux - Newbie 16 07-24-2012 06:03 PM
Parsing The Entries of a BIND log Query file Balvinder87 Linux - Security 2 07-12-2012 08:03 AM
Centos 6 Log file entries therockatmsu Linux - Server 2 07-03-2012 08:51 AM
httpd access log entries hywaydave Linux - Security 3 02-11-2005 03:39 PM
Weird entries in log file KennyK Linux - Security 4 10-17-2003 08:28 PM


All times are GMT -5. The time now is 10:36 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration