What do these httpd log file entries mean?

unSpawn · 12-13-2012, 10:13 AM

It took me a while to notice there's no HTTP method involved, so these aren't valid HTTP requests (=clients?) to begin with.

Quote:

Originally Posted by mitusf

just in case someone wants to make an ideea

Do you plan to enable iptables logging and capture packets as well?

mitusf · 12-13-2012, 11:04 AM

Yes, but first I must see how to do it (the firewall logging), I have not any ideea so far, and with Wireshark, I suppose I must let the computer working for days, until I "receive" the custom salute from the outsiders.

Ah, ok, it's the LOG target, but where it is the info logged?

I think that without being set up (iptables log in syslogd and logrotate) it is logged by dmesg but within it's limits, I think. So, I must learn how to set up loging of iptables in syslogd and then logrotate. Maybe I am wrong but this is what I think.

BRW, is it appropriate or enough to see the current connections to my computer with "netstat -aut", or I need more options here?

unSpawn · 12-13-2012, 11:23 AM

'man iptables':

Code:

LOG
   Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel
 will print some information on all matching packets (like most IP header fields) via the kernel 
log (where it can be read with dmesg or syslogd(8)). This is a "non-terminating target", i.e. rule
 traversal continues at the next rule. So if you want to LOG the packets you refuse, use two sepa-
rate rules with the same matching criteria, first using target LOG then DROP (or REJECT).

Quote:

Originally Posted by mitusf

Maybe I am wrong but this is what I think.

After thinking and before posting it would be good to consult your documentation. What you wrote about only concerns you if you don't run syslogd and don't run a logrotate cron job.

Quote:

Originally Posted by mitusf

is it appropriate or enough to see the current connections to my computer with "netstat -aut", or I need more options here?

Fastest way to display nfo with (networking) tool is to avoid any resolving. Often (ls, lsof, netstat, iptables, tcpdump, etc, etc) applications have "-n" switch for that. BTW, why would we need to see 'netstat' output?

mitusf · 12-13-2012, 11:49 AM

I was thinking about the possibility that someone intruded and with netstat I can see it's connection... not started by me, of course... make an ideea of what he is doing.

You're right about reading the documentation first. Sorry about that hurry.

unSpawn · 12-13-2012, 12:15 PM

Quote:

Originally Posted by mitusf

I was thinking about the possibility that someone intruded and with netstat I can see it's connection... not started by me, of course... make an ideea of what he is doing.

Do you have a gut feeling, suspicion or clue your machine may be compromised?

mitusf · 12-13-2012, 12:20 PM

Sincerely, I hope and I don't really believe that was compromised, but I think these were only tries to break in. This is my feeling, after a behavior analyze of the "attacks" in the server log, without knowing the server's internals.

unSpawn · 12-13-2012, 01:22 PM

Then lets stick with logging web server requests, firewall connections and capturing packets with

Code:

tcpdump -n -nn -s 0 -i eth[devicenumber] -w /path/to/dump.pcap 'tcp-syn != 0 and dst port 80'

' for now?

mitusf · 12-13-2012, 01:27 PM

Here is another fresh log record:

Quote:

46.38.41.11 - - [13/Dec/2012:20:59:16 +0200] "GET http://www.yahoo.com/ HTTP/1.1" 200 44

Do you know what happend? I have read that code 200 means that something was delivered, but what? I don't get it.

Your command seems a litle too complicated for me right now. Maybe later I would be able to decode it.

Update: the IP is from Rusia

mitusf · 12-14-2012, 05:36 PM

unSpawn, thank you for your answer, it was really interesting, though I need more studying about the syntax call of tcpdump. Also, what means the -nn flag, I didn't find it in the man page, maybe I should try with info?

unSpawn · 12-14-2012, 09:00 PM

-nn Don't convert protocol and port numbers etc. to names either.
Come to think of it just
tcpdump -s 0 -i eth[devicenumber] -w /path/to/dump.pcap 'tcp-syn != 0 and dst port 80'
should do because you're logging to file.

mitusf · 12-15-2012, 04:30 AM

Quote:

Originally Posted by OlRoy

Seeing logs that contain hex and some printable ascii characters, makes me think binary data, and possibly shellcode.

213.215.89.201 - - [03/Dec/2012:21:28:50 +0200] "\xeb\xe1,\xdf\x89\xd4E\xb4\xea" 501 207

Code:

$ rasm2 -d 'eb e1 2c df 89 d4 45 b4 ea'
jmp 0x8047fe3
sub al, 0xdf
mov esp, edx
inc ebp
mov ah, 0xea

I'm definitely not familiar enough with Linux shellcode to say whether that is part of valid shellcode, but the above are all very common instructions. As unSpawn was saying, it's hard to say much without more context...

Thank you very much OlRoy, your response opened to me a totally new and interesting perspective. Thanks!