Strange Apache HTTPD log entry
Hey all:
I was using Logwatch to review my HTTP server logs and I noticed the following entry:
--------------------- httpd Begin
404 Not Found
. . .
/saddam.html++++++++++++++++++++++++++++++ ... +to+internet%29: 1 Time(s)
---------------http End
The last line is pasted in exactly as shown in the log. Saddam.html is a static hypertext document present on the server. Robots access it and other such documents there frequently. Obviously someone (or a robot) tried to request a document that wasn't present, resulting in a 404. The question is, what exactly was the requestor trying to do? I have never seen anything like this in my logs before, and am not even sure how to phrase an appropriate Google search for answers. I am hoping someone here can shed some light on this.
Thanks,
Matt
Quote:
How do I know if the attack succeeded or not? The Wikipedia page explains what the attack consists of, but little about stopping these attacks or determining their impact.
Security is one big topic in itself. The answer to your question could be either a few hundred pages long or short, but very general.
So here's a short answer: check the log files, look for unusual activities on the box (processes, files), check for presence of rootkits... or, even shorter, familiarize yourself with Linux system administration.
What I would do is 1) trace back that entry in your webserver logs, then grep all services and system logs for the related IP address. That way you get a more complete view of what it's been up to. If there are multiple entries you know somebody has been trying blindly; if it's just that one entry it gets "interesting". 2) Next to that you might want to check your OS installation by verifying integrity if your package manager is capable of doing that (please fill in your OS details in your profile). If unsure, use the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html as a checklist. Chances are it's just that entry, but practicing and getting acquainted with the checklist *before* something happens isn't a bad thing. If you can't make heads or tails of your log entries, post them here in full. Just in case some log content doesn't show up "right" when posted, you're invited to e-mail me.
First, thank you for your reply. Here are the log entries containing the relevant information. By the way, I am running CentOS 5, in case that's important.
Only one log file, /var/log/httpd/error_log.1, seems to have any mention of the offending IP address:
Code:
/var/log/httpd# cat error_log.1 | grep 89.149.241.126
[Fri Mar 28 03:23:54 2008] [error] [client 89.149.241.126] File does not exist: /var/www/html/<deleted>.com/saddam.html+++++++++++++++++++++++++++++++++++++++++++++++++++++Result:+it+is+not+a+forum+, referer: http://<deleted>.com/saddam.html+++++++++++++++++++++++++++++++++++++++++++++++++++++Result:+it+is+not+a+forum+/+guestbook+%28or+no+connection+to+internet%29
[Fri Mar 28 03:23:58 2008] [error] [client 89.149.241.126] File does not exist: /var/www/html/forum, referer: http://forum.<deleted>.com/forum/index.php
[Fri Mar 28 03:23:58 2008] [error] [client 89.149.241.126] File does not exist: /var/www/html/phpbb, referer: http://forum.<deleted>.com/phpbb/index.php
[Fri Mar 28 03:23:59 2008] [error] [client 89.149.241.126] File does not exist: /var/www/html/phpbb2, referer: http://forum.<deleted>.com/phpbb2/index.php
[Fri Mar 28 03:23:59 2008] [error] [client 89.149.241.126] File does not exist: /var/www/html/forums, referer: http://forum.<deleted>.com/forums/index.php
[Fri Mar 28 03:24:00 2008] [error] [client 89.149.241.126] File does not exist: /var/www/html/board, referer: http://forum.<deleted>.com/board/index.php
[Sat Mar 29 09:08:07 2008] [error] [client 89.149.241.126] File does not exist: /var/www/html/<deleted>.com/saddam.html+++++++++++++++++++++++++++++++++++++++++++++++++++++Result:+it+is+not+a+forum+, referer: http://<deleted>.com/saddam.html+++++++++++++++++++++++++++++++++++++++++++++++++++++Result:+it+is+not+a+forum+/+guestbook+%28or+no+connection+to+internet%29+Result:+it+is+not+a+forum+/+guestbook+%28or+no+connection+to+internet%29
[Sat Mar 29 09:08:09 2008] [error] [client 89.149.241.126] File does not exist: /var/www/html/forum, referer: http://forum.<deleted>.com/forum/index.php
[Sat Mar 29 09:08:10 2008] [error] [client 89.149.241.126] File does not exist: /var/www/html/phpbb, referer: http://forum.<deleted>.com/phpbb/index.php
[Sat Mar 29 09:08:10 2008] [error] [client 89.149.241.126] File does not exist: /var/www/html/phpbb2, referer: http://forum.<deleted>.com/phpbb2/index.php
[Sat Mar 29 09:08:11 2008] [error] [client 89.149.241.126] File does not exist: /var/www/html/forums, referer: http://forum.<deleted>.com/forums/index.php
[Sat Mar 29 09:08:11 2008] [error] [client 89.149.241.126] File does not exist: /var/www/html/board, referer: http://forum.<deleted>.com/board/index.php
I've removed my server's name for security reasons. What's curious is that the attack seems to be focused on one of the hosted domains, not the main webserver. Nonetheless, this entry shows up in the "main" error log, not the one corresponding to that domain. My web server and its hosted domains don't have any forums, just a collection of static HTML pages. It almost looks like the attacker was trying to exploit some weakness in forum posting software, and that he didn't get very far because I don't have any forums. Am I on the right track here? I read up a little on the buffer overflow attack that ChooseLife alluded to, but it appears any weaknesses there would have to be addressed by programmers, not me. It would certainly be far, far over my head. I'll fill out my profile and review that checklist you mentioned, thanks.
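The triage step recommended earlier in the thread (trace the entry, then pull everything that client did) done programmatically, as an added example that is not from the thread: it parses Apache 2.2 error_log lines of the shape pasted above, groups the "File does not exist" entries per client IP, and flags a client that walks a run of common forum directory names or whose URLs carry the bot's leaked "Result:+it+is+not+a+forum" template text. The sample log and the example.com host are constructed.

```python
import re
from collections import defaultdict

# Apache 2.2 error_log line, as pasted in the thread (referer part is optional):
#   [Fri Mar 28 03:23:54 2008] [error] [client 1.2.3.4] File does not exist: /path, referer: http://...
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[\d.]+)\] "
    r"(?P<msg>.*?)(?:, referer: (?P<referer>\S+))?$"
)
MISSING = "File does not exist: "
# Directory names the bot in the thread probed for, one after another.
FORUM_PROBES = {"forum", "forums", "phpbb", "phpbb2", "board"}
# The bot's own result template leaking into the requested URL / referer.
BOT_MARKER = "Result:+it+is+not+a+forum"

# Constructed sample modelled on the thread's entries (host replaced by example.com).
SAMPLE_LOG = """\
[Fri Mar 28 03:23:54 2008] [error] [client 89.149.241.126] File does not exist: /var/www/html/example.com/saddam.html+++++Result:+it+is+not+a+forum+, referer: http://example.com/saddam.html+++++Result:+it+is+not+a+forum+/+guestbook+%28or+no+connection+to+internet%29
[Fri Mar 28 03:23:58 2008] [error] [client 89.149.241.126] File does not exist: /var/www/html/forum, referer: http://forum.example.com/forum/index.php
[Fri Mar 28 03:23:58 2008] [error] [client 89.149.241.126] File does not exist: /var/www/html/phpbb, referer: http://forum.example.com/phpbb/index.php
[Fri Mar 28 03:23:59 2008] [error] [client 89.149.241.126] File does not exist: /var/www/html/board, referer: http://forum.example.com/board/index.php
[Fri Mar 28 03:30:00 2008] [error] [client 10.0.0.7] File does not exist: /var/www/html/favicon.ico
"""

def parse_line(line):
    """Split one error_log line into its fields; None if the line has another shape."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(log_text):
    """Per client IP: how many missing files, which forum names it probed, and a verdict."""
    per_ip = defaultdict(lambda: {"paths": [], "probes": set(), "marker": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["msg"].startswith(MISSING):
            continue
        path = rec["msg"][len(MISSING):]
        entry = per_ip[rec["client"]]
        entry["paths"].append(path)
        leaf = path.rstrip("/").rsplit("/", 1)[-1].lower()
        if leaf in FORUM_PROBES:
            entry["probes"].add(leaf)
        if BOT_MARKER in path or BOT_MARKER in (rec["referer"] or ""):
            entry["marker"] = True
    return {
        ip: {"count": len(v["paths"]), "probes": sorted(v["probes"]),
             # two or more distinct forum names, or the leaked template, reads as a forum-spam bot
             "forum_spam_bot": v["marker"] or len(v["probes"]) >= 2}
        for ip, v in per_ip.items()
    }
```

Run `triage(open("/var/log/httpd/error_log.1").read())` on a real file; one client with a handful of probes and nothing else in the system logs matches the "blind bot" reading the thread arrives at.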
It's a spam bot...
Quote:
The posts all start with common keywords related to pr0n, often with celebrity names and often media. Sometimes the bot results are posted as text, but more commonly it's HTML code starting with a span class with a one-pixel font-size, followed by URIs, followed by (one-)pixel GIFs. Grepping pages for these pseudo-regex combos:
Code:
# IFS:
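What grepping for that signature can look like, as an added example rather than the script the post above cuts off: it flags spans whose inline style sets a one-pixel font-size (an assumption, since the post's span may get its size from a CSS class) that contain links or 1x1 GIF images. The sample page and the spam.invalid domain are constructed.

```python
import re

# Assumed shape of the injected block: a span styled with font-size:1px holding
# links and 1x1 GIF beacons. The patterns below are this example's own, not the post's.
HIDDEN_SPAN = re.compile(
    r"<span\b[^>]*font-size\s*:\s*1px[^>]*>(?P<body>.*?)</span>", re.I | re.S)
LINK = re.compile(r"<a\b[^>]*\bhref\s*=\s*[\"']?(?P<url>https?://[^\"'\s>]+)", re.I)
IMG = re.compile(r"<img\b[^>]*>", re.I)
GIF_SRC = re.compile(r"\bsrc\s*=\s*[\"']?[^\"'\s>]+\.gif", re.I)
ONE_PX = re.compile(r"\b(?:width|height)\s*=\s*[\"']?1\b", re.I)

def scan_page(html):
    """One finding per hidden span that carries links or pixel GIFs; [] for a clean page."""
    findings = []
    for m in HIDDEN_SPAN.finditer(html):
        body = m.group("body")
        urls = LINK.findall(body)
        # a GIF is a beacon only when both width and height are 1
        beacons = [t for t in IMG.findall(body)
                   if GIF_SRC.search(t) and len(ONE_PX.findall(t)) == 2]
        if urls or beacons:
            findings.append({"offset": m.start(), "urls": urls, "pixel_gifs": len(beacons)})
    return findings

# Constructed guestbook page with one injected block; domains are placeholders.
SPAMMED_PAGE = """<html><body>
<p>Welcome to our guestbook.</p>
<span style="font-size:1px">
<a href="http://spam.invalid/pills">cheap pills</a>
<a href="http://spam.invalid/celeb">celebrity video</a>
<img src="http://spam.invalid/t.gif" width="1" height="1">
</span>
<p>Contact: <a href="http://example.com/contact">here</a></p>
</body></html>"""
CLEAN_PAGE = "<html><body><p>Nothing hidden here.</p></body></html>"
```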