Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Dear All,
I notice there is two lines /KoolTabs/kooltabs.php?32981a13284db7a9021131df49e6cd203 and /KoolTabs/styles/silver/silver.css in my log 403 Not Found error. We are wondering as risk via this tool or any known penetration so that we can stop using it too.
Dear Unspawn,
For example I am using is say folder /abc/v1/kooltabs but the error was found to be /kooltabs. So it means they have attempted to scan for it right?
So it means they have attempted to scan for it right?
Like other tools Logwatch only analyses events leaving the final vuln / not vuln verdict to the person doing the analysis. So if the resource was searched for in the cause of a regular browsing session (grep access / error logs for IP address) then the developer could have made an error but if other resources include only often scanned for ones like web-based management panels or other commonly known vulnerabilities then it was likely scanned for.
Dear Unspawn,
I have google on the kooltabs so far did not find any vuln linking to it either. I dont really get you here "So if the resource was searched for in the cause of a regular browsing session (grep access / error logs for IP address) then the developer could have made an error but if other resources include only often scanned for ones like web-based management panels or other commonly known vulnerabilities then it was likely scanned for." What do you mean here" You mean to first look for access and error logs is it? Ok based on the IP you want to determine is it valid access is it ? I dont get you here "developer could have made an error" ? What error you mean on programming or interpreting the results?
You mean to first look for access and error logs is it? Ok based on the IP you want to determine is it valid access is it ?
Yes. Just grep your access and error logs for that particular IP address, about 10 to 20 lines leading up to the KoolTabs one should do, and post the output here.
Dear Unspawn,
Something puzzle me here now I took all my log file for few months n when through manually. I notice this quite a number of times and what puzzle me is that most of the Directory index forbidden by Options directive have some referer but this one dont have. I am worried that they know my directory structure and trying to attack. Could it be any scanners?
Quote:
[Sun Oct 13 12:33:29 2013] [error] [client 103.246.38.196] Directory index forbidden by Options directive: /var/www/html/*******/
[Sun Oct 13 12:33:30 2013] [error] [client 103.246.38.196] File does not exist: /var/www/html/images
[Sun Oct 13 12:33:30 2013] [error] [client 103.246.38.196] Directory index forbidden by Options directive: /var/www/html/******/images/
[Sun Oct 13 12:33:51 2013] [error] [client 103.246.38.196] Directory index forbidden by Options directive: /var/www/html/******/KoolTabs/
Apart from accessing "/" these are all 30x to 40x type return codes. No harm done, the IP seems to be a scraper, but if you don't like it feel free to use something like fail2ban + ipset to block access.
Dear Unspawn,
Great but I want to learn this too. How do you know its scraper ? So which type of codes are harm full ? I have ban the ip from my firewall itself. But what surprises me is that the have traverse through my directory that worries me. They know my main directory and sub directories too. Any idea how they do ?
Search for the IP address using your favorite search engine.
Quote:
Originally Posted by newbie14
So which type of codes are harm full ?
A return code that indicates the remote host may access resources could mean a risk but that's not a given, it's only by taking all things into account you see what behavior the host has.
Quote:
Originally Posted by newbie14
But what surprises me is that the have traverse through my directory that worries me.
Depending on access patterns, four lines being not enough really, it's likely automated scanning for common resources, not a thought out attack.
Dear Unspawn,
Yes I search and got this link http://www.projecthoneypot.org/ip_103.246.38.196. So I guess we got to see the return 200 and then map with other behavior to ascertain if its legitimate or not ? I guess this is challenging rite. Actually can a scrapper know what are the directories available in my server from /var/www/html ? This scraper first when to one of my main directory and then only the kooltabs.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
