LinuxQuestions.org > Linux - Security. This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1 | 09-07-2007, 01:23 AM | shanya (LQ Newbie; Registered: May 2007; Distribution: redhat,CentOS; Posts: 4)
Hacker attack on my webserver?
First thing, thanks to win32sux.
The mod_security2 is OK.
In my Apache access logs I found the entries below.
What does this mean? An attack?
71.92.67.11 - - [03/Aug/2007:04:32:34 +0800] "GET / HTTP/1.1" 200 1456
68.102.148.23 - - [03/Aug/2007:04:48:45 +0800] "GET / HTTP/1.1" 200 1456
219.89.195.22 - - [03/Aug/2007:04:53:38 +0800] "GET / HTTP/1.1" 200 1456
172.192.252.178 - - [03/Aug/2007:04:56:42 +0800] "GET / HTTP/1.1" 200 1456
72.243.145.31 - - [03/Aug/2007:05:01:00 +0800] "GET / HTTP/1.1" 200 1456
67.132.13.146 - - [03/Aug/2007:05:04:49 +0800] "GET / HTTP/1.1" 200 1456
116.121.107.198 - - [03/Aug/2007:05:19:48 +0800] "GET / HTTP/1.1" 200 1456
..................
68.189.6.27 - - [03/Aug/2007:16:05:06 +0800] "GET / HTTP/1.1" 200 437
220.226.233.188 - - [03/Aug/2007:16:06:08 +0800] "GET / HTTP/1.1" 200 437
72.161.44.253 - - [03/Aug/2007:16:06:12 +0800] "GET / HTTP/1.1" 200 437
221.169.244.153 - - [03/Aug/2007:16:10:12 +0800] "GET / HTTP/1.1" 200 437
.................
57.250.245.249 - - [03/Sep/2007:06:58:32 +0800] "GET / HTTP/1.1" 200 97
86.0.51.82 - - [03/Sep/2007:07:01:19 +0800] "GET / HTTP/1.1" 200 97
207.235.120.172 - - [03/Sep/2007:07:02:03 +0800] "GET / HTTP/1.1" 200 97
142.177.25.185 - - [03/Sep/2007:07:02:15 +0800] "GET / HTTP/1.1" 200 97
205.158.116.232 - - [03/Sep/2007:07:02:42 +0800] "GET / HTTP/1.1" 200 97
210.83.227.5 - - [05/Sep/2007:02:37:47 +0800] "GET /NULL.printer HTTP/1.0 " 404 291
210.83.227.5 - - [05/Sep/2007:02:37:50 +0800] "GET /NULL.IDA?CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC%u0aeb뢐矮000莋”䂋դŐ邐=x&\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xeb\t\x90\x90\x90_\xeb
....................
212.72.162.197 - - [04/Aug/2007:19:53:53 +0800] "POST /xmlrpc.php HTTP/1.1" 404 286
212.72.162.197 - - [04/Aug/2007:19:53:55 +0800] "POST /blog/xmlrpc.php HTTP/1.1" 404 291
212.72.162.197 - - [04/Aug/2007:19:53:59 +0800] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 299
212.72.162.197 - - [04/Aug/2007:19:53:59 +0800] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 298
212.72.162.197 - - [04/Aug/2007:19:54:03 +0800] "POST /drupal/xmlrpc.php HTTP/1.1" 404 293
Last edited by shanya; 09-07-2007 at 01:26 AM.
#2 | 09-07-2007, 03:59 AM | win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
Quote: Originally Posted by shanya
Code:
210.83.227.5 - - [05/Sep/2007:02:37:47 +0800] "GET /NULL.printer HTTP/1.0 " 404 291
210.83.227.5 - - [05/Sep/2007:02:37:50 +0800] "GET /NULL.IDA?CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC%u0aeb뢐矮000莋”䂋դŐ邐=x&\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xeb\t\x90\x90\x90_\xeb
This IP has tried a Microsoft IIS buffer overflow exploit on your server.
It's actually a pretty common sight.
Last edited by win32sux; 09-07-2007 at 05:39 PM.
Reason: Added Wikipedia link.
#3 | 09-07-2007, 08:04 AM | Member (Registered: May 2005; Location: Northern VA; Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X; Posts: 782)
Quote: Originally Posted by shanya
First thing, thanks to win32sux.
The mod_security2 is OK.
212.72.162.197 - - [04/Aug/2007:19:53:53 +0800] "POST /xmlrpc.php HTTP/1.1" 404 286
212.72.162.197 - - [04/Aug/2007:19:53:55 +0800] "POST /blog/xmlrpc.php HTTP/1.1" 404 291
212.72.162.197 - - [04/Aug/2007:19:53:59 +0800] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 299
212.72.162.197 - - [04/Aug/2007:19:53:59 +0800] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 298
212.72.162.197 - - [04/Aug/2007:19:54:03 +0800] "POST /drupal/xmlrpc.php HTTP/1.1" 404 293
The above is a Lupper-style attack (see http://vil.nai.com/vil/content/v_136821.htm for a description, variants, ...). These are also common, but affect sites that serve dynamic content. Unless you run a site with a PHP backend, this traffic shouldn't warrant concern, IMO. In my case, I tell modsecurity to respond to requests for PHP content with a 404 HTTP code.
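The triage the two replies do by eye can be scripted: post #2 recognises an IIS-only target (.ida / .printer) followed by a binary payload, and post #3 recognises a Lupper-style xmlrpc.php POST sweep and points out that a 404 means the probe hit nothing. The following is an added example, not code from this thread or from any poster: a small Python classifier for Apache Common Log Format lines that tags both probe families per source IP and records whether any tagged request was actually served. The sample lines are those quoted in the thread, except that the NULL.IDA request is abbreviated and its trailing protocol and status fields are constructed, because the quoted line is truncated. The tag names and the "served" heuristic are assumptions of this example.

```python
"""Tag Apache access-log lines for the probe signatures discussed in the thread."""
import re
from collections import defaultdict

# Apache Common Log Format: host ident authuser [date] "request" status bytes.
# The stray space in 'HTTP/1.0 "' seen in the thread is tolerated by \s*.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>HTTP/\d\.\d))?\s*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Extensions handled only by IIS ISAPI filters; irrelevant to an Apache host.
IIS_ISAPI_EXT = (".ida", ".printer")
# Apache writes non-printable request bytes as \xNN, so a NOP sled shows up
# as a literal run of "\x90" in the log.
NOP_SLED_RE = re.compile(r"(\\x90){8,}")


def parse_line(line):
    """Return a dict of CLF fields, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def classify(rec):
    """Return the set of indicator tags matching one parsed request."""
    tags = set()
    path = rec["path"]
    resource = path.split("?", 1)[0].lower()
    if resource.endswith(IIS_ISAPI_EXT):
        tags.add("iis-isapi-probe")          # post #2's observation
    if rec["method"] == "POST" and resource.endswith("/xmlrpc.php"):
        tags.add("xmlrpc-sweep")             # post #3's observation
    if "%u" in path.lower() or NOP_SLED_RE.search(path):
        tags.add("binary-payload")           # %u escapes / NOP sled in the URL
    return tags


def summarize(lines):
    """Aggregate tagged requests per source IP.

    'served' becomes True when a tagged request got a 2xx, i.e. the probed
    resource exists on this host and deserves a closer look. Probes answered
    with 404, as in the thread, reached nothing.
    """
    report = defaultdict(lambda: {"probes": 0, "tags": set(), "served": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if not tags:
            continue
        entry = report[rec["ip"]]
        entry["probes"] += 1
        entry["tags"] |= tags
        if 200 <= rec["status"] < 300:
            entry["served"] = True
    return dict(report)


# Sample input: lines quoted in the thread. The NULL.IDA request is abbreviated
# and its " HTTP/1.0\" 404 291" tail is constructed (the quoted line is cut off).
SAMPLE_LOG = [
    '71.92.67.11 - - [03/Aug/2007:04:32:34 +0800] "GET / HTTP/1.1" 200 1456',
    '210.83.227.5 - - [05/Sep/2007:02:37:47 +0800] "GET /NULL.printer HTTP/1.0 " 404 291',
    '210.83.227.5 - - [05/Sep/2007:02:37:50 +0800] "GET /NULL.IDA?CCCCCCCCCCCCCCCC%u0aeb=x&'
    + r"\x90" * 12 + r'\xeb\t\x90\x90\x90_\xeb HTTP/1.0" 404 291',
    '212.72.162.197 - - [04/Aug/2007:19:53:53 +0800] "POST /xmlrpc.php HTTP/1.1" 404 286',
    '212.72.162.197 - - [04/Aug/2007:19:53:55 +0800] "POST /blog/xmlrpc.php HTTP/1.1" 404 291',
    '212.72.162.197 - - [04/Aug/2007:19:53:59 +0800] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 299',
    '212.72.162.197 - - [04/Aug/2007:19:53:59 +0800] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 298',
    '212.72.162.197 - - [04/Aug/2007:19:54:03 +0800] "POST /drupal/xmlrpc.php HTTP/1.1" 404 293',
]

if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG).items():
        verdict = "SERVED - investigate" if entry["served"] else "missed (404s)"
        print(f"{ip:16} probes={entry['probes']} tags={sorted(entry['tags'])} {verdict}")
```

Run against a real access log with `summarize(open("/var/log/httpd/access_log"))`; plain `GET /` hits like the first sample line produce no tags and are left out of the report, while a source whose tagged requests ever return 2xx is flagged for a closer look.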