LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 12-30-2003, 10:03 PM   #1
Inexactitude
Member
 
Registered: Oct 2003
Distribution: Slackware 12.2, Ubuntu 9.04
Posts: 477

Rep: Reputation: 30
How many hack attempts should be expected?


I just read my apache logs, and it seems that something was looking for some windows exploits on the machine. How much should I expect stuff like this, is this something that is going to happen multiple times in a day, or is this a rarity and a cause for alarm?
 
Old 12-30-2003, 10:19 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
It can vary depending on what range of IP addresses you're in, but for the most part you should just get used to it as it's a common thing. You can filter them out, but it's really costly in terms of system resources to do so. I just mostly ignore the Windows-related stuff. If you think it's bad now, just wait until the next Microsoft IIS exploit comes out. You'll be wishing you could pipe your logs to /dev/null.
 
Old 12-31-2003, 01:09 AM   #3
Inexactitude
Member
 
Registered: Oct 2003
Distribution: Slackware 12.2, Ubuntu 9.04
Posts: 477

Original Poster
Rep: Reputation: 30
Okay, I was just amazed that I was being scanned by nimda in such a short time. I was barely online and the scans started coming in. It seems that they come in every few hours.
Thanks.
 
Old 12-31-2003, 01:49 AM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Most people don't realize how nasty the 'net can be, so seeing your Apache logs fill with malicious traffic can be kind of startling at first. You'll notice that some of the worms/viruses have a pretty static level, while others like several of the Code Red worms have engines that only attack hosts on certain parts of the month. It's been a while, but I think a couple of them will only scan for vulnerable hosts after the 19th or something like that. So on the 19th of every month you'd walk in and see your Apache logs fill with hundreds of the Code Red trademark XXXXXXXXXXX or NNNNNNNNNNNNN buffer overflow attempts. Kind of amusing looking back on it. Most variants were hard-coded not to spread after a certain date, so you don't see them nearly as much.

But you'll see plenty of IIS exploits, people hunting for open proxies, spiders looking for email addresses, etc. What you'll want to keep your eyes open for is concerted probing: someone starting out doing some info and banner-grabbing, then moving on to more malicious things like trying Linux and even distro-specific exploits. It can be hard to spot that in the sea of noise, and the more proficient the attacker the less obvious it will be. In general though, if you make sure to keep up to date with any patches for Apache and are smart about your system's security overall, you should be alright.
 
Old 01-09-2004, 04:42 PM   #5
katmai90210
Member
 
Registered: Nov 2003
Location: Romania
Distribution: Redhat Linux , Fedora & SuSe
Posts: 46

Rep: Reputation: 15
If you keep your Apache up to date you need not worry ... if you keep your server up to date you don't need to worry much ...
 
Old 01-09-2004, 05:32 PM   #6
zepplin611
Member
 
Registered: Jan 2004
Distribution: AIX 4.3 RH 7,8,9 / Fedora C1/
Posts: 187

Rep: Reputation: 30
can you post a sample of what your Apache logs looked like...that is, the scans and malicious activity?

thanks
 
Old 01-09-2004, 10:45 PM   #7
Inexactitude
Member
 
Registered: Oct 2003
Distribution: Slackware 12.2, Ubuntu 9.04
Posts: 477

Original Poster
Rep: Reputation: 30
Sure. A scan for nimda would look something like this in your error log:

Code:
[Mon Jan  5 05:11:51 2004] [error] [client 24.2.175.163] File does not exist: /scripts/root.exe
[Mon Jan  5 05:11:52 2004] [error] [client 24.2.175.163] File does not exist: MSADC/root.exe
[Mon Jan  5 05:11:52 2004] [error] [client 24.2.175.163] File does not exist: /c/winnt/system32/cmd.exe
[Mon Jan  5 05:11:53 2004] [error] [client 24.2.175.163] File does not exist: /d/winnt/system32/cmd.exe
[Mon Jan  5 05:11:53 2004] [error] [client 24.2.175.163] File does not exist: /scripts/..%5c../winnt/system32/cmd.exe
[Mon Jan  5 05:11:54 2004] [error] [client 24.2.175.163] File does not exist: /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Mon Jan  5 05:11:55 2004] [error] [client 24.2.175.163] File does not exist: /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Mon Jan  5 05:11:55 2004] [error] [client 24.2.175.163] File does not exist: /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe
[Mon Jan  5 05:11:56 2004] [error] [client 24.2.175.163] File does not exist: /scripts/..Á../winnt/system32/cmd.exe
[Mon Jan  5 05:11:57 2004] [error] [client 24.2.175.163] File does not exist: /scripts/..À¯../winnt/system32/cmd.exe
[Mon Jan  5 05:11:57 2004] [error] [client 24.2.175.163] File does not exist: /scripts/..Áœ../winnt/system32/cmd.exe
[Mon Jan  5 05:11:59 2004] [error] [client 24.2.175.163] File does not exist: /scripts/..%5c../winnt/system32/cmd.exe
[Mon Jan  5 05:12:00 2004] [error] [client 24.2.175.163] File does not exist: /scripts/..%2f../winnt/system32/cmd.exe
Also other weird traffic shows up in the logs, such as connections to ports like 1.3.3.7, attempts to use the server as a proxy, long URLs.
You kind of can tell if something is seriously probing; the thousands of GET requests from nikto are fairly easy to find if someone isn't using evasion detection.
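As an added illustration (not from the original post), the following script picks the worm-style requests out of an Apache 1.3/2.0 error_log of the kind shown above and tallies them per client, so the noise Capt_Caveman describes can be separated from ordinary 404s. The log lines, the signature names and the TEST-NET client addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Apache 1.3/2.0 error_log line as it appears in the post above (the mangled
# characters are the raw %c0%af / %c1%9c bytes decoded as Latin-1 by Apache).
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"File does not exist: (?P<path>.*)$")

# Signatures for IIS-worm probes (Nimda / Code Red II style). None of these
# paths can ever be served legitimately by Apache, so flagging them is safe.
SIGNATURES = [
    ("iis-backdoor", re.compile(r"root\.exe$", re.I)),
    ("cmd.exe-request", re.compile(r"/winnt/system32/cmd\.exe$", re.I)),
    ("encoded-traversal", re.compile(r"\.\.(%5c|%2f|%c0%af|%c1%9c)", re.I)),
    ("mangled-utf8-traversal", re.compile("\\.\\.[\u00c0\u00c1]")),
]

def classify(path):
    """Return the names of every signature the requested path matches."""
    return [name for name, rx in SIGNATURES if rx.search(path)]

def scan_error_log(lines):
    """Tally probe hits and ordinary 404s per client IP."""
    report = defaultdict(lambda: {"probes": 0, "benign_404s": 0, "signatures": set()})
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not a "File does not exist" line; ignore
        hits = classify(m["path"])
        entry = report[m["ip"]]
        if hits:
            entry["probes"] += 1
            entry["signatures"].update(hits)
        else:
            entry["benign_404s"] += 1
    return dict(report)

# Constructed sample modelled on the excerpt above (TEST-NET addresses).
SAMPLE_LOG = [
    "[Mon Jan  5 05:11:51 2004] [error] [client 192.0.2.10] File does not exist: /scripts/root.exe",
    "[Mon Jan  5 05:11:52 2004] [error] [client 192.0.2.10] File does not exist: /c/winnt/system32/cmd.exe",
    "[Mon Jan  5 05:11:53 2004] [error] [client 192.0.2.10] File does not exist: /scripts/..%5c../winnt/system32/cmd.exe",
    "[Mon Jan  5 05:11:57 2004] [error] [client 192.0.2.10] File does not exist: /scripts/..\u00c0\u00af../winnt/system32/cmd.exe",
    "[Mon Jan  5 06:02:10 2004] [error] [client 192.0.2.77] File does not exist: /favicon.ico",
]

if __name__ == "__main__":
    for ip, info in sorted(scan_error_log(SAMPLE_LOG).items()):
        print(ip, "PROBE" if info["probes"] else "ok", dict(info))
```

To run it against a real file, open error_log with encoding="latin-1" and pass the file object to scan_error_log().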
 
Old 01-10-2004, 01:00 AM   #8
katmai90210
Member
 
Registered: Nov 2003
Location: Romania
Distribution: Redhat Linux , Fedora & SuSe
Posts: 46

Rep: Reputation: 15
Well, I get all sorts of scans on my server as well every day ... but as I said ... if you keep your software up to date no need to worry ... I am currently running httpd 2.0.48 with php 4.3.4, proftpd 1.2.9, mysql 4.0.17 and openssh 3.7.p2 ... all I need now is to make it stealth ...
 
Old 01-10-2004, 02:29 PM   #9
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Keeping your software updated is by no means the only step you should take in securing your box. Proper firewalling/access control, turning off unneeded services, setting up a NIDS, and installing a file integrity scanner are all equally important steps in locking down your system.
 
Old 01-10-2004, 05:25 PM   #10
Inexactitude
Member
 
Registered: Oct 2003
Distribution: Slackware 12.2, Ubuntu 9.04
Posts: 477

Original Poster
Rep: Reputation: 30
Also, make sure that all services are configured properly, especially ones that are available from the internet.
 
Old 01-10-2004, 06:26 PM   #11
katmai90210
Member
 
Registered: Nov 2003
Location: Romania
Distribution: Redhat Linux , Fedora & SuSe
Posts: 46

Rep: Reputation: 15
Quote:
Originally posted by Capt_Caveman
setting up a NIDS, and installing a file integrity scanner
Capt_Caveman, could you tell me more about those two things?
 
Old 01-10-2004, 08:07 PM   #12
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
NIDS is an acronym for Network Intrusion Detection System. These are programs that analyze network traffic in order to detect port scans, attacks and other malicious traffic. In most cases they are simply rule-based and attempt to match traffic to what those rules define as being "bad traffic". They are extremely helpful in alerting you to the scans and probes that often precede an attack or system compromise. Some even allow you to dynamically block traffic from a remote host if it detects malicious traffic. I've also seen (but never used) some NIDS which can do dynamic learning of what is "normal" traffic and then alert you when it detects something it considers abnormal (i.e. one of your hosts mysteriously sprouts an FTP server and starts producing Mb of traffic at 2am). There are lots available, with varying amounts of complexity, but some of the more common ones are Snort and PortSentry.

A file integrity scanner is a piece of software which essentially detects changes in your filesystem. Of course you change your file system just by booting your system, but one of the best ways to detect compromise is to look for filesystem changes that indicate a rootkit has been installed and your system commands have been replaced with hacked versions that are designed to hide files that a cracker has placed on your system. That's actually how the compromises of the Debian, Gentoo, and FSF servers were discovered and the then-unknown do_brk() exploit was identified. Usually a file integrity scanner functions by going through your entire system and making a hash of each file, which it then enters into an encrypted database. When it performs a scan, it does the same thing but then compares the hash of each file to the hash in the database. Some include the file permissions and alteration dates in the hash as well. There are a bunch of these available as well: tripwire, AIDE, AFICK, Samhain, etc.

The Security References thread has links to most of those tools as well as more comprehensive docs:
http://www.linuxquestions.org/questi...threadid=45261
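The hash-and-compare cycle Capt_Caveman describes, as an added example that is not part of the thread or of tripwire/AIDE: each regular file is fingerprinted (SHA-256 of the contents plus mode, owner, size and mtime), the baseline is stored, and a later scan is diffed against it to report added, removed and modified files. The sample tree, the "ls" and "motd" file names and the tampering in demo() are constructed for the example.

```python
import hashlib, json, os, stat, tempfile
from pathlib import Path

def fingerprint(path: Path) -> dict:
    """Hash the contents and record metadata a trojaned binary would disturb."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = path.lstat()
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "size": st.st_size, "mtime": int(st.st_mtime)}

def build_baseline(root: Path) -> dict:
    """Fingerprint every regular file under root, keyed by relative path."""
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}

def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots; 'modified' names the fields that changed per file."""
    changes = {"added": sorted(set(current) - set(baseline)),
               "removed": sorted(set(baseline) - set(current)), "modified": {}}
    for name in sorted(set(baseline) & set(current)):
        diff = [k for k in baseline[name] if baseline[name][k] != current[name][k]]
        if diff:
            changes["modified"][name] = diff
    return changes

def save_baseline(baseline: dict, dest: Path) -> None:
    # The baseline must live where an intruder cannot rewrite it (read-only
    # media or another host); the real tools sign or encrypt it for that reason.
    dest.write_text(json.dumps(baseline, sort_keys=True))

def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())

def demo() -> dict:
    """Snapshot a constructed tree, tamper with it, rescan and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root, db = Path(tmp) / "sys", Path(tmp) / "baseline.json"
        (root / "bin").mkdir(parents=True)
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "etc" / "motd").write_text("welcome\n")
        save_baseline(build_baseline(root), db)
        # Simulated compromise: swapped setuid binary, new hidden file, removed config
        (root / "bin" / "ls").write_bytes(b"replaced ls binary")
        os.chmod(root / "bin" / "ls", 0o4755)
        (root / "bin" / ".hidden").write_bytes(b"payload")
        (root / "etc" / "motd").unlink()
        return compare(load_baseline(db), build_baseline(root))
```

Calling demo() returns the change report; pointing build_baseline() at / (as root, with the baseline kept off-host) gives the same check for a real system.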
 
Old 01-11-2004, 10:18 PM   #13
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Quote:
Originally posted by katmai90210
Well, I get all sorts of scans on my server as well every day ... but as I said ... if you keep your software up to date no need to worry ... I am currently running httpd 2.0.48 with php 4.3.4, proftpd 1.2.9, mysql 4.0.17 and openssh 3.7.p2 ... all I need now is to make it stealth ...
Is that a publicly accessible webserver? If yes, then attempting to "stealth" a publicly accessible server is like camouflaging the fort to blend into the mountain yet painting the front gate hot pink. Running publicly accessible services on your computer makes your server visible on the network.
 
Old 01-11-2004, 10:52 PM   #14
zepplin611
Member
 
Registered: Jan 2004
Distribution: AIX 4.3 RH 7,8,9 / Fedora C1/
Posts: 187

Rep: Reputation: 30
Inexactitude --> where on the machine (directory and file name) did you find this error?

thanks!
 
Old 01-11-2004, 11:09 PM   #15
Inexactitude
Member
 
Registered: Oct 2003
Distribution: Slackware 12.2, Ubuntu 9.04
Posts: 477

Original Poster
Rep: Reputation: 30
It's in the /var/log/httpd-error.log. Also, you can see who is accessing the server with /var/log/httpd-access.log.
 
All times are GMT -5. The time now is 12:16 AM.