LinuxQuestions.org
Old 02-18-2006, 09:56 AM   #1
mdw10
LQ Newbie
 
Registered: Oct 2004
Posts: 4

Rep: Reputation: 0
Logwatch: suspicious output


Dear All,

I have just set up my FC box to be a webserver (latest updates installed). In my logwatch entry I get the following messages, have I been hacked already??? Any help is appreciated...

--------------------- httpd Begin ------------------------


Requests with error response codes
401 Unauthorized
/phpMyAdmin-2.7.0-pl1/: 4 Time(s)
/phpMyAdmin-2.7.0-pl1/db_details_structure ... utf8_general_ci: 2 Time(s)
/phpMyAdmin-2.7.0-pl1/left.php?&server=1&d ... utf8_general_ci: 2 Time(s)
404 Not Found
/articles/mambo/index2.php?_REQUEST[option ... cho%20YYY;echo|: 2 Time(s)
/blog/xmlrpc.php: 2 Time(s)
/blog/xmlsrv/xmlrpc.php: 2 Time(s)
/blogs/xmlsrv/xmlrpc.php: 2 Time(s)
/cvs/index2.php?_REQUEST[option]=com_conte ... cho%20YYY;echo|: 2 Time(s)
/cvs/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 2 Time(s)
/drupal/xmlrpc.php: 2 Time(s)
/index2.php?option=com_content&do_pdf=1&id ... cho%20YYY;echo|: 2 Time(s)
/mambo/index2.php?_REQUEST[option]=com_con ... cho%20YYY;echo|: 2 Time(s)
/phpgroupware/xmlrpc.php: 2 Time(s)
/wordpress/xmlrpc.php: 2 Time(s)
/xmlrpc.php: 3 Time(s)
/xmlrpc/xmlrpc.php: 1 Time(s)
/xmlsrv/xmlrpc.php: 1 Time(s)
405 Method Not Allowed
/wwwdir: 3 Time(s)
503 Service Unavailable
/moodle/: 1 Time(s)

---------------------- httpd End -------------------------
 
Old 02-18-2006, 11:19 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,417
Blog Entries: 55

Rep: Reputation: 3627
Quote: "have I been hacked already"
The reported lines are probes for software with known vulnerabilities like PHP's XMLRPC handling. If you don't run any of that software, or if you *made sure* you run *verified safe* versions (updated to latest), these probes should not have been successful, and the 4xx and 5xx error codes provide positive indication of that. This does not mean there are other vectors of attack (for instance because it does not get reported). Please make sure your host is hardened properly, you update your software regularly, audit the box regularly and that you have accessible software properly ACL'ed (daemon configs, Xinetd, TCP wrappers, firewall) where applicable.

Please check out the LQ FAQ: Security references for more.

Last edited by unSpawn; 02-18-2006 at 01:33 PM. Reason: //Correct myself: reporting alone isn't 100% proof.
 
Old 02-18-2006, 02:11 PM   #3
mdw10
LQ Newbie
 
Registered: Oct 2004
Posts: 4

Original Poster
Rep: Reputation: 0
I do run phpMyAdmin-2.7.0-pl1. Where can I find out the IP for this unauthorized entry? (It may have been me.)

Thx 4 the help
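One way to find the client IP behind the entries in the logwatch report is to read the web server's access log directly. The script below is an added example, not code from anyone in this thread: it assumes Apache's common/combined log format (on Fedora's httpd package the log is normally /var/log/httpd/access_log, stated here as an assumption), and the sample lines are constructed. It also lists any probed path that was answered with a 2xx status, which the "error response codes" section of logwatch does not show.

```python
import re
from collections import defaultdict

# Apache common/combined format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)

# Path fragments taken from the logwatch report in this thread.
PROBE_MARKERS = ("xmlrpc.php", "index2.php", "/phpMyAdmin-2.7.0-pl1/")

# Constructed sample lines (documentation IP ranges), not from the poster's server.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Feb/2006:03:12:01 -0500] "GET /phpMyAdmin-2.7.0-pl1/ HTTP/1.1" 401 480 "-" "Mozilla/5.0"
192.0.2.10 - webadmin [18/Feb/2006:03:12:09 -0500] "GET /phpMyAdmin-2.7.0-pl1/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Feb/2006:04:40:13 -0500] "POST /xmlrpc.php HTTP/1.1" 404 290 "-" "-"
203.0.113.7 - - [18/Feb/2006:04:40:14 -0500] "POST /blog/xmlrpc.php HTTP/1.1" 404 295 "-" "-"
203.0.113.7 - - [18/Feb/2006:04:40:15 -0500] "GET /mambo/index2.php?_REQUEST[option]=com_content HTTP/1.1" 404 300 "-" "-"
198.51.100.23 - - [18/Feb/2006:05:01:44 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
not a log line
"""

def parse(lines):
    """Yield (ip, user, path, status) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = m.group("request").split()
        path = parts[1] if len(parts) >= 2 else m.group("request")
        yield m.group("ip"), m.group("user"), path, int(m.group("status"))

def summarize(lines):
    """Per client IP: status counts for probe-like paths, plus any answered 2xx."""
    report = defaultdict(lambda: {"statuses": defaultdict(int), "answered": []})
    for ip, user, path, status in parse(lines):
        if not any(marker in path for marker in PROBE_MARKERS):
            continue
        entry = report[ip]
        entry["statuses"][status] += 1
        if 200 <= status < 300:
            entry["answered"].append((path, user))
    return report

if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG.splitlines()).items():
        print(ip, dict(entry["statuses"]), "2xx:", entry["answered"])
```

A 401 followed by a 200 from the same address with a known user name is the normal pattern of a browser login prompt; an address that only collects 404s across many CMS paths matches the probes in the report.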
 
All times are GMT -5.