newbie question: do these logs show a hack attempt
LinuxQuestions.org, Linux - Security forum
Hello,
I am new to Linux, liking it much more than Windows every day. I have set up a very simple server and was wondering if someone could look at the access_log files and tell me if they look suspicious.
Or is it just harmless server chatter.
I noticed they were trying to execute?? .../cmd.exe, root.exe and c+dir commands.
By the way, can anyone tell me how to get good real-time monitoring for a small server, i.e. to see who's online and how long they have been browsing etc.? I have looked in my bible and online and can find nothing comprehensive about it, except for /server-info and /server-status, both of which I cannot seem to get working.
IIRC, that looks like a Nimda scan. It's a Microsoft worm that looks for a series of exploits in MS IIS webservers. Aside from the annoying amount of length they take up in your access_log files, they are harmless to all non-Microsoft webservers.
Several of the lines look for common misconfigurations, several attempt to execute commands by using the double-decode weakness to move into the server root. Either way you don't have to worry.
server-status is usually running by default. Access might be restricted to the loopback interface (http://127.0.0.1/server-status).
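To make the "is this a Nimda scan?" check repeatable, here is an added example (not code from the thread or from any project mentioned in it) that parses Apache access_log lines, decodes the request path twice so double-encoded sequences collapse to what IIS would have seen, and flags the indicators the reply names: cmd.exe, root.exe, "c+dir" and double-decoded directory traversal. The log lines are constructed samples modelled on the worm's well-known probes; the addresses and timestamps are made up.

```python
import re
from urllib.parse import unquote

# Constructed sample access_log lines (Apache combined format). The first three are
# modelled on Nimda-style IIS probes; the last two are ordinary browsing.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2003:13:55:36 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
203.0.113.5 - - [10/Oct/2003:13:55:37 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
203.0.113.5 - - [10/Oct/2003:13:55:38 -0700] "GET /_vti_bin/..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
198.51.100.7 - - [10/Oct/2003:14:01:02 -0700] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2003:14:01:05 -0700] "GET /images/logo.png HTTP/1.1" 200 5120 "http://example.com/" "Mozilla/5.0"
"""

# Common/combined log format: client, ident, user, [timestamp], "METHOD path proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Substrings that only make sense against a Windows/IIS host; on Apache they are noise.
INDICATORS = ("cmd.exe", "root.exe", "/c+dir", "winnt/system32")


def classify(line):
    """Return a dict describing one log line, or None if it does not parse.

    'reasons' is empty for lines that look like normal traffic.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    once = unquote(path)       # what a correctly behaving server decodes
    twice = unquote(once)      # what the IIS double-decode bug produced
    low = twice.lower()
    reasons = [ind for ind in INDICATORS if ind in low]
    if once != twice:
        # The path only changes on a second decode if it carried %25xx / %%xx sequences.
        reasons.append("double-encoded characters")
    if "..\\" in twice or "../" in twice:
        reasons.append("directory traversal")
    return {
        "ip": m.group("ip"),
        "path": path,
        "status": int(m.group("status")),
        "reasons": reasons,
    }


def scan(log_text):
    """Return the parsed entries that carry at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = classify(line)
        if entry and entry["reasons"]:
            hits.append(entry)
    return hits


def summarize(hits):
    """Count flagged requests per client address, so one scanner shows up as one line."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        # On a non-IIS server these should all be 404s; a 200 here would deserve a closer look.
        print(f'{h["ip"]} {h["status"]} {h["path"]}  <- {", ".join(h["reasons"])}')
    print(summarize(found))
```

Run it against a real file with `scan(open("/var/log/httpd/access_log").read())`; the per-address summary is usually all you need to confirm that the entries are one worm-infected host probing blindly rather than anything aimed at your server.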
However, could someone please help; I cannot seem to get .../server-status working at all. I have edited httpd.conf in the .../apache2/conf file
here is a bit from my httpd.conf
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Location>
I have turned extended server status on, and still nothing?
I am using Red Hat 9 with the latest downloaded Apache, and I cannot figure out why server-status is not working.
If it was working should there be a file called server-status in the /htdocs file?
If you have a static IP address, all you have to do is put that in there. You can even put in a partial address, like 192.168. (which would allow access from the whole subnet). So if you want to access the server status page from 192.168.1.2, your httpd.conf file would look like this:
#
# Allow server status reports, with the URL of http://servername/server-status
# Change the ".your-domain.com" to match your domain to enable.
#
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from 192.168.1.2
</Location>
Make sure that you are uncommenting the server status section as well as restarting Apache so that it re-reads the .conf file. If Apache is up and running, you should be able to access it. (I just tried this on a fresh install and it works.)
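Because the effect of an Order/Deny/Allow block is easy to get wrong, here is an added example (not from the thread and not Apache's own code) that models how Apache 1.3/2.0/2.2 evaluate `Order deny,allow` and `Order allow,deny` with `all`, full addresses, CIDR masks and the partial dotted prefixes the reply mentions. It is a simplified re-implementation of the documented rules, used here to check which clients a given `<Location /server-status>` block would let in; the three config fragments and client addresses are constructed for the demonstration.

```python
import ipaddress


def _parse_rules(config_lines):
    """Pull Order / Allow from / Deny from out of a block; ignore other directives."""
    order, allow, deny = None, [], []
    for raw in config_lines:
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "order" and len(parts) > 1:
            order = parts[1].lower()
        elif key in ("allow", "deny") and len(parts) > 2 and parts[1].lower() == "from":
            (allow if key == "allow" else deny).extend(parts[2:])
    return order, allow, deny


def _matches(pattern, client_ip):
    """'all', a CIDR network, a full address, or a partial prefix such as '192.168' / '192.168.'."""
    if pattern.lower() == "all":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    prefix = pattern.rstrip(".").split(".")          # partial prefixes match whole octets only
    return client_ip.split(".")[: len(prefix)] == prefix


def is_allowed(config_lines, client_ip):
    """Apply Apache's documented Order semantics to one client address."""
    order, allow, deny = _parse_rules(config_lines)
    allowed = any(_matches(p, client_ip) for p in allow)
    denied = any(_matches(p, client_ip) for p in deny)
    if order == "deny,allow":
        # Deny is evaluated first, Allow last. Requests matching neither are permitted,
        # and a request matching both is permitted, so Allow overrides Deny.
        return allowed or not denied
    if order == "allow,deny":
        # Allow first (must match at least one), then Deny; matching both is rejected.
        return allowed and not denied
    raise ValueError("block has no supported Order directive")


# Constructed config fragments for the check.
LOOPBACK_ONLY = [
    "<Location /server-status>",
    "SetHandler server-status",
    "Order deny,allow",
    "Deny from all",
    "Allow from 127.0.0.1",
    "</Location>",
]
SUBNET = [
    "<Location /server-status>",
    "SetHandler server-status",
    "Order deny,allow",
    "Deny from all",
    "Allow from 192.168.",
    "</Location>",
]
# Same as the reply's block but with "Deny from all" left out: with Order deny,allow the
# default is to allow, so this exposes server-status to every client.
MISSING_DENY = [
    "<Location /server-status>",
    "SetHandler server-status",
    "Order deny,allow",
    "Allow from 192.168.1.2",
    "</Location>",
]


def check(config_lines, clients):
    """Return {client_ip: allowed} for a block, for quick eyeballing before a restart."""
    return {ip: is_allowed(config_lines, ip) for ip in clients}


if __name__ == "__main__":
    probes = ["127.0.0.1", "192.168.1.2", "192.168.7.9", "192.169.1.1", "203.0.113.5"]
    for name, cfg in (("loopback only", LOOPBACK_ONLY), ("subnet", SUBNET), ("missing deny", MISSING_DENY)):
        print(name, check(cfg, probes))
```

The third fragment is the one to remember: with `Order deny,allow` the `Deny from all` line is what closes the page to the world, so leaving it out while adding an `Allow` silently opens server-status to everyone. (Apache 2.4 replaced these directives with `Require ip ...`, but the same "state the default explicitly" habit applies.)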