Possible Apache exploit / 404 NOT FOUND
Can anyone tell me how I would find out what someone was trying to run against my Apache server?
On Thursday, I saw this entry from logwatch under 404 NOT FOUND:
Quote:
and got the following display on my screen.
Code:
q1w2e3r4t5y6u7i8o9p0*a-b:
|
It could be someone looking for a vulnerable php script - but since it's not on your server, it's probably not worth worrying about.
|
It's also possible that it's an automated search for unprotected proxy servers. Last night I got a web request in my logs from 218.71.245.2 trying to proxy a request to umsky.com:
Code:
218.71.245.2 - - [01/Jan/2006:17:29:19 +1000] "GET http://umsky.com/px.php?p=q1w2e3r4t5y6u7i8o9p0q&f=proxy&p=203.206.82.44:80&sv=0&r=44543 HTTP/1.1" 403 208 "http://umsky.com/ref.php?r=58491" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
Here's the output from http://www.apnic.net/apnic-bin/whois.pl for 218.71.245.2:
Code:
inetnum: 218.71.192.0 - 218.71.255.255
Code:
inetnum: 202.101.165.128 - 202.101.165.191
|
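As an added example (not code from any poster in this thread), this Python script scans Apache combined-format access log lines for proxy-style requests like the one quoted above: a CONNECT method or an absolute URI as the request target. It groups them by source IP and marks any that got a 2xx status for review. The function names are hypothetical, and the sample lines are constructed with documentation IP ranges and example hostnames.

```python
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.IGNORECASE)

def is_proxy_probe(method, target):
    """Origin requests carry a path ("/index.html"); proxy-style requests
    use CONNECT or an absolute URI ("http://other-host/...")."""
    return method == "CONNECT" or SCHEME_RE.match(target) is not None

def find_proxy_probes(lines):
    """Return {ip: [(time, method, target, status, needs_review), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_proxy_probe(m["method"], m["target"]):
            continue
        status = int(m["status"])
        # A 2xx does not prove the request was relayed (Apache may have
        # served a local page instead), so it is flagged for a manual check
        # of the proxy configuration rather than reported as a finding.
        needs_review = 200 <= status < 300
        hits[m["ip"]].append(
            (m["time"], m["method"], m["target"], status, needs_review))
    return dict(hits)

# Constructed sample lines (documentation IP ranges, example hostnames).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2006:17:29:19 +1000] "GET http://proxy-check.example.net/px.php?f=proxy HTTP/1.1" 403 208 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [01/Jan/2006:17:30:02 +1000] "CONNECT mail.example.org:25 HTTP/1.0" 405 312 "-" "-"',
    '203.0.113.5 - - [01/Jan/2006:17:31:44 +1000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [01/Jan/2006:17:32:10 +1000] "GET http://proxy-check.example.net/ HTTP/1.1" 200 1043 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for ip, events in find_proxy_probes(SAMPLE).items():
        for when, method, target, status, needs_review in events:
            verdict = "REVIEW proxy config" if needs_review else "refused"
            print(f"{ip} [{when}] {method} {target} -> {status} ({verdict})")
```
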
Quote:
It's also possible that it's an automated search for unprotected proxy servers.
Yes, it is a script for testing proxies and it's not that good.
|
You can run Snort and take a look at the alert logs. The logs show the exploit and offending IP address. I move them to my blacklist on the firewall.
|
Report it to postmaster@dcb.hz.zj.cn, and possibly also anti-spam@mail.tzptt.zj.cn, anti-spam@ns.chinanet.cn.net and antispam@dcb.hz.zj.cn (I know it wasn't spam, but those are the addresses registered on Abuse.net).
|