locating log showing hacking?
Recently, I had a knucklehead try to hack my server. The LogWatch report showed he/she tried to get in. I did a whois on the IP, and notified the ISP. They want to see my log file. I have checked access_log, error_log, messages, and secure, and can't find it. Does LogWatch look for these types of hacks in a different log? I am running Fedora Core 2.
thanks in advance! Ralph

--------------------- httpd Begin ------------------------

 1.32 MB transfered in 247 responses (1xx 0, 2xx 180, 3xx 33, 4xx 34, 5xx 0)
     101 Images (525024 bytes),
       0 Documents (0 bytes),
       0 Archives (0 bytes),
       0 Sound files (0 bytes),
       0 Movies files (0 bytes),
      16 Windows executable files (4881 bytes),
     108 Content pages (650504 bytes),
       3 Redirects (648 bytes),
       0 Proxy Configuration Files (0 bytes),
       0 Program source files (0 bytes),
       0 CD Images (0 bytes),
      19 Other (200615 bytes)

 Attempts to use 3 known hacks were logged 32 time(s)
    cmd.exe by 66.47.226.71 14 time(s)
    \/c\+dir by 66.47.226.71 16 time(s)
    root.exe by 66.47.226.71 2 time(s)

 A total of 1 sites probed the server
    66.47.226.71
In Fedora, you can find log messages in /var/log/messages, /var/log/secure, and http-specific messages in /var/log/httpd/access_log.
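The "known hacks" LogWatch summarises come from the Apache access_log, so the lines to forward to the ISP can be pulled out with grep. The script below is an added example, not code from the thread; it assumes the Fedora path /var/log/httpd/access_log in combined log format, and the sample log it builds is constructed (the request strings are the three signatures from the report above, with the source IP from the report and two placeholder addresses).

```shell
#!/bin/sh
# Added example: extract the access_log requests behind a LogWatch
# "Attempts to use N known hacks" summary and count them per source IP.
# Assumes Apache combined log format (source IP is the first field).

# The three signatures LogWatch reported: cmd.exe, root.exe and /c+dir.
# In ERE, "\." and "\+" match a literal dot and plus sign.
HACK_PATTERN='cmd\.exe|root\.exe|/c\+dir'

# Print every request line in the given log that matches a signature.
# Usage: extract_hack_lines /var/log/httpd/access_log > evidence.txt
extract_hack_lines() {
    grep -E "$HACK_PATTERN" "$1"
}

# Count matching requests per source IP, highest first; this is the
# per-site view LogWatch gives, but with the raw lines still available.
count_by_ip() {
    extract_hack_lines "$1" | awk '{print $1}' | sort | uniq -c | sort -rn
}

# Write a constructed sample log (stand-in for a real access_log).
make_sample_log() {
    cat > "$1" <<'EOF'
66.47.226.71 - - [10/Oct/2004:03:12:01 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 289 "-" "-"
10.0.0.5 - - [10/Oct/2004:03:12:05 -0500] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
66.47.226.71 - - [10/Oct/2004:03:12:07 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289 "-" "-"
192.0.2.9 - - [10/Oct/2004:03:13:00 -0500] "GET /cgi-bin/../winnt/system32/cmd.exe HTTP/1.0" 404 289 "-" "-"
EOF
}

# Run with --demo to see the output on the constructed sample log.
if [ "${1:-}" = "--demo" ]; then
    TMP=$(mktemp)
    make_sample_log "$TMP"
    echo "== matching request lines =="
    extract_hack_lines "$TMP"
    echo "== requests per source IP =="
    count_by_ip "$TMP"
    rm -f "$TMP"
fi
```

On a real system, point extract_hack_lines at the rotated files too (access_log.1, access_log.2 and so on), since LogWatch reports on the previous day and logrotate may already have moved the lines.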
For what it's worth, those 32 known exploits are Windows exploits. cmd.exe and root.exe are the Windows command shell (actually root.exe is usually a copy of cmd.exe that is created by infection with the Code Red Windows worm). Probe/exploit attempts like the one you saw are very often automated scans by Windows systems infected with the Nimda worm (another Windows-only worm).