spike in 401, 402, and 403 apache log entries.

rioguia · 12-11-2005, 03:05 PM

For the past several weeks, my httpd logs (as reported by logwatch) have seen a huge 5000% upswing in 401, 403, and 404 entries. Most of them seem associated with login url's (see below). At first I thought it was just some errant search spider and checked and rechecked my robots.txt files (for some reason these are reported not found) Some of this software has never been installed on my server.

Today I noticed a log with an apparent web vulnerability scanner:

400 Bad Request /: 1 Time(s) /w00tw00t.at.ISC.SANS.DFind

: 1
according to http://isc.sans.org/diary.php?storyid=900

Is this the Lupper Worm discussed at this thread
http://www.linuxquestions.org/questi...d.php?t=381248
or is it a separate problem?

My logs are as follows:
401 Unauthorized
/?%22Vocal_Arrangement%22_from_Edweek.org&login: 1 Time(s)
/?&login: 15 Time(s)
/?Animation&login: 2 Time(s)
(24 other similar itterations omitted for brevity.

/?Who_We_Are&login: 4 Time(s)
/files: 2 Time(s)
/files/: 2 Time(s)
/files2: 1 Time(s)
/files2/: 1 Time(s)
/index.php?name=Members_List: 1 Time(s)
/usage/vh06: 1 Time(s)
403 Forbidden
/files/: 2 Time(s)
/files2/: 13 Time(s)
/files2/webadmin.php: 1 Time(s)
/plans/theme/: 1 Time(s)
/slide/?directory=upload&currentPic=15: 1 Time(s)
404 Not Found
/%20%20%20Dec%2023,%202004: 2 Time(s)
/UPLOAD/index.php: 1 Time(s)
/UPLOAD/index.php?action=view&filename=temp.jpg&directory=&: 1 Time(s)
/awstats/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
/backend.php: 1 Time(s)
/blog/xmlrpc.php: 1 Time(s)
/blog/xmlsrv/xmlrpc.php: 1 Time(s)
/blogs/xmlsrv/xmlrpc.php: 1 Time(s)
/cgi-bin/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
/cgi-bin/awstats/awstats.pl?configdir=|ech ... cho%20YYY;echo|: 1 Time(s)
/awstats/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
/backend.php: 1 Time(s)
/blog/xmlrpc.php: 1 Time(s)
/drupal/xmlrpc.php: 1 Time(s)

/favicon.ico: 93 Time(s)
/files3/qtof.php: 1 Time(s)
/files3/qtofm.php: 1 Time(s)
/files9/: 1 Time(s)
/images/css.gif: 1 Time(s)
/images/html401.gif: 1 Time(s)
/mrcstudio.com/images/bannerkargermrcookie.gif: 2 Time(s)
/phpgroupware/xmlrpc.php: 1 Time(s)
/plans_7.0/plans.cgi?active_tab=1: 1 Time(s)
/plans_7.0/plans.cgi?active_tab=2: 1 Time(s)
/plans_7.0/plans.cgi?active_tab=2&add_edit_cal_action=add: 1

(15 similar iterations to the above omitted)

/robots.txt: 26 Time(s)
/slide/phpslideshow.php?directory=photomanager: 2 Time(s)
/sumthin: 1 Time(s)
/templates/black/flowHeaderBG2.jpg: 1 Time(s)
/templates/black/flowNavBG.jpg: 1 Time(s)
/templates/black/images/middle_bg.jpg: 1 Time(s)
/templates/green/menu/doc.gif: 10 Time(s)
/templates/greennews/menu/doc.gif: 6 Time(s)
/ultramode.txt: 1 Time(s)
/webadmin.php: 1 Time(s)
/wordpress/xmlrpc.php: 1 Time(s)
/xmlrpc.php: 2 Time(s)
/xmlrpc/xmlrpc.php: 1 Time(s)
/xmlsrv/xmlrpc.php: 1 Time(s)

Capt_Caveman · 12-11-2005, 07:53 PM

For the past several weeks, my httpd logs (as reported by logwatch) have seen a huge 5000% upswing in 401, 403, and 404 entries.
Are these from relatively random IP addresses or from a single host or domain?

400 Bad Request /: 1 Time(s) /w00tw00t.at.ISC.SANS.DFind: 1 according to http://isc.sans.org/diary.php?storyid=900 Is this the Lupper Worm discussed at this thread http://www.linuxquestions.org/questi...d.php?t=381248 or is it a separate problem?
No, it's not lupper, but if you look at the advisory you'll see it's a vulnerability scanner. However, some of the URLs that you posted below that do look like lupper (the xmlrpc.php, drupal, and awstats stuff). Not sure what a few of the other things are, several look like attempts to proxy (like the edweek.org and mrcstudio.com) though I can't tell without seeing the entire Apache error message. You also hav a few other random scanners mixed in, like the /sumthin banner-grabber.

As long as you are getting 4xx codes for those requests and either don't have any of that software installed (PHP, awstats, drupal) or have it all kept updated with security patches, then you should be alright. You may want to think about banning any IPs that repeatedly try to abuse the server and you might also want to look into mod_security.

You also said you had a massive increase in log entries. How many of these are login attempts? Do you even do any authentication, like htaccess or basic auth on this server? If so, do the login attempts look like a bruteforce attempt.

Also you might want to take a look at the Apache logs directly rather than the logwatch summary.