strange logwatch security entry
I use LogWatch on my system. I found the following entry:
--------------------- httpd Begin ------------------------
10.66 MB transferred in 89 responses (1xx 0, 2xx 80, 3xx 1, 4xx 8, 5xx 0)
27 Images (10.37 MB),
60 Content pages (0.29 MB),
2 Other (0.00 MB)
Attempts to use known hacks by 1 hosts were logged 2 time(s) from:
80.154.35.16: 2 Time(s)
passwd$ 1 Time(s)
/\.\./\.\./\.\./ 1 Time(s)
A total of 1 sites probed the server
80.154.35.16
----------------------
What's this? Ok, so I'm guessing he used a port scanner on me - that's what "probed" means, right? (My server is behind a router and its firewall blocks all ports except 80.)
But what the hell is "passwd$" and "/\.\./\.\./\.\./"? I tried looking in /etc/httpd/log to get more information, but it appears that the system has already deleted the logfile which might have contained entries from this date. (Yeah, I know I need to stay on top of this stuff better.) Is there another way to tell if there was a successful intrusion here?
By seeing the words "known hacks," can I assume that my HTTP daemon is already wise to the tricks that the blackhat was using, and therefore that it successfully blocked him?
Thanks in advance.
Last edited by cylarz; 08-11-2009 at 01:06 AM.
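Added example, not part of the original post: a small Python check that treats the two strings from the report, "passwd$" and "/\.\./\.\./\.\./", as regular expressions matched against the requested URL (an assumption based on how the report prints them). It lists each matching request in an Apache-format access log with the status code the server returned. The sample log lines and the 2xx/3xx "needs review" heuristic are constructed for illustration.

```python
import re

# The two patterns exactly as printed in the LogWatch report, treated as
# regular expressions applied to the requested URL (assumption).
PATTERNS = [r"passwd$", r"/\.\./\.\./\.\./"]

# Apache common/combined log format: host ident user [time] "request" status size
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"\S+ (?P<url>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)

# Constructed sample lines using documentation addresses, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [09/Aug/2009:10:00:01 -0700] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [09/Aug/2009:10:02:13 -0700] "GET /etc/passwd HTTP/1.0" 404 208
198.51.100.7 - - [09/Aug/2009:10:02:14 -0700] "GET /../../../etc/hosts HTTP/1.0" 400 226
203.0.113.5 - - [09/Aug/2009:11:00:00 -0700] "GET /view.php?page=/../../../etc/passwd HTTP/1.1" 200 1873
"""


def find_probes(log_text):
    """Return one record per request whose URL matches a report pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        matched = [p for p in PATTERNS if re.search(p, m["url"])]
        if matched:
            status = int(m["status"])
            hits.append({
                "host": m["host"], "url": m["url"], "status": status,
                "patterns": matched,
                # Heuristic: 2xx/3xx means the server served something for
                # this URL, so the response needs a manual look; 4xx/5xx
                # means the request was refused or failed.
                "needs_review": 200 <= status < 400,
            })
    return hits


def hosts_needing_review(hits):
    """Hosts with at least one matching request that was not refused."""
    return sorted({h["host"] for h in hits if h["needs_review"]})


if __name__ == "__main__":
    for h in find_probes(SAMPLE_LOG):
        flag = "REVIEW" if h["needs_review"] else "refused"
        print(h["host"], h["status"], flag, h["url"], h["patterns"])
```

A matching request with a 2xx status is not proof of compromise; it only marks a response whose content should be inspected by hand.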