LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 08-11-2009, 01:02 AM   #1
cylarz
Distribution: CentOS 5
strange logwatch security entry


I use LogWatch on my system. I found the following entry:

--------------------- httpd Begin ------------------------

10.66 MB transferred in 89 responses (1xx 0, 2xx 80, 3xx 1, 4xx 8, 5xx 0)
27 Images (10.37 MB),
60 Content pages (0.29 MB),
2 Other (0.00 MB)

Attempts to use known hacks by 1 hosts were logged 2 time(s) from:
80.154.35.16: 2 Time(s)
passwd$ 1 Time(s)
/\.\./\.\./\.\./ 1 Time(s)

A total of 1 sites probed the server
80.154.35.16

----------------------
What's this? Ok, so I'm guessing he used a port scanner on me - that's what "probed" means, right? (My server is behind a router and its firewall blocks all ports except 80.)

But what the hell is "passwd$" and "/\.\./\.\./\.\./"? I tried looking in /etc/httpd/log to get more information, but it appears that the system has already deleted the logfile which might have contained entries from this date. (Yeah, I know I need to stay on top of this stuff better.) Is there another way to tell if there was a successful intrusion here?

By seeing the words "known hacks," can I assume that my HTTP daemon is already wise to the tricks that the blackhat was using, and therefore that it successfully blocked him?

Thanks in advance.

Last edited by cylarz; 08-11-2009 at 01:06 AM.
 
Old 08-11-2009, 03:36 PM   #2
rfelsburg
Someone is trying to run a well-known exploit that attempts to use a misconfigured web server: it backs out of the current directory using '../..' in an attempt to get to the root directory.

They're attempting to get a list of your users by grabbing passwd after backing up the hierarchy.

Many web servers are already configured not to allow this, but if you're worried about it, you can look into Apache's security options and mod_security.


-Rob
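As an added illustration of the check rfelsburg describes (editor-supplied example code, not from the thread, from Logwatch, or from Apache): a Python script that reads Apache combined-format access_log lines, URL-decodes each request path, matches it against the two pattern names Logwatch reported in this thread (passwd$ and /\.\./\.\./\.\./) plus URL-encoded variants of them, and groups hits by client host together with the HTTP status each request received. For the question in the first post, the status code is the useful part: a 4xx means Apache refused the request or could not find the file, while a 2xx to a traversal request is the case to inspect. The log lines in the block are constructed to resemble the thread's report and are not real traffic; the regexes are this script's own, not Logwatch's source.

```python
r"""Scan Apache access_log lines for the traversal / passwd probes that
Logwatch reports, and tell refused attempts apart from ones that got a 2xx.

Editor-added example, not code from the thread, Logwatch or Apache.  The
regexes below mirror the two Logwatch pattern names quoted in the thread
("passwd$" and "/\.\./\.\./\.\./"); the sample log lines are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Checked against the *decoded* request path, keyed by the label Logwatch used.
PROBES = {
    "passwd$": re.compile(r"passwd$"),
    "/\\.\\./\\.\\./\\.\\./": re.compile(r"/\.\./\.\./\.\./"),
}

# Constructed sample log (not real traffic); the host is the one from the thread.
SAMPLE_LOG = """\
80.154.35.16 - - [10/Aug/2009:14:02:11 -0500] "GET /cgi-bin/../../../etc/passwd HTTP/1.0" 404 288 "-" "Mozilla/4.0"
80.154.35.16 - - [10/Aug/2009:14:02:12 -0500] "GET /scripts/..%2f..%2f..%2f..%2fetc/passwd HTTP/1.0" 404 288 "-" "Mozilla/4.0"
10.0.0.5 - - [10/Aug/2009:14:05:00 -0500] "GET /images/logo.png HTTP/1.1" 200 5120 "http://example.test/" "Mozilla/5.0"
192.0.2.7 - - [10/Aug/2009:14:06:30 -0500] "GET /docs/../../../../etc/passwd HTTP/1.1" 200 1843 "-" "curl/7.19"
"""


def decode_path(path):
    """Undo up to two layers of URL-encoding so %2e%2e%2f and %252e%252e%252f read as ../"""
    prev = None
    for _ in range(2):
        prev, path = path, unquote(path)
        if path == prev:
            break
    # Some probes use backslashes (..\..\); normalise them so one regex covers both.
    return path.replace("\\", "/")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["decoded"] = decode_path(entry["path"])
    return entry


def classify(entry):
    """Return the probe labels the decoded path matches (empty list if clean)."""
    return [name for name, rx in PROBES.items() if rx.search(entry["decoded"])]


def scan(lines):
    """Group matching requests by client host; mark 2xx responses as needing review."""
    report = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        hits = classify(entry)
        if not hits:
            continue
        report[entry["host"]].append({
            "path": entry["path"],
            "status": entry["status"],
            "probes": hits,
            # 4xx: Apache refused or did not find the file.  2xx: something was
            # served for a traversal request, so the response must be inspected.
            "needs_review": 200 <= entry["status"] < 300,
        })
    return dict(report)


if __name__ == "__main__":
    for host, hits in scan(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {len(hits)} probe(s)")
        for h in hits:
            flag = "REVIEW" if h["needs_review"] else "refused"
            print(f"  {h['status']} {flag:8} {h['path']}  [{', '.join(h['probes'])}]")
```

To use it on a real system, feed it the current and rotated access logs rather than the sample (on the RHEL/CentOS httpd package these live under /var/log/httpd/, with /etc/httpd/logs being a symlink to that directory), and look first at any host whose hits carry "REVIEW".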
 
  

