LinuxQuestions.org


linuxpyro 04-22-2004 08:45 PM

Suspicious looking Apache log entries
 
I recently checked my Apache access log, and found these lines:

67.21.84.213 - - [22/Apr/2004:19:19:55 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:19:56 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:19:57 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:00 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:01 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:03 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:04 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:06 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:08 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:09 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:11 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:13 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:15 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:17 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:19 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:20 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:22 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:23 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:25 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:26 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:29 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:31 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:32 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:35 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:36 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:38 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:39 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:41 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:51 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:21:49 -0700] "GET / HTTP/1.1" 200 747

I've seen this sort of thing in other places, too. It looks like the work of a script rather than a person. Is this some kind of break-in attempt? Anyone had this happen before? Interestingly, I did a lookup of the IP address, and found that it belonged to an ISP customer in my area.

markus1982 04-24-2004 11:20 AM

Well, from this point of view it looks like legitimate traffic (just a normal GET-REQUEST). However, for further information you probably should take a look at mod_security (www.modsecurity.org) and its logging capabilities.

linuxpyro 04-24-2004 08:11 PM

Ok, I'll check that out. It just seems odd though, as it occurs in such rapid succession.

Inexactitude 04-24-2004 11:02 PM

I get similar log entries, except it reports the operating system and browser. The operating system is always "Windows 98" and the browser is always IE 5.5. It's a little strange, but doesn't seem to have any malignant effects.

linuxpyro 04-25-2004 02:54 PM

Thanks, I guess it could just be some little quirk of Windoze or something. As long as it's not some script kiddie I really don't mind...
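
Added example, not part of the original thread: a small Python check for the pattern discussed above, one client repeating the same request in rapid succession in an Apache Common Log Format access log. The function names, the 60-second window, the threshold of 20 and the sample lines (built with documentation IP addresses) are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<req>[^"]*)" (?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return (host, timestamp, request), or None if the line is not CLF."""
    m = CLF.match(line)
    if not m:
        return None
    try:
        return m["host"], datetime.strptime(m["ts"], TS_FMT), m["req"]
    except ValueError:
        return None

def find_bursts(lines, window_s=60, threshold=20):
    """Return {host: peak count} for hosts that repeated one identical request
    at least `threshold` times within any `window_s`-second span."""
    recent = defaultdict(deque)          # (host, request) -> timestamps in window
    peak = defaultdict(int)
    for host, ts, req in filter(None, map(parse, lines)):
        q = recent[(host, req)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()                  # drop hits older than the window
        peak[host] = max(peak[host], len(q))
    return {h: n for h, n in peak.items() if n >= threshold}

def sample_lines():
    """Constructed sample: one noisy host, one quiet host, one broken line."""
    t0 = datetime(2004, 4, 22, 19, 19, 55, tzinfo=timezone(timedelta(hours=-7)))
    row = '{} - - [{}] "GET / HTTP/1.0" 200 747'
    noisy = [row.format("192.0.2.10", (t0 + timedelta(seconds=2 * i)).strftime(TS_FMT))
             for i in range(25)]
    quiet = [row.format("198.51.100.7", (t0 + timedelta(seconds=30 * i)).strftime(TS_FMT))
             for i in range(3)]
    return noisy + quiet + ["truncated line with no timestamp"]

if __name__ == "__main__":
    for host, n in find_bursts(sample_lines()).items():
        print(f"{host}: {n} identical requests inside 60 s")
```

A hit from this check only marks a host for a closer look; the count says how often the request repeated, not why.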


All times are GMT -5.