LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 06-24-2018, 09:09 AM   #1
LEON71
Member
 
Registered: May 2018
Location: Canada
Distribution: Fedora 28 Workstation Edition
Posts: 45

Rep: Reputation: Disabled
Help Needed on Apache web server


I have few question regarding below message :

94.198.4.42 - - [31/May/2012:03:55:34 +0000] "GET /admin/banner_manager.php/login.php HTTP/1.1" 404 9185 "-" "Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.0.16) Gecko/2009122206 Firefox/3.0.16Flock/2.5.6"
  1. Who is accessing the site?
  2. From which country/city?
  3. What is he trying to do?
  4. Did he succeed? do you think it is a malicious or normal visit?
 
Old 06-24-2018, 10:18 AM   #2
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.4
Posts: 1,230

Rep: Reputation: 407Reputation: 407Reputation: 407Reputation: 407Reputation: 407
More homework?
 
Old 06-24-2018, 10:20 AM   #3
LEON71
Member
 
Registered: May 2018
Location: Canada
Distribution: Fedora 28 Workstation Edition
Posts: 45

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by scasey View Post
More homework?
I am actually very new in Linux

Last edited by LEON71; 06-24-2018 at 10:25 AM.
 
Old 06-24-2018, 10:24 AM   #4
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.4
Posts: 1,230

Rep: Reputation: 407Reputation: 407Reputation: 407Reputation: 407Reputation: 407
Please read the LQ rules regarding homework. Posting homework verbatim is a violation.
Were not going to do you homework for you.
 
Old 06-24-2018, 10:39 AM   #5
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Ubuntu, Devuan, OpenBSD
Posts: 3,194
Blog Entries: 3

Rep: Reputation: 1404Reputation: 1404Reputation: 1404Reputation: 1404Reputation: 1404Reputation: 1404Reputation: 1404Reputation: 1404Reputation: 1404Reputation: 1404
You might take a look at your Apache2 setup's configuration file for the LogFormat directive(s) in use and then read the manual regarding the LogFormat directive itself and follow that up with reading on custom log formats. That will explain what each field is for.
 
Old 06-24-2018, 11:43 AM   #6
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 20,269

Rep: Reputation: 4902Reputation: 4902Reputation: 4902Reputation: 4902Reputation: 4902Reputation: 4902Reputation: 4902Reputation: 4902Reputation: 4902Reputation: 4902Reputation: 4902
Quote:
Originally Posted by LEON71 View Post
I have few question regarding below message :

94.198.4.42 - - [31/May/2012:03:55:34 +0000] "GET /admin/banner_manager.php/login.php HTTP/1.1" 404 9185 "-" "Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.0.16) Gecko/2009122206 Firefox/3.0.16Flock/2.5.6"
  1. Who is accessing the site?
  2. From which country/city?
  3. What is he trying to do?
  4. Did he succeed? do you think it is a malicious or normal visit?
So:
  1. Look at the IP address and go look it up on any of the free geoip websites
  2. ..which will tell you where they THINK it's coming from, since it can be spoofed from anywhere.
  3. And by actually READING THE LINE in the file, it tells you they're trying to access the login.php page, doesn't it?
  4. You tell us; did they log in to whatever that page logs folks in to?
Being 'very new' is fine, but you should really start out by thinking about what you're asking.
 
Old 06-25-2018, 04:37 PM   #7
Habitual
LQ 5k Club
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: High Sierra
Posts: 9,058
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by LEON71 View Post
  1. Who is accessing the site?
  2. From which country/city?
  3. What is he trying to do?
  4. Did he succeed? do you think it is a malicious or normal visit?
94.198.4.42 client source IP, this one is Russia
31/May/2012:03:55:34 +0000] - UTC timestamp
"GET" - Verb
/admin/banner_manager.php/login.php HTTP/1.1" 404 9185 " - Requested URI and they failed with a 404 - Not found.
9185 - bytes sent
"Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.0.16) Gecko/2009122206 Firefox/3.0.16Flock/2.5.6"- Useragent string, usually A PACK OF LIES.

I'd lockdown that "admin": URL using either .htaccess or the site's apache conf file (preferred method)
 
Old 06-25-2018, 05:16 PM   #8
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.4
Posts: 1,230

Rep: Reputation: 407Reputation: 407Reputation: 407Reputation: 407Reputation: 407
Habitual,
Nice of you to do their homework for them

A question/comment about
Quote:
I'd lockdown that "admin": URL using either .htaccess or the site's apache conf file (preferred method)
You're presuming that
Code:
/admin/
is a legitimate path on the site. If it doesn't exist, it'd be a challenge to lock it down, and unnecessary, IMO

I get hundreds, nay thousands (2838* yesterday), of attempts to GET non-existent files on my web server daily. The requests consume bandwidth (< 50 bytes each), of course, as does the return of the 404 Not Found page (~240 bytes), but they are otherwise harmless.
Yes?

Of course, if there really were a
Code:
/admin/banner_manager.php/login.php
file, then, yes, it should somehow have access restricted...but then, of course, it wouldn't be throwing a 404 error.

*1400 (so, 1/2) of those were requests for apple-touch-icon*png files, which are, I believe sent by browsers on iPhones and iPads...I've given up worrying about them.
 
Old 06-25-2018, 08:40 PM   #9
Habitual
LQ 5k Club
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: High Sierra
Posts: 9,058
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by scasey View Post
Habitual,
Nice of you to do their homework for them

A question/comment about
You're presuming that
Code:
/admin/
is a legitimate path on the site. If it doesn't exist, it'd be a challenge to lock it down, and unnecessary, IMO
I assumed Turdpress.
But you're correct. Scanning for /admin/ is low hanging fruit.

It's not like he learned it. He won't be able to remember it when they "need to" later as a result.
404s can be ignored.

So, hear ye, hear ye,
http://httpd.apache.org/docs/current/logs.html#combined

Last edited by Habitual; 06-25-2018 at 08:41 PM.
 
1 members found this post helpful.
  


Reply

Tags
apache authentication


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Steps needed to set up a web server Apache in Ubuntu desktop papakota Linux - Networking 1 06-27-2015 06:49 PM
web server advice needed rbees Linux - Server 9 07-09-2009 04:44 PM
web file viewer for apache based web server? zerobane Linux - Server 8 03-11-2009 05:43 AM
Apache web server load balance, suggestions needed. cooljai Linux - Server 1 02-27-2008 10:10 AM
setting up password protected web forms on an apache web server AZDAVE Linux - Security 3 07-07-2004 12:03 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 10:01 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration