Re: Apache log .. potential abuse .. help me out
- From: Flash Gordon <spam@xxxxxxxxxxxxxxxxxx>
- Date: Tue, 02 May 2006 10:52:40 +0100
rajeshkodali@xxxxxxxxx wrote:
Hi,
I would like to know what these logs mean.. and are there any potential
hacking attempts .. If this is some hacking or abuse .. can anyone
tell me how to protect from these attacks....
It looks to me like you don't know how to configure Apache to be secure.
4.80.99.100 - - [23/Apr/2006:15:18:21 +0530] "GET http://proxyking.servehttp.com:8080/...e?service=Echo HTTP/1.0" 200 7454
The 200 near the end is your server saying that the request has succeeded, so if proxyking.servehttp.com is not your domain you are acting as a proxy.
GET /.eBay/ws/ HTTP/1.1
218.166.50.157 - - [25/Apr/2006:00:26:14 +0530] "GET /.ebay/ HTTP/1.0" 200 7411
218.166.49.99 - - [25/Apr/2006:00:26:15 +0530] "GET /.ebay/ HTTP/1.0" 200 7411
63.212.171.193 - - [25/Apr/2006:09:26:40 +0530] "GET /.eBay/ws/ HTTP/1.1" 200 7429
These three were again successful. This suggests to me that your machine has been hacked, a .ebay directory added, and your system is being used for phishing scams. Take it off the internet now. Before putting another server on the internet learn how to lock it down.
62.58.50.81 - - [25/Apr/2006:12:42:30 +0530] "CONNECT 205.231.29.241:25 HTTP/1.0" 200 2765
This is your system accepting a request to connect through to an SMTP (email) server somewhere else allowing you to act as a relay for sending spam. Take the server off the internet now.
62.58.50.81 - - [25/Apr/2006:12:42:33 +0530] "POST http://205.231.29.241:25/ HTTP/1.0" 200 2864
yakuza.exigo.ch - - [25/Apr/2006:16:38:17 +0530] "GET http://www.astalavista.net/v2/?cmd=proxy&act=pt HTTP/1.1" 403 453
yakuza.exigo.ch - - [25/Apr/2006:16:38:29 +0530] "GET http://www.astalavista.net/v2/?cmd=proxy&act=pt HTTP/1.1" 403 453
yakuza.exigo.ch - - [25/Apr/2006:16:39:32 +0530] "GET http://www.astalavista.net/v2/?cmd=proxy&act=pt HTTP/1.1" 403 453
yakuza.exigo.ch - - [25/Apr/2006:16:49:29 +0530] "GET http://www.astalavista.net/v2/?cmd=proxy&act=pt HTTP/1.1" 403 453
yakuza.exigo.ch - - [25/Apr/2006:16:49:36 +0530] "GET http://www.astalavista.net/v2/?cmd=proxy&act=pt HTTP/1.1" 403 453
The above with the 4xx return codes are harmless because 4xx means your server is rejecting them.
lj601394.inktomisearch.com - - [25/Apr/2006:18:27:09 +0530] "GET /robots.txt HTTP/1.0" 200 7435
lj601303.inktomisearch.com - - [25/Apr/2006:18:27:12 +0530] "GET /.eBay/ws/ HTTP/1.0" 200 7429
najya.cit-network.net - - [27/Apr/2006:00:41:48 +0530] "GET http://nntime.com/235490.htm HTTP/1.1" 200 7435
I seriously suggest that until you know how to read your logs and how to lock down the server so that people cannot abuse it you should not have a server running on the internet.
If, as it looks, you have already been hacked and have a .ebay directory in your web site then you will have to reformat the HD and rebuild the machine from known clean media.
--
Flash Gordon, living in interesting times.
Web site - http://home.flash-gordon.me.uk/
comp.lang.c posting guidelines and intro:
http://clc-wiki.net/wiki/Intro_to_clc
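
The reading applied in the reply above (absolute-URI or CONNECT requests answered with 2xx versus 4xx), as an added example that is not part of the original post: a Python triage script run over log lines copied from the thread. The function names and verdict labels are assumptions made for this illustration.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def classify(line):
    """Return (kind, verdict) for a proxy-style request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None  # not a parseable access-log line
    method, target, status = m["method"], m["target"], int(m["status"])
    if method == "CONNECT":
        kind = "connect-tunnel"      # asks the server to open a TCP tunnel
    elif re.match(r"^[a-z][a-z0-9+.-]*://", target, re.I):
        kind = "absolute-uri"        # request line names a full URL
    else:
        return None                  # ordinary request such as GET /robots.txt
    if 200 <= status < 300:
        verdict = "accepted"         # server answered with success: investigate
    elif 400 <= status < 500:
        verdict = "rejected"         # server refused the request
    else:
        verdict = "other"
    return kind, verdict

def summarize(lines):
    """Count proxy-style requests by (kind, verdict)."""
    counts = Counter()
    for line in lines:
        result = classify(line)
        if result:
            counts[result] += 1
    return counts

# Log lines taken from the thread above, with the e-mail line wrapping undone.
SAMPLE = [
    '62.58.50.81 - - [25/Apr/2006:12:42:30 +0530] "CONNECT 205.231.29.241:25 HTTP/1.0" 200 2765',
    '62.58.50.81 - - [25/Apr/2006:12:42:33 +0530] "POST http://205.231.29.241:25/ HTTP/1.0" 200 2864',
    'yakuza.exigo.ch - - [25/Apr/2006:16:38:17 +0530] "GET http://www.astalavista.net/v2/?cmd=proxy&act=pt HTTP/1.1" 403 453',
    'lj601394.inktomisearch.com - - [25/Apr/2006:18:27:09 +0530] "GET /robots.txt HTTP/1.0" 200 7435',
    'najya.cit-network.net - - [27/Apr/2006:00:41:48 +0530] "GET http://nntime.com/235490.htm HTTP/1.1" 200 7435',
]

if __name__ == "__main__":
    for (kind, verdict), n in sorted(summarize(SAMPLE).items()):
        print(f"{kind:15} {verdict:9} {n}")
```

Each "accepted" line is a lead to verify on the server, for example by comparing the logged response size with the size of the site's own pages.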