Old 07-18-2008, 04:30 PM
"Brent L. Bates"
 
semi OT: logwatch results

We've been seeing the same type of entries in our Web server logs for at
least a couple months now and not just a few entries. It isn't just
`azenv.php', but references to other PHP files that do not exist on our
systems. They've hit some of our servers so hard I figured it must be some
kind of attempt to break in or a weird kind of DOS attack.

--

Brent L. Bates (UNIX Sys. Admin.)
M.S. 912 Phone: (757) 865-1400, x204
NASA Langley Research Center FAX: (757) 865-8177
Hampton, Virginia 23681-0001
Email: B.L.BATES@larc.nasa.gov http://www.vigyan.com/~blbates/

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 07-19-2008, 01:45 AM
"Marcelo Roccasalva"
 
semi OT: logwatch results

On Fri, Jul 18, 2008 at 1:13 PM, Robert - elists <lists07@abbacomm.net> wrote:
> Semi Off Topic
>
> My searching hasn't found what I consider superior info, and we are
> wondering from others' experience on this list...
>
> In the logwatch results we all see the info below on almost a daily basis
>
> I have taken the liberty of combining logwatch results from centos 4 and 5
> machines for extra info and future searchability
>
> -----
> Centos 4
> -----
>
> --------------------- httpd Begin ------------------------
>
> GET http://scifi.pages.at/myproxies/azenv.php HTTP/1.1 with response code(s)
> 404 1 responses

This means someone is trying to use your web server as an open proxy.
The good news is that you have it configured the right way and you
give a 404 response (page does not exist).


--
Marcelo

"Could it be that this modern life has more of 'modern' in it than of
'life'?" (Mafalda)
 
Old 07-19-2008, 02:56 AM
John Thomas
 
semi OT: logwatch results

Robert - elists wrote:
> GET http://scifi.pages.at/myproxies/azenv.php HTTP/1.1 with response code(s)
> 404 1 responses


I installed fail2ban from rpmforge and created a filter that bans these
types of things.


Here is my novice attempt at the failregex =
<HOST> - - \[.*\] "GET .*(azenv\.php|adxmlrpc\.php|xmlrpc\.php).*"

--
Sincerely,
John Thomas
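
The two signals discussed in the replies above (an absolute-URI request for a host the server does not serve, and the script names in the filter), as an added example that is not part of the original thread. The function names, `OUR_HOSTS` and the sample log lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Apache common/combined log: client ident user [time] "METHOD target PROTO" status
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
# Absolute-form request target (scheme://authority/...), as a proxy client sends it.
ABSOLUTE_URI = re.compile(r'^[a-z][a-z0-9+.-]*://(?P<authority>[^/?#]+)', re.I)
# Script names from the failregex in the thread, matched as the last path segment.
PROBE_SCRIPT = re.compile(r'/(?:azenv|adxmlrpc|xmlrpc)\.php(?:\?|$)')
OUR_HOSTS = {"www.example.org"}  # assumption: names this server legitimately answers for

def classify(line, our_hosts=OUR_HOSTS):
    """Return (client, reasons, status) for a suspicious line, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    reasons = []
    absolute = ABSOLUTE_URI.match(m["target"])
    if absolute:
        # Drop any userinfo and port before comparing the host name.
        name = absolute["authority"].rsplit("@", 1)[-1].split(":")[0].lower()
        if name not in our_hosts:
            reasons.append("foreign-absolute-uri")
    if PROBE_SCRIPT.search(m["target"]):
        reasons.append("probe-script")
    return (m["client"], reasons, int(m["status"])) if reasons else None

def summarize(lines):
    """Group reasons per client; list hits that were not answered with 4xx/5xx."""
    per_client, needs_review = defaultdict(set), []
    for line in lines:
        hit = classify(line)
        if hit:
            client, reasons, status = hit
            per_client[client].update(reasons)
            if status < 400:
                needs_review.append((client, status))
    return dict(per_client), needs_review

# Constructed sample lines (documentation address ranges), not taken from the thread.
SAMPLE = [
    '192.0.2.10 - - [18/Jul/2008:04:30:01 +0000] "GET http://scifi.pages.at/myproxies/azenv.php HTTP/1.1" 404 291',
    '198.51.100.7 - - [18/Jul/2008:04:31:12 +0000] "GET /adxmlrpc.php HTTP/1.0" 404 288',
    '203.0.113.5 - - [18/Jul/2008:04:32:40 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '192.0.2.44 - - [18/Jul/2008:04:33:02 +0000] "GET http://proxy-check.example/ HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Entries in the second returned list are the ones to look at by hand, since a non-error status on a foreign absolute URI means the server answered the request with something other than a refusal.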