On 21/12/12 10:09, Chris Green wrote:
I am getting this in logwatch every day:-
A total of 1 sites probed the server 178.63.53.21
A total of 1 possible successful probes were detected (the following URLs contain strings that match one or more of a listing of strings that indicate a possible exploit):
null HTTP Response 200
Any ideas as to what that "... probed the server" bit means? (I know the "Requests with error response codes" bit is unimportant).
178.63.53.21 is io.iwmnetwork.com which doesn't seem to be anything/anyone particularly nasty though of course it could be spoofed or used maliciously.
As I understand it (I could be wrong!)
OK. Logwatch looks at various log files on your system and looks for things it thinks are important. Logwatch has found something in your webserver log that it thinks is important. Your webserver thinks it's important too - it suspects someone is maliciously probing your website. I would look at your webserver log (and/or access.log) and see if anyone is trying to probe/hack it. If it's due to a malicious URL, try that URL yourself and see if you can get any access (see an example of someone trying to work out what's going on in this thread https://www.centos.org/modules/newbb/viewtopic.php?topic_id=34823 ) If there is evidence (or perhaps even if there isn't), I'd consider if there is anything you can or should do to tighten up your system's defences.
This thread mentions apache security tips and modsecurity.org for checking intrusion detection. It might be worth a look. http://nixcraft.com/linux-software/179-logwatch-httpd.html
This thread http://www.linuxformat.com/forums/viewtopic.php?p=89596 mentions using fail2ban to block repeated malicious website access attempts. It might be worth a look too.
Good luck! Steve
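As an added example (not code from the thread), one way to do the check Steve suggests: scan access.log for requests from the reported IP whose URLs contain probe-like strings, and flag those answered with HTTP 200, which is what logwatch reports as a "possible successful probe". The log lines and the pattern list are constructed for this example.

```python
import re
from typing import NamedTuple

# Constructed sample access.log lines in Apache "combined" format (not from the original thread).
SAMPLE_LOG = """\
178.63.53.21 - - [21/Dec/2012:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
178.63.53.21 - - [21/Dec/2012:10:01:05 +0000] "GET /cgi-bin/view.cgi?file=../../etc/passwd HTTP/1.1" 200 512 "-" "curl/7.26"
178.63.53.21 - - [21/Dec/2012:10:01:07 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "curl/7.26"
192.0.2.10 - - [21/Dec/2012:10:02:00 +0000] "GET /about.html HTTP/1.1" 200 870 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed list of strings that, like logwatch's own list, hint at a probe rather than normal browsing.
PROBE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\.\./", r"/etc/passwd", r"<script", r"union\s+select", r"phpmyadmin")]

class Probe(NamedTuple):
    ip: str
    time: str
    url: str
    status: int
    successful: bool  # answered 200, i.e. a "possible successful probe" in logwatch's wording

def find_probes(lines, source_ip=None):
    """Return probe-like requests, optionally restricted to one source IP."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or (source_ip and m["ip"] != source_ip):
            continue
        if any(p.search(m["url"]) for p in PROBE_PATTERNS):
            status = int(m["status"])
            hits.append(Probe(m["ip"], m["time"], m["url"], status, status == 200))
    return hits

def summarize(hits):
    """Counts in the same shape as the logwatch summary: sites, probes, possible successes."""
    return {"sites": len({h.ip for h in hits}), "probes": len(hits),
            "possible_successful": sum(1 for h in hits if h.successful)}

if __name__ == "__main__":
    probes = find_probes(SAMPLE_LOG.splitlines(), source_ip="178.63.53.21")
    for p in probes:
        print(f"{p.time} {p.ip} {p.url} -> {p.status}{'  <- returned 200, check this' if p.successful else ''}")
    print(summarize(probes))
```

Run it against your real log with `find_probes(open("/var/log/apache2/access.log"), "178.63.53.21")`; a 200 on a URL that should not exist is the request to look at first.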