On Fri, Dec 21, 2012 at 10:49:52AM +0000, steve-ALUG@hst.me.uk wrote:
On 21/12/12 10:09, Chris Green wrote:
I am getting this in logwatch every day:-
[] A total of 1 sites probed the server 178.63.53.21
A total of 1 possible successful probes were detected (the following URLs contain strings that match one or more of a listing of strings that indicate a possible exploit):
null HTTP Response 200
[]
Any ideas as to what that "... probed the server" bit means? (I know the "Requests with error response codes" bit is unimportant).
178.63.53.21 is io.iwmnetwork.com which doesn't seem to be anything/anyone particularly nasty though of course it could be spoofed or used maliciously.
As I understand it (I could be wrong!)
OK. Logwatch looks at various log files on your system and looks for things it thinks are important. Logwatch has found something in your webserver log that it thinks is important. Your webserver thinks it's important too - it suspects someone is maliciously probing your website. I would look at your webserver log (and/or access.log) and see if anyone is trying to probe/hack it.
This is the relevant entry in the apache2 access.log:-
178.63.53.21 - - [21/Dec/2012:11:36:46 +0000] "POST /svox/wp-login.php HTTP/1.1" 200 1912 "http://zbmc.eu/svox/wp-login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
There are in fact *lots* of near identical entries with the only difference being that they're from different IP addresses, so I don't quite understand why only one IP is reported by logwatch.
I suspect that they're attempts to hack the WordPress site at that URL; they don't seem to have succeeded, I can't see any corrupt pages. Anyway the site is a development one rather than a published one.
I guess it *could* be a buffer overflow exploit, I'll have to check that out.
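As an added illustration (not part of the thread), here is a small Python script that parses Apache combined-format access.log lines like the one quoted above and counts POSTs to wp-login.php per client IP, which is the pattern of a password-guessing run against a WordPress login; the sample lines are constructed, and only the first IP comes from the thread.

```python
import re
from collections import Counter

# Apache combined log format, the format of the access.log entry quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def login_posts_by_ip(lines, path_suffix="/wp-login.php"):
    """Count POST requests to wp-login.php per client IP across the given log lines.
    The status code is deliberately ignored: a wp-login POST answered with 200 is
    usually the login form being re-served after wrong credentials, so 200 alone
    says nothing about whether the login succeeded."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith(path_suffix):
            counts[rec["ip"]] += 1
    return counts

def suspicious_ips(lines, threshold=3):
    """IPs with at least `threshold` login POSTs, most active first."""
    return [ip for ip, n in login_posts_by_ip(lines).most_common() if n >= threshold]

# Constructed sample lines modelled on the entry in the thread; 203.0.113.5 and
# 198.51.100.7 are documentation addresses, not real clients.
SAMPLE_LOG = """\
178.63.53.21 - - [21/Dec/2012:11:36:46 +0000] "POST /svox/wp-login.php HTTP/1.1" 200 1912 "http://zbmc.eu/svox/wp-login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.5 - - [21/Dec/2012:11:37:01 +0000] "POST /svox/wp-login.php HTTP/1.1" 200 1912 "http://zbmc.eu/svox/wp-login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.5 - - [21/Dec/2012:11:37:02 +0000] "POST /svox/wp-login.php HTTP/1.1" 200 1912 "http://zbmc.eu/svox/wp-login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.5 - - [21/Dec/2012:11:37:03 +0000] "POST /svox/wp-login.php HTTP/1.1" 200 1912 "http://zbmc.eu/svox/wp-login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.7 - - [21/Dec/2012:11:40:00 +0000] "GET /svox/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, n in login_posts_by_ip(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} POST(s) to wp-login.php")
```

Run it against a real access.log with `login_posts_by_ip(open("/var/log/apache2/access.log"))` to see every probing IP rather than the single one logwatch summarised.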