I am getting this in logwatch every day:-
--------------------- httpd Begin ------------------------
A total of 1 sites probed the server
   178.63.53.21
A total of 1 possible successful probes were detected (the following URLs contain strings that match one or more of a listing of strings that indicate a possible exploit):
   null HTTP Response 200
Requests with error response codes
   404 Not Found
      /robots.txt: 7 Time(s)
      /urchin.js: 4 Time(s)
      /appConf.htm: 1 Time(s)
---------------------- httpd End -------------------------
Any ideas as to what that "... probed the server" bit means? (I know the "Requests with error response codes" bit is unimportant).
178.63.53.21 is io.iwmnetwork.com which doesn't seem to be anything/anyone particularly nasty though of course it could be spoofed or used maliciously.
On 21/12/12 10:09, Chris Green wrote:
> I am getting this in logwatch every day:-
> [] A total of 1 sites probed the server 178.63.53.21
> A total of 1 possible successful probes were detected (the following URLs contain strings that match one or more of a listing of strings that indicate a possible exploit):
> null HTTP Response 200
> []
> Any ideas as to what that "... probed the server" bit means? (I know the "Requests with error response codes" bit is unimportant).
> 178.63.53.21 is io.iwmnetwork.com which doesn't seem to be anything/anyone particularly nasty though of course it could be spoofed or used maliciously.
As I understand it (I could be wrong!)
OK. Logwatch looks at various log files on your system and looks for things it thinks are important. Logwatch has found something in your webserver log that it thinks is important. Your webserver thinks it's important too - it suspects someone is maliciously probing your website. I would look at your webserver log (and/or access.log) and see if anyone is trying to probe/hack it. If it's due to a malicious URL, try that URL yourself and see if you can get any access (see an example of someone trying to work out what's going on in this thread https://www.centos.org/modules/newbb/viewtopic.php?topic_id=34823 ) If there is evidence (or perhaps even if there isn't), I'd consider if there is anything you can or should do to tighten up your system's defences.
This thread mentions apache security tips and modsecurity.org for checking intrusion detection. It might be worth a look. http://nixcraft.com/linux-software/179-logwatch-httpd.html
This thread http://www.linuxformat.com/forums/viewtopic.php?p=89596 mentions using fail2ban to block repeated malicious website access attempts. It might be worth a look too.
Good luck! Steve
On Fri, Dec 21, 2012 at 10:49:52AM +0000, steve-ALUG@hst.me.uk wrote:
> On 21/12/12 10:09, Chris Green wrote:
> > I am getting this in logwatch every day:-
> > [] A total of 1 sites probed the server 178.63.53.21
> > A total of 1 possible successful probes were detected (the following URLs contain strings that match one or more of a listing of strings that indicate a possible exploit):
> > null HTTP Response 200
> > []
> > Any ideas as to what that "... probed the server" bit means? (I know the "Requests with error response codes" bit is unimportant).
> > 178.63.53.21 is io.iwmnetwork.com which doesn't seem to be anything/anyone particularly nasty though of course it could be spoofed or used maliciously.
> As I understand it (I could be wrong!)
> OK. Logwatch looks at various log files on your system and looks for things it thinks are important. Logwatch has found something in your webserver log that it thinks is important. Your webserver thinks it's important too - it suspects someone is maliciously probing your website. I would look at your webserver log (and/or access.log) and see if anyone is trying to probe/hack it.
This is the relevant entry in the apache2 access.log:-
178.63.53.21 - - [21/Dec/2012:11:36:46 +0000] "POST /svox/wp-login.php HTTP/1.1" 200 1912 "http://zbmc.eu/svox/wp-login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
There are in fact *lots* of near-identical entries, with the only difference being that they're from different IP addresses, so I don't quite understand why only one IP is reported by logwatch.
I suspect that they're attempts to hack the WordPress site at that URL; they don't seem to have succeeded: I can't see any corrupt pages. Anyway the site is a development one rather than a published one.
I guess it *could* be a buffer overflow exploit; I'll have to check that out.
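Added example, not code from the thread and not part of logwatch: a short Python script that does by hand what the earlier reply suggests, reading access.log lines in Apache's combined format and tallying POSTs to wp-login.php per client address, so the "lots of near identical entries" from different IPs show up as a per-address count rather than the single address logwatch summarised. It also reproduces the "Requests with error response codes" tally so the two views can be compared. The first sample line is the entry quoted above; the remaining lines, the RFC 5737 documentation addresses in them, and the threshold of 2 are constructed for the example.

```python
import re
from collections import Counter

# Apache "combined" log format, the layout of the access.log entry quoted in the thread.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log.  Only the first line is the entry quoted in the thread;
# the others are made up, using RFC 5737 documentation addresses to stand in for
# the "different IP addresses" the poster mentions.  The last line is deliberately
# malformed to show that unparseable input is skipped rather than trusted.
SAMPLE_LOG = """\
178.63.53.21 - - [21/Dec/2012:11:36:46 +0000] "POST /svox/wp-login.php HTTP/1.1" 200 1912 "http://zbmc.eu/svox/wp-login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.10 - - [21/Dec/2012:11:40:02 +0000] "POST /svox/wp-login.php HTTP/1.1" 200 1912 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.10 - - [21/Dec/2012:11:40:03 +0000] "POST /svox/wp-login.php HTTP/1.1" 200 1912 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.10 - - [21/Dec/2012:11:40:05 +0000] "POST /svox/wp-login.php HTTP/1.1" 200 1912 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.7 - - [21/Dec/2012:12:01:17 +0000] "GET /robots.txt HTTP/1.1" 404 289 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Dec/2012:12:01:18 +0000] "GET /urchin.js HTTP/1.1" 404 289 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Dec/2012:12:01:20 +0000] "POST /svox/wp-login.php HTTP/1.1" 200 1912 "-" "Mozilla/5.0"
this line is not in combined format and must be skipped, not crash the script
"""

# Each POST to the login page is one credential attempt, whatever the response code.
LOGIN_PATH = re.compile(r'/wp-login\.php$')


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def login_posts_by_ip(lines):
    """Count POST requests to wp-login.php per client address."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and LOGIN_PATH.search(rec["path"]):
            counts[rec["ip"]] += 1
    return counts


def error_requests(lines):
    """Mimic logwatch's "Requests with error response codes": (status, path) -> hits."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"][0] in "45":
            counts[(rec["status"], rec["path"])] += 1
    return counts


def noisy_clients(counts, threshold):
    """Addresses with more login POSTs than `threshold`, busiest first."""
    return sorted(((ip, n) for ip, n in counts.items() if n > threshold),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    per_ip = login_posts_by_ip(lines)
    print("wp-login.php POSTs per address:")
    for ip, n in per_ip.most_common():
        print(f"  {ip:<16} {n} Time(s)")
    print("Addresses over the threshold:", noisy_clients(per_ip, threshold=2))
    print("Error responses:", dict(error_requests(lines)))
```

Run it as-is to print the tally from the constructed sample; for a real log, replace `SAMPLE_LOG.splitlines()` with the lines of the file. Lines that do not match the format are dropped rather than guessed at, which matters because fields such as the User-Agent and Referer are written to the log verbatim from the client's request.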
On 21/12/12 15:32, Chris Green wrote:
> This is the relevant entry in the apache2 access.log:-
> 178.63.53.21 - - [21/Dec/2012:11:36:46 +0000] "POST /svox/wp-login.php HTTP/1.1" 200 1912 "http://zbmc.eu/svox/wp-login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> There are in fact *lots* of near-identical entries, with the only difference being that they're from different IP addresses, so I don't quite understand why only one IP is reported by logwatch.
I don't know why that would happen either, unless that address tried twice perhaps?
> I suspect that they're attempts to hack the WordPress site at that URL; they don't seem to have succeeded: I can't see any corrupt pages. Anyway the site is a development one rather than a published one.
Silly question - does it need to be accessible to the outside world if it's a development website? If not, perhaps hide it behind a firewall until it's ready?
> I guess it *could* be a buffer overflow exploit; I'll have to check that out.
Yes, and check your webserver is up-to-date with all the software updates, inc WordPress and Apache ones, and research all the things you can do to "Harden" WordPress and Apache.
Presumably you've got it all firewalled too and you've tried something like Shieldsup at grc.com to check that there are no unexpectedly open ports?
HTH Steve
On Fri, Dec 21, 2012 at 04:56:39PM +0000, steve-ALUG@hst.me.uk wrote:
> twice perhaps?
> I suspect that they're attempts to hack the WordPress site at that URL; they don't seem to have succeeded: I can't see any corrupt pages. Anyway the site is a development one rather than a published one.
> Silly question - does it need to be accessible to the outside world if it's a development website? If not, perhaps hide it behind a firewall until it's ready?
It's being developed by a couple of other people from 'outside'. I could, I suppose, limit the accessibility, but I'm not sure that it's worth the effort really.
> I guess it *could* be a buffer overflow exploit; I'll have to check that out.
> Yes, and check your webserver is up-to-date with all the software updates, inc WordPress and Apache ones, and research all the things you can do to "Harden" WordPress and Apache.
> Presumably you've got it all firewalled too and you've tried something like Shieldsup at grc.com to check that there are no unexpectedly open ports?
Yes, everything is pretty well tied down, and everything is very well backed up with care taken that a break-in won't be able to corrupt the backups as well.