Re: LogWatch

From: Gene Heskett (gene.heskett_at_verizon.net)
Date: 07/21/04

  • Next message: Timothy Payne: "Can't find kdeinit"
    To: fedora-list@redhat.com
    Date: Wed, 21 Jul 2004 09:10:26 -0400
    
    

    On Wednesday 21 July 2004 05:23, John Morrison wrote:
    >Hi,
    >Looking at the root user mail I noticed the following appears
    > frequently in the logfiles:
    >
    > --------------------- httpd Begin ------------------------
    >
    >A total of 2 sites probed the server
    > 81.51.104.14
    > 81.10.211.182
    >
    >A total of 2 unidentified 'other' records logged
    > GET /sumthin HTTP/1.0 with response code(s) 404
    > SEARCH
    >/\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
    >1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
    >2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
    >1\x02\xb1\x02\xb1\x02\xb1\x
    >
    >The 'SEARCH' line goes on and on for pages (only shown a portion of
    > it for brevity). I have never seen this before and would like to
    > know what is happening and should I block the sites that the probe
    > comes from. The web server is only for my personal development.
    >
    >Cheers,
    >
    >John
    >--

    Someone is trying a known-to-work buffer overflow attack on your
    machine. I'd highly recommend getting both tcpwrapper and iptables
    going, possibly even with portsentry to do an automatic rule
    installation on the detection of a scan.

    I'd also get, install and run the latest 'chkrootkit'. It's designed
    to recognize the signatures of most of the rootkits extant.

    As always, Google is your friend.

    -- 
    Cheers, Gene
    There are 4 boxes to be used in defense of liberty. 
    Soap, ballot, jury, and ammo.
    Please use in that order, starting now.  -Ed Howdershelt, Author
    Additions to this message made by Gene Heskett are Copyright 2004, 
    Maurice E. Heskett, all rights reserved.
    -- 
    fedora-list mailing list
    fedora-list@redhat.com
    To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
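
A defensive log check for the kind of request in the quoted logwatch report, as an added example that is not part of the original thread: it scans Apache access-log lines for requests whose URI is oversized or packed with `\xNN`-escaped bytes and groups them by client. The thresholds, the sample log lines and the addresses in them are constructed assumptions.

```python
import re
from collections import defaultdict

# Apache common/combined log format: host ident user [time] "request" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(.*)" (\d{3}) (\S+)')
ESCAPED_BYTE = re.compile(r'\\x[0-9a-fA-F]{2}')  # Apache logs non-printable bytes as \xNN

MAX_URI_LEN = 2048       # assumed threshold, measured on the escaped log text
MAX_ESCAPED_BYTES = 32   # assumed threshold for binary content in a URI

def classify(request):
    """Return the reasons a logged request line looks like an overflow probe."""
    method, _, rest = request.partition(" ")
    uri = rest.rsplit(" HTTP/", 1)[0]  # protocol may be missing on truncated requests
    reasons = []
    if method == "SEARCH":
        reasons.append("webdav-search-method")
    if len(uri) > MAX_URI_LEN:
        reasons.append("oversized-uri")
    if len(ESCAPED_BYTE.findall(uri)) > MAX_ESCAPED_BYTES:
        reasons.append("binary-payload-in-uri")
    return reasons

def scan(lines):
    """Map client address -> sorted reasons, for clients with a flagged request."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line
        reasons = classify(m.group(2))
        # A plain SEARCH can be legitimate WebDAV; require size or binary evidence.
        if "oversized-uri" in reasons or "binary-payload-in-uri" in reasons:
            hits[m.group(1)].update(reasons)
    return {host: sorted(r) for host, r in hits.items()}

# Constructed sample: documentation addresses, and a stand-in for the quoted SEARCH URI.
PAYLOAD = "/\\x90" + "\\x02\\xb1" * 2000
SAMPLE = [
    '192.0.2.10 - - [21/Jul/2004:05:01:02 -0400] "GET /sumthin HTTP/1.0" 404 284',
    '192.0.2.10 - - [21/Jul/2004:05:01:03 -0400] "SEARCH %s" 414 340' % PAYLOAD,
    '198.51.100.7 - - [21/Jul/2004:06:00:00 -0400] "GET /index.html HTTP/1.0" 200 1024',
    '198.51.100.8 - - [21/Jul/2004:06:10:00 -0400] "SEARCH /docs/ HTTP/1.1" 405 300',
]

if __name__ == "__main__":
    for host, reasons in scan(SAMPLE).items():
        print(host, ", ".join(reasons))
```

The flagged addresses can feed whatever blocking mechanism is in place, such as the iptables rules mentioned in the reply.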
    
