  1. #1
    Join Date: Nov 2009
    Posts: 1

    Has my webserver been compromised?


    Hi,

    I'm running a small ecommerce webserver on Debian Linux. I'm constantly watching the Apache logs using a command like:
    tail -f /var/log/apache/*.log | grep --line-buffered -v "[myip]"

    (the grep is so I don't see myself navigating on the server).

    I just saw something very disturbing in the log:

    75.101.250.129 - - [10/Nov/2009:16:26:35 +0100] "GET /robots.txt HTTP/1.0" 301 273 "-" "taptubot [FILE LIST OF MY /home/admin] please read [some url i can't post because i'm new] ***"
    75.101.250.129 - - [10/Nov/2009:16:26:35 +0100] "GET /robots.txt HTTP/1.0" 200 296 "-" "taptubot [FILE LIST OF MY /home/admin] please read [some url i can't post because i'm new] ***"


    In my tail output, the [FILE LIST OF MY /home/admin] I printed here was a complete 'ls' of my /home/admin directory!
    I should add that the webserver root is somewhere else, in another /home subdirectory.

    There is something even stranger. The [FILE LIST] only appears in the tail output on my terminal. I tried a
    grep "75.101.250.129" /var/log/apache2/access.log
    And here is what was recorded in the log:

    /var/log/apache2/access.log:75.101.250.129 - - [10/Nov/2009:16:26:35 +0100] "GET /robots.txt HTTP/1.0" 301 273 "-" "taptubot *** please read [some url i can't post because i'm new] ***"
    /var/log/apache2/access.log:75.101.250.129 - - [10/Nov/2009:16:26:35 +0100] "GET /robots.txt HTTP/1.0" 200 296 "-" "taptubot *** please read [some url i can't post because i'm new] ***"


    How is it possible that the lines differ? How could the attacker print the file list of another subdirectory? Can the attacker have had access to anything on my server?

    I'm really worried...

    Thanks,
    Strelok

  2. #2
    RobinVossen (Linux Engineer)
    Join Date: Aug 2007
    Location: The Netherlands
    Posts: 1,429
    The taptubot is a web crawler for taptu.com.
    The 301 and the 200 are HTTP "error" codes.
    From Pedia:
    200 OK
    Standard response for successful HTTP requests. The actual response will depend on the request method used. In a GET request, the response will contain an entity corresponding to the requested resource. In a POST request the response will contain an entity describing or containing the result of the action.[2]
    301 Moved Permanently
    This and all future requests should be directed to the given URI.[2]
    If that bot can search through your home folder, you should get a source code/server audit. And QUICKLY remove the IP of your server from the forums before somebody messes about with it.

    I am happy to help you with this. Contact me on my email (robin [@] codeinject.org)

    Cheers,
    Robin
