  1. #1
    djap (Just Joined!) | Join Date: Jul 2005 | Location: Beijing | Posts: 99

    seeing some strange requests in apache's "access_log" file


    Hi

    I set up a server some time ago just for learning and sharing some vacation pictures with friends. I started reading the access_log-files just now and there is something that concerns me a little. When someone views the pictures I will get an entry something like
    Code:
    xxx.xxx.xxx.xxx - - [02/Sep/2007:00:32:43 +0300] "GET /shang_hai/thumbs/ssl23362.jpeg HTTP/1.0" 200 47453
    in the file. I understand the first part being the IP where the request came from, second the time when it came then the request, after request server's response and I haven't figured out that last number yet...

    but recently I've started seeing entries like
    Code:
    xxx.xxx.xxx.xxx - - [02/Sep/2007:08:27:10 +0300] "^\x1b\x8d\xeaE\x89\x05iY\x92\x88\xbe\xad\xde\xfaY\xbc\xff\xd6g]\xbc\xa6\x9dc/\xef\x8c\x9f\xfc\xf1^\xcf/6\xdd\xe1\xf5\xc4\xd0\x9e\xf1\x96\xfaV" 501 -
    from IP-addresses that are not any of my friends for sure.
    Should I be concerned about this?

  2. #2
    likwid (Linux Enthusiast) | Join Date: Dec 2006 | Location: MA | Posts: 649
    lol, it's late, and for some reason that made me laugh. Basically, that's shellcode. It's an indication that someone is trying to exploit your webserver. I would make sure your system is all up to date then maybe add the ip/hostname to hosts.deny.

  3. #3
    djap (Just Joined!) | Join Date: Jul 2005 | Location: Beijing | Posts: 99
    Quote: Originally Posted by likwid
    lol, it's late, and for some reason that made me laugh. Basically, that's shellcode. It's an indication that someone is trying to exploit your webserver. I would make sure your system is all up to date then maybe add the ip/hostname to hosts.deny.
    Hey thanks

    That's what I was suspecting. I suppose adding anything to hosts.deny wouldn't do too much since all these seem to come from different IPs from different ISPs, even different countries... I got 11 new IPs last night alone.
    So all I can do is just keep everything up to date and observe?

    My server gets 10 times more exploit attempts than usual visitors

  4. #4
    likwid (Linux Enthusiast) | Join Date: Dec 2006 | Location: MA | Posts: 649
    There's a service that can automatically add hosts to hosts.deny or iptables based on certain criteria, I forget what it's called, but it might be worth looking into.
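
A small triage script for the kind of entries discussed in this thread, added here as an example (not code from any poster): it parses Apache Common Log Format lines, where the final field is the response size in bytes or "-" when no body was sent, and counts requests whose request line is not a well-formed HTTP request, per source address. The sample log lines and addresses are constructed, and the function names are this example's own.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>.*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
# Well-formed request line: METHOD SP target SP HTTP/x.y
REQUEST_LINE = re.compile(r'^[A-Z]+ \S+ HTTP/\d\.\d$')

# Constructed sample (documentation addresses); raw bytes appear as \xhh.
SAMPLE_LOG = r'''
192.0.2.10 - - [02/Sep/2007:00:32:43 +0300] "GET /shang_hai/thumbs/ssl23362.jpeg HTTP/1.0" 200 47453
198.51.100.7 - - [02/Sep/2007:08:27:10 +0300] "^\x1b\x8d\xeaE\x89\x05iY" 501 -
203.0.113.5 - - [02/Sep/2007:08:31:02 +0300] "\xbc\xff\xd6g]\xbc\xa6\x9dc/\xef" 501 -
198.51.100.7 - - [02/Sep/2007:08:40:55 +0300] "\x9e\xf1\x96\xfaV" 501 -
192.0.2.10 - - [02/Sep/2007:09:01:12 +0300] "GET /index.html HTTP/1.1" 200 1024
'''

def parse(line):
    """Return a dict for one log line, or None if it is not CLF."""
    m = CLF.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])  # "-" = no body sent
    rec["malformed"] = REQUEST_LINE.match(rec["request"]) is None
    return rec

def summarize(log_text):
    """Count well-formed vs. malformed requests and malformed hits per host."""
    normal, unparsed, per_host = 0, 0, Counter()
    for line in filter(None, map(str.strip, log_text.splitlines())):
        rec = parse(line)
        if rec is None:
            unparsed += 1
        elif rec["malformed"]:
            per_host[rec["host"]] += 1
        else:
            normal += 1
    return {"normal": normal, "malformed": sum(per_host.values()),
            "sources": dict(per_host), "unparsed": unparsed}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

To run it against a real log, pass the file's contents to `summarize()` instead of `SAMPLE_LOG`.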
