Find the answer to your Linux question:
Results 1 to 4 of 4
Hi I set up an server some time ago just for learning and sharing some vacation pictures with friends. I started reading the access_log-files just now and there is something ...
  1. 09-02-2007 #1
    djap
    djap is offline
    Just Joined! djap's Avatar
    Join Date
    Jul 2005
    Location
    Not so sure anymore...
    Posts
    97

    seeing some strange reguests in apache's "access_log" file



    Hi

    I set up an server some time ago just for learning and sharing some vacation pictures with friends. I started reading the access_log-files just now and there is something that concerns me a little. When some one views the pictures I will get an entry something like
    Code:
    xxx.xxx.xxx.xxx - - [02/Sep/2007:00:32:43 +0300] "GET /shang_hai/thumbs/ssl23362.jpeg HTTP/1.0" 200 47453
    in the file. I understand the first part being the IP where the request came from, second the time when it came then the request, after request server's response and I haven't figured out that last number yet...

    but recently I've started seeing entries like
    Code:
    xxx.xxx.xxx.xxx - - [02/Sep/2007:08:27:10 +0300] "^\x1b\x8d\xeaE\x89\x05iY\x92\x88\xbe\xad\xde\xfaY\xbc\xff\xd6g]\xbc\xa6\x9dc/\xef\x8c\x9f\xfc\xf1^\xcf/6\xdd\xe1\xf5\xc4\xd0\x9e\xf1\x96\xfaV" 501 -
    from IP-addresses that are not any of my friends for sure.
    Should I be conserned about this?
    Reply With Quote Reply With Quote
  2. 09-02-2007 #2
    likwid
    likwid is offline
    Linux Enthusiast likwid's Avatar
    Join Date
    Dec 2006
    Location
    MA
    Posts
    649
    lol, it's late, and for some reason that made me laugh. Basically, that's shellcode. It's an indication that someone is trying to exploit your webserver. I would make sure your system is all up to date then maybe add the ip/hostname to hosts.deny.
    Reply With Quote Reply With Quote
  3. 09-03-2007 #3
    djap
    djap is offline
    Just Joined! djap's Avatar
    Join Date
    Jul 2005
    Location
    Not so sure anymore...
    Posts
    97
    Quote Originally Posted by likwid View Post
    lol, it's late, and for some reason that made me laugh. Basically, that's shellcode. It's an indication that someone is trying to exploit your webserver. I would make sure your system is all up to date then maybe add the ip/hostname to hosts.deny.
    Hey thanks

    That's what I was suspecting. I suppose adding anything to hosts.deny wouldn't do too much since all these seem to come from different IPs from different ISPs, even different countries... I got 11 new IP's last night alone.
    So all I can do is just keep everything up to date and observe?

    My server gets 10 times more exploit attempts than usual visitors
    Reply With Quote Reply With Quote
  4. 09-03-2007 #4
    likwid
    likwid is offline
    Linux Enthusiast likwid's Avatar
    Join Date
    Dec 2006
    Location
    MA
    Posts
    649
    There's a service that can automatically add hosts to hosts.deny or iptables based on certain criteria, I forget what it's called, but it might be worth looking into.
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules