- 02-22-2006 #1 Just Joined!
- Join Date: Feb 2006
- Posts: 1
Apache hacker?
Hello all...
On a SuSE box and trolling the mail logs of Apache 2. One of our biggest hits is something that perplexes me:
24.46.54.144 - - [14/Feb/2006:12:28:59 -0500] "GET http://5=www.mydomain.net/guestbook/...over/index.php HTTP/1.0" 404 4155 "-" "akp niqfhmf0bjd opgf mddpeayotavpaotq"
24.46.54.144 - - [14/Feb/2006:12:28:59 -0500] "GET http://5=www.mydomain.net/guestbook/...ches/index.php HTTP/1.0" 200 9259 "-" "yoyhMdgsytimtdyqfhlsspfqss"
24.46.54.144 - - [14/Feb/2006:12:28:59 -0500] "GET http://5=www.mydomain.net/guestbook/...live/index.php HTTP/1.0" 200 10075 "-" "qpsf4lbuetpy4xtxsxbixfuOiofg"
24.46.54.144 - - [14/Feb/2006:12:29:00 -0500] "GET http://5=www.mydomain.net/guestbook/...../-/index.php HTTP/1.0" 404 4155 "-" "xqlsut7hrmihpbw uesoawvpfmm"
What exactly is this IP trying to do? It hasn't reappeared since the 14th, but I would like to at least know what's going on. As you can see, the path it's trying changes constantly, as well as the referrer, which is gibberish. Anyone ever seen this?
- 02-23-2006 #2 Linux User
- Join Date: Apr 2005
- Location: Ohio
- Posts: 326
It's probably a script or worm looking for a php page it can exploit...
for instance..
http://www.theregister.co.uk/2006/02/20/linux_worm/
far...out
- 03-24-2006 #3 Just Joined!
- Join Date: Mar 2006
- Posts: 16
Can you help me please?
Hi, when I saw your post I was very interested in what's happening. I don't understand where you saw the messages, whether in log files. I don't have any problem currently, but I was interested to know so that I can check it out, since we have a web server and I have to maintain its security.
Please help me and even post what you did to come out of it.
- 03-24-2006 #4
@kiran ky: I don't understand what you are asking but ...
To check your errorlog try (as root):
Code:
httpd2 -V
This shows you where the errorlog is located. Also I think ejdbroker was posting bits from the accesslog.
On my machine the errorlog and accesslog are in the same folder: /var/log/apache2/
@kiran ky: can you put your distribution in your profile (in this forum) so we can see what you are using, thanks
Now what? You have Linux installed and running. The GUI is working fine, but you are getting tired of changing your desktop themes. You keep seeing this "terminal" thing. Don't worry, they'll show you what to do @
<~ http://www.linuxcommand.org/ ~>
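An added example, not part of any post in this thread: a small Python triage script for the access-log pattern in the first post, assuming Apache's combined log format (the last quoted field is the User-Agent, the one before it the Referer). The sample lines, IPs and example.net host are constructed, and the function names and the `min_agents` threshold are illustrative choices.

```python
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (documentation IPs, example.net), shaped like the thread's entries.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Feb/2006:12:28:59 -0500] "GET http://www.example.net/guestbook/a/index.php HTTP/1.0" 404 4155 "-" "akp niqfhmf0bjd"
192.0.2.10 - - [14/Feb/2006:12:28:59 -0500] "GET http://www.example.net/guestbook/b/index.php HTTP/1.0" 200 9259 "-" "yoyhMdgsytim"
192.0.2.10 - - [14/Feb/2006:12:29:00 -0500] "GET http://www.example.net/guestbook/c/index.php HTTP/1.0" 404 4155 "-" "xqlsut7hrmih"
198.51.100.7 - - [14/Feb/2006:12:30:11 -0500] "GET /guestbook/index.php HTTP/1.1" 200 9259 "http://www.example.net/" "Mozilla/5.0 (X11; Linux i686)"
198.51.100.7 - - [14/Feb/2006:12:30:15 -0500] "GET /guestbook/style.css HTTP/1.1" 200 812 "http://www.example.net/guestbook/index.php" "Mozilla/5.0 (X11; Linux i686)"
"""

def summarize(log_text):
    """Group parsed entries by client IP and collect the signals seen in the thread."""
    clients = defaultdict(lambda: {"requests": 0, "absolute_uri": 0,
                                   "agents": set(), "answered_200": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        c = clients[m["ip"]]
        c["requests"] += 1
        c["agents"].add(m["agent"])
        # A browser talking to an origin server sends a path ("/x"), not a full URL.
        if re.match(r"(?i)https?://", m["target"]):
            c["absolute_uri"] += 1
        if m["status"] == "200":
            c["answered_200"].append(m["target"])
    return dict(clients)

def flag_scanners(log_text, min_agents=3):
    """Return clients that sent full-URL requests under at least min_agents User-Agents."""
    return {ip: c for ip, c in summarize(log_text).items()
            if c["absolute_uri"] and len(c["agents"]) >= min_agents}

if __name__ == "__main__":
    for ip, c in flag_scanners(SAMPLE_LOG).items():
        print(ip, "requests:", c["requests"], "distinct agents:", len(c["agents"]))
        for url in c["answered_200"]:
            print("  returned 200, review this script:", url)
```

The entries worth following up first are the probes that returned 200, since those paths exist on the server.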


