Suspicious Apache LOGS -- Intrusion Detected?

Discussion in 'Apache' started by jacek5, Jun 27, 2008.

  1. #1
    Hi, I have very strange logs in Apache. They look like redirections or connections to other web sites.

    82.201.222.73 - - [23/Jun/2008:23:26:20 +0100] "OPTIONS * HTTP/1.1" 400 306
    84.13.131.206 - - [22/Jun/2008:23:18:59 +0100] "\xd8Y[\x8b\x19\xc0j\x1dmL\xaa\xb0\x17\xd8\xfb\x03\xc4\xda\xa1\x800s\x8f\xf2y\xc7\x89\xebr\xa6n\xbb\x19\x90\x98\x8a\x042_\xf1\x87\x87M-\xbc\x1a\x03\x1c\x9a;\xe1" 400 306
    210.51.23.7 - - [23/Jun/2008:04:13:00 +0100] "GET http://www.cooleasy.com/cgi-bin/prxjdg.cgi HTTP/1.0" 400 307 ---this is not my web site

    and this is the most suspicious to me:

    193.138.204.127 - - [19/Jun/2008:02:22:31 +0100] "GET /phpmyadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:31 +0100] "GET /phpMyAdmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:31 +0100] "GET /xampp/phpmyadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:31 +0100] "GET /mysqladmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:31 +0100] "GET /php-my-admin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:31 +0100] "GET /admin/phpMyAdmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:31 +0100] "GET /myadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:31 +0100] "GET /sqladmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:31 +0100] "GET /beheer/php/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:31 +0100] "GET /beheer/phpadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:32 +0100] "GET /beheer/phpmyadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:32 +0100] "GET /joomla/phpmyadminmain.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:32 +0100] "GET /apps/phpmyadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:32 +0100] "GET /beheertools/phpmyadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:32 +0100] "GET /tools/pma/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:32 +0100] "GET /tools/phpmyadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:32 +0100] "GET /staff/pma/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:32 +0100] "GET /staff/phpmyadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:32 +0100] "GET /test/phpmyadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:32 +0100] "GET /setup/phpmyadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:32 +0100] "GET /setup/pma/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:33 +0100] "GET /uni/phpmyadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:33 +0100] "GET /3rdparty/phpmyadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:33 +0100] "GET /sql/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:33 +0100] "GET /phpmyadmin2/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:33 +0100] "GET /phpmyadmin1/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:33 +0100] "GET /phpadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:33 +0100] "GET /myadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:33 +0100] "GET /db/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:33 +0100] "GET /pma1/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:34 +0100] "GET /pma2/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:34 +0100] "GET /phpmyadmin3/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:34 +0100] "GET /db/pma/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:34 +0100] "GET /db/phpmyadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:34 +0100] "GET /PMA/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:34 +0100] "GET /frontend/pma/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:34 +0100] "GET /frontend/phpmyadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:34 +0100] "GET /admin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:34 +0100] "GET /dbadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:34 +0100] "GET /PMA2006/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:34 +0100] "GET /pma2006/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:34 +0100] "GET /sqlmanager/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:35 +0100] "GET /mysqlmanager/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:35 +0100] "GET /p/m/a/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:35 +0100] "GET /PMA2005/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:35 +0100] "GET /pma2005/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:35 +0100] "GET /phpmanager/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:35 +0100] "GET /php-myadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:35 +0100] "GET /phpmy-admin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:35 +0100] "GET /mysql/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:35 +0100] "GET /myadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:35 +0100] "GET /webadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:35 +0100] "GET /sqlweb/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:35 +0100] "GET /websql/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:36 +0100] "GET /sample/pma/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:36 +0100] "GET /samples/pma/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:36 +0100] "GET /samples/phpmyadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:36 +0100] "GET /debug/phpmyadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:36 +0100] "GET /webdb/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:36 +0100] "GET /mysqladmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:36 +0100] "GET /mysql-admin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:36 +0100] "GET /phpmyadmin2/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:36 +0100] "GET /phpMyAdmin2/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:36 +0100] "GET /phpMyAdmin-2/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:36 +0100] "GET /php-my-admin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:37 +0100] "GET /admin/phpmyadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:37 +0100] "GET /administrator/phpmyadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:37 +0100] "GET /online/phpmyadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:37 +0100] "GET /tools/phpmyadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:37 +0100] "GET /lamp/phpmyadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:37 +0100] "GET /open/phpmyadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:37 +0100] "GET /service/phpmyadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:37 +0100] "GET /domeinbeheer/phpmyadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:37 +0100] "GET /securecontrolpanel/phpmyadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:37 +0100] "GET /controlpanel/phpmyadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:37 +0100] "GET /lampp/phpmyadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:37 +0100] "GET /admin/pma/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:38 +0100] "GET /test/pma/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:38 +0100] "GET /administrator/pma/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:38 +0100] "GET /online/pma/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:38 +0100] "GET /tools/pma/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:38 +0100] "GET /tests/pma/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:38 +0100] "GET /lamp/pma/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:38 +0100] "GET /open/pma/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:38 +0100] "GET /service/pma/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:38 +0100] "GET /domeinbeheer/pma/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:38 +0100] "GET /securecontrolpanel/pma/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:38 +0100] "GET /controlpanel/pma/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:38 +0100] "GET /lampp/pma/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:38 +0100] "GET /neu/pma/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:39 +0100] "GET /neu/phpmyadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:39 +0100] "GET /new/phpmyadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:39 +0100] "GET /new/pma/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:39 +0100] "GET /typo3/pma/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:39 +0100] "GET /lampp/phpmyadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:39 +0100] "GET /mysqltool/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:39 +0100] "GET /databasepma/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:39 +0100] "GET /pmadb/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:39 +0100] "GET /sqldb/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:39 +0100] "GET /acp/phpmyadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:39 +0100] "GET /admincp/phpmyadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:39 +0100] "GET /apache/phpmyadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:40 +0100] "GET /htdocs/phpmyadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:40 +0100] "GET /html/phpmyadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:40 +0100] "GET /www/phpmyadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:40 +0100] "GET /phpmyadmintest/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:40 +0100] "GET /pmatest/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:40 +0100] "GET /admin/sysadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:40 +0100] "GET /admin/sqladmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:40 +0100] "GET /admin/db/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:40 +0100] "GET /admin/web/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:40 +0100] "GET /admin/pMA/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:40 +0100] "GET /admin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:41 +0100] "GET /admin/mysql/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:41 +0100] "GET /admin/myadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:41 +0100] "GET /admin/webadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:41 +0100] "GET /admin/sqlweb/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:41 +0100] "GET /admin/websql/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:41 +0100] "GET /admin/webdb/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:41 +0100] "GET /admin/mysqladmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:41 +0100] "GET /admin/mysql-admin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:41 +0100] "GET /admin/phpmyadmin2/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:41 +0100] "GET /admin/php-my-admin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:41 +0100] "GET /admin/phpMyAdmin-2.2.3/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:41 +0100] "GET /admin/phpMyAdmin-2.2.6/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:42 +0100] "GET /admin/phpMyAdmin-2.5.1/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:42 +0100] "GET /admin/phpMyAdmin-2.5.4/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:42 +0100] "GET /admin/phpMyAdmin-2.5.6/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:42 +0100] "GET /admin/phpMyAdmin-2.6.0/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:42 +0100] "GET /admin/phpMyAdmin-2.6.0-pl1/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:42 +0100] "GET /admin/phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:42 +0100] "GET /admin/phpMyAdmin-2.6.3/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:42 +0100] "GET /admin/phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:42 +0100] "GET /admin/phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:42 +0100] "GET /phpmyadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:43 +0100] "GET /phpMyAdmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:43 +0100] "GET /db/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:43 +0100] "GET /web/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:43 +0100] "GET /PMA/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:43 +0100] "GET /admin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:43 +0100] "GET /mysql/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:43 +0100] "GET /myadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:43 +0100] "GET /webadmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:43 +0100] "GET /sqlweb/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:43 +0100] "GET /websql/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:43 +0100] "GET /webdb/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:44 +0100] "GET /mysqladmin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:44 +0100] "GET /mysql-admin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:44 +0100] "GET /phpmyadmin2/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:44 +0100] "GET /php-my-admin/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:44 +0100] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:44 +0100] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:44 +0100] "GET /phpMyAdmin-2.5.1/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:44 +0100] "GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:44 +0100] "GET /phpMyAdmin-2.5.6/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:44 +0100] "GET /phpMyAdmin-2.6.0/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:44 +0100] "GET /phpMyAdmin-2.6.0-pl1/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:45 +0100] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:45 +0100] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:45 +0100] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 400 303
    193.138.204.127 - - [19/Jun/2008:02:22:45 +0100] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 400 303 ---which is not my web site

    this one

    92.240.68.152 - - [09/Apr/2008:22:26:30 +0100] "CONNECT 195.175.37.70:8080 HTTP/1.0" 405 315

    and this one

    88.250.209.121 - - [29/Apr/2008:13:58:23 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 306

    Can someone help me with these logs, or any of them?

    Thank you
     
    jacek5, Jun 27, 2008 IP
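An added example, not from the thread, that does what a defender would do with the entries quoted above: parse the Apache common-log lines, label each request by the kind of probe it resembles (phpMyAdmin path guessing, open-proxy checks via CONNECT or absolute URLs, the w00tw00t scanner signature, raw non-HTTP bytes), and flag an IP as a scanner when it hits several distinct probe targets within a minute. The sample lines are a subset of those in the post; the category names, the path-fragment list and the thresholds are my own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common log format: host ident authuser [date] "request" status bytes.
# Unprintable request bytes appear as \xNN escapes, so the request field is
# matched as non-quote characters or backslash escapes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+')
# Path fragments typical of phpMyAdmin-style panel guesses (assumed list).
ADMIN_PATH_RE = re.compile(r'(?i)(phpmyadmin|/pma|myadmin|mysql|sql|dbadmin|/db/)')

def classify(req):
    """Label one request field by the kind of probe it resembles."""
    if req.startswith('\\x') or not req.isprintable():
        return 'non-http-garbage'     # raw bytes sent to port 80, not HTTP at all
    method, target = (req.split(' ') + [''])[:2]
    if method == 'CONNECT' or target.lower().startswith(('http://', 'https://')):
        return 'open-proxy-probe'     # asks the server to relay to a third-party host
    if 'w00tw00t' in target:
        return 'scanner-fingerprint'  # well-known DFind scanner signature
    if target.endswith('main.php') and ADMIN_PATH_RE.search(target):
        return 'admin-panel-probe'    # guessing where phpMyAdmin might be installed
    if method == 'OPTIONS' and target == '*':
        return 'generic-probe'        # capability check, common from bots and proxies
    return 'other'

def parse(lines):
    """Yield (ip, datetime, request, status, category) per parseable line."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
            yield m['ip'], ts, m['req'], int(m['status']), classify(m['req'])

def summarize(lines, min_targets=3, window_s=60):
    """Per IP: count, categories, probe time span, and a scanner flag set when
    >= min_targets distinct probe targets fall within window_s (assumed thresholds)."""
    per_ip = defaultdict(lambda: {'count': 0, 'cats': set(), 'times': [], 'targets': set()})
    for ip, ts, req, _status, cat in parse(lines):
        e = per_ip[ip]
        e['count'] += 1
        e['cats'].add(cat)
        if cat in ('admin-panel-probe', 'open-proxy-probe', 'scanner-fingerprint'):
            e['times'].append(ts)
            e['targets'].add(req)
    report = {}
    for ip, e in per_ip.items():
        span = (max(e['times']) - min(e['times'])).total_seconds() if e['times'] else None
        scanner = span is not None and span <= window_s and len(e['targets']) >= min_targets
        report[ip] = {'count': e['count'], 'categories': sorted(e['cats']),
                      'span_s': span, 'scanner': scanner}
    return report

# Constructed sample: a subset of the lines quoted in the post above.
SAMPLE_LOG = r'''
82.201.222.73 - - [23/Jun/2008:23:26:20 +0100] "OPTIONS * HTTP/1.1" 400 306
84.13.131.206 - - [22/Jun/2008:23:18:59 +0100] "\xd8Y[\x8b\x19\xc0j\x1dmL" 400 306
210.51.23.7 - - [23/Jun/2008:04:13:00 +0100] "GET http://www.cooleasy.com/cgi-bin/prxjdg.cgi HTTP/1.0" 400 307
193.138.204.127 - - [19/Jun/2008:02:22:31 +0100] "GET /phpmyadmin/main.php HTTP/1.0" 400 303
193.138.204.127 - - [19/Jun/2008:02:22:32 +0100] "GET /tools/pma/main.php HTTP/1.0" 400 303
193.138.204.127 - - [19/Jun/2008:02:22:45 +0100] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 400 303
92.240.68.152 - - [09/Apr/2008:22:26:30 +0100] "CONNECT 195.175.37.70:8080 HTTP/1.0" 405 315
88.250.209.121 - - [29/Apr/2008:13:58:23 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 306
'''.strip().splitlines()
```

Calling `summarize(SAMPLE_LOG)` marks 193.138.204.127 as a scanner (three distinct admin-panel guesses in 14 seconds) and leaves the single-request hosts unflagged; feed it your real access log with `summarize(open('access.log'))`.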
  2. Trusted Writer

    #2
    My server's logs often display weird entries, mostly from bots trying to retrieve either usernames/passwords or emails, or simply checking for script vulnerabilities or any other security threat.

    They are harmless if the directories don't exist on your server; for example, I doubt you have admin/phpMyAdmin, but if you have /phpMyAdmin I would advise aliasing this directory to some other name to avoid a DB injection attempt.
     
    Trusted Writer, Jun 28, 2008 IP
  3. GLucas

    #3
    That is definitely looking for something. You can set up firewall rules to block people/bots trying so many directories that match certain criteria. I would suggest you simply block this IP on your server firewall or, if you have no root access, in your .htaccess.
     
    GLucas, Jun 28, 2008 IP
  4. Randombase

    #4
    Blocking won't matter. This is clearly an automated tool that checks for the existence of certain files that are open to the public; the attacker will probably never come back.
     
    Randombase, Jun 29, 2008 IP
  5. GLucas

    #5
    Blocking will definitely matter, as he is not using any type of proxy system to change IPs every time he tries to access something else. Blocking the IP from the server will null-route him from the server.
     
    GLucas, Jun 29, 2008 IP
  6. linspire_admin

    #6
    Install mod_security and apply a good set of rules. You can block all such attacks.
     
    linspire_admin, Jun 29, 2008 IP
  7. Randombase

    #7
    Yes, it will work for this single user. My website gets over 200 of these automated attempts daily; if you're not vulnerable, you won't get hacked. It's as simple as that.
     
    Randombase, Jun 30, 2008 IP
  8. meep99

    #8
    I have to agree here: blocking that IP is useless; its scan has been done, and if it's going to come back it's going to find the same results ;)

    I think mod_security can do some stuff to help with this, as someone suggested.

    Assuming nothing is vuln, then you have nothing to worry about.
     
    meep99, Jun 30, 2008 IP
  9. hoodvs

    #9
    mod_security is a web app firewall that, even with the default set of rules installed, will help you with the majority of these types of scans. If you need help installing it, PM me.
     
    hoodvs, Jul 3, 2008 IP
  10. apachehtaccess

    #10
    This is great advice. I've been using mod_security for over a year now and absolutely recommend it to you as well.
     
    apachehtaccess, Jul 3, 2008 IP