Hello, I am using the nginx plugin in front of Apache, and today I found this in the nginx access.log:

151.1.182.163 - - [18/Sep/2011:08:15:28 +0300] "GET / HTTP/1.0" 200 151 "-" "-"
151.1.182.163 - - [18/Sep/2011:17:50:49 +0300] "GET / HTTP/1.0" 200 151 "-" "-"
69.162.74.37 - - [18/Sep/2011:18:56:22 +0300] "GET /w00tw00t.at.ISC.SANS.test0: ) HTTP/1.1" 400 166 "-" "-"
62.141.46.141 - - [19/Sep/2011:06:18:21 +0300] "GET /w00tw00t.at.ISC.SANS.test0: ) HTTP/1.1" 400 166 "-" "-"
24.73.227.230 - - [19/Sep/2011:11:41:35 +0300] "GET /w00tw00t.at.ISC.SANS.DFind: ) HTTP/1.1" 400 166 "-" "-"
24.73.227.230 - - [19/Sep/2011:11:41:35 +0300] "GET /w00tw00t.at.ISC.SANS.DFind: ) HTTP/1.1" 400 166 "-" "-"
46.163.65.80 - - [19/Sep/2011:21:35:12 +0300] "GET /w00tw00t.at.ISC.SANS.DFind: ) HTTP/1.1" 400 166 "-" "-"
46.163.65.80 - - [19/Sep/2011:21:35:12 +0300] "GET /w00tw00t.at.ISC.SANS.DFind: ) HTTP/1.1" 400 166 "-" "-"
94.102.209.211 - - [20/Sep/2011:17:00:21 +0300] "GET /w00tw00t.at.ISC.SANS.DFind: ) HTTP/1.1" 400 166 "-" "-"
94.102.209.211 - - [20/Sep/2011:17:00:21 +0300] "GET /w00tw00t.at.ISC.SANS.DFind: ) HTTP/1.1" 400 166 "-" "-"
217.170.69.22 - - [21/Sep/2011:10:03:49 +0300] "GET /test.w00t HTTP/1.1" 400 166 "-" "-"
217.170.69.22 - - [21/Sep/2011:10:03:50 +0300] "GET /test.w00t HTTP/1.1" 400 166 "-" "-"

and for the Apache access_log:

127.0.0.1 - - [23/Sep/2011:18:17:24 +0300] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [23/Sep/2011:18:17:58 +0300] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [23/Sep/2011:18:18:15 +0300] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [23/Sep/2011:18:18:36 +0300] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [23/Sep/2011:18:19:08 +0300] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [23/Sep/2011:18:19:28 +0300] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [23/Sep/2011:18:19:36 +0300] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [23/Sep/2011:18:20:00 +0300] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [23/Sep/2011:18:20:01 +0300] "GET /whm-server-status HTTP/1.0" 499 0 "-" "-"
127.0.0.1 - - [23/Sep/2011:18:21:11 +0300] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [23/Sep/2011:18:21:16 +0300] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [23/Sep/2011:18:21:22 +0300] "GET / HTTP/1.0" 200 111

Any ideas what those are and what I can do? Thank you

The w00tw00t logs are from a vulnerability scanner. If using Linux, you can block them by adding this rule to your iptables (change dport accordingly to match your server's port in case it's not 80):

iptables -I INPUT -d your_server_ip_goes_here -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP
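
To see which sources send these probes and whether any of them got a non-error reply, the access log can be searched for the same request prefix the rule above matches. This is an added example, not part of the original posts; it assumes nginx's default combined log format, and the function names and sample lines are constructed for illustration.

```python
import re

# Same request prefix the iptables rule above matches on.
PROBE_PREFIX = "/w00tw00t.at.ISC.SANS."

# Leading fields of the combined access-log format. The request field can be
# malformed, so it is captured whole and split afterwards.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    method, path = (m.group("request").split(" ", 2) + ["", ""])[:2]
    return m.group("ip"), m.group("ts"), method, path, int(m.group("status"))

def summarize_probes(lines):
    """Group scanner probes by source IP: count, first/last seen, statuses."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "GET" or not path.startswith(PROBE_PREFIX):
            continue
        h = hits.setdefault(ip, {"count": 0, "first": ts, "last": ts, "statuses": set()})
        h["count"] += 1
        h["last"] = ts
        h["statuses"].add(status)
    return hits

def answered_probes(summary):
    """IPs whose probes got a reply outside 4xx; these deserve a closer look."""
    return sorted(ip for ip, h in summary.items()
                  if any(not 400 <= s < 500 for s in h["statuses"]))

# Constructed sample lines (documentation addresses, not from the original post).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Sep/2011:18:56:22 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 166 "-" "-"',
    '192.0.2.10 - - [18/Sep/2011:18:56:23 +0300] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 166 "-" "-"',
    '198.51.100.7 - - [19/Sep/2011:06:18:21 +0300] "GET /w00tw00t.at.ISC.SANS.test0:) HTTP/1.1" 200 151 "-" "-"',
    '203.0.113.5 - - [19/Sep/2011:08:15:28 +0300] "GET / HTTP/1.0" 200 151 "-" "-"',
    'truncated line without the expected fields',
]
```

Pass an open access.log file object to `summarize_probes` in place of `SAMPLE_LOG` to run it on real data.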