Semi Off Topic
My searching hasn't found what I consider superior info, and we are
wondering from others' experience on this list...
In the logwatch results we all see the info below on almost a daily basis
I have taken the liberty of combining logwatch results from centos 4 and 5
machines for extra info and future searchability
-----
Centos 4
-----
--------------------- httpd Begin ------------------------
GET http://scifi.pages.at/myproxies/azenv.php HTTP/1.1 with response code(s)
404 1 responses
GET http://thecric.free.fr/AZenv/azenv.php HTTP/1.1 with response code(s)
404 1 responses
-----
Centos 5
-----
--------------------- httpd Begin ------------------------
Requests with error response codes
http://scifi.pages.at/myproxies/azenv.php: 2 Time(s)
http://thecric.free.fr/AZenv/azenv.php: 2 Time(s)
GET http://scifi.pages.at/myproxies/azenv.php HTTP/1.1 with response
code(s) 404 3 responses
GET http://thecric.free.fr/AZenv/azenv.php: 2 Time(s) HTTP/1.1 with
response code(s) 404 3 responses
Is it like people are setting up servers to do advertising in our logs while
looking for some vulnerabilities?
Thanks in advance for your insight... :-)
- rh
We've been seeing the same type of entries in our Web server logs for at least a couple months now and not just a few entries. It isn't just 'azenv.php', but references to other PHP files that do not exist on our systems. They've hit some of our servers so hard I figured it must be some kind of attempt to break in or a weird kind of DOS attack.

--
Brent L. Bates (UNIX Sys. Admin.)
M.S. 912                        Phone: (757) 865-1400, x204
NASA Langley Research Center    FAX: (757) 865-8177
Hampton, Virginia 23681-0001    Email: B.L.BATES at larc.nasa.gov
http://www.vigyan.com/~blbates/
On Fri, Jul 18, 2008 at 1:13 PM, Robert - elists <lists07 at abbacomm.net> wrote:
> Semi Off Topic
>
> My searching hasn't found what I consider superior info, and we are
> wondering from others experience on this list...
>
> In the logwatch results we all see the info below on almost a daily basis
>
> I have taken the liberty of combining logwatch results from centos 4 and 5
> machines for extra info and future searchability
>
> -----
> Centos 4
> -----
>
> --------------------- httpd Begin ------------------------
>
> GET http://scifi.pages.at/myproxies/azenv.php HTTP/1.1 with response code(s)
> 404 1 responses

This means someone is trying to use your web server as an open proxy. The good news is that you have it configured the right way and you give a 404 response (page does not exist).

--
Marcelo

"Could it be that this modern life has more of the modern in it than of life?" (Mafalda)
Robert - elists wrote:
> GET http://scifi.pages.at/myproxies/azenv.php HTTP/1.1 with response code(s)
> 404 1 responses

I installed fail2ban from rpmforge and created a filter that bans these types of things. Here is my novice attempt at the failregex:

<HOST> - - \[.*\] \"GET .*(azenv\.php|adxmlrpc\.php|xmlrpc\.php).*"

--
Sincerely,
John Thomas
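An added example, not posted by anyone on this thread: a Python script that parses constructed Apache combined-format access-log lines, counts per client the absolute-URL requests that open-proxy scanners send (the azenv.php probes above), and goes one step beyond the thread by flagging any such request the server answered with 2xx/3xx, since a 404 (as Marcelo notes) means the proxy request was refused while a served one would mean the box is acting as an open proxy. It also simulates John's failregex with fail2ban's <HOST> placeholder expanded by hand; the log lines and IP addresses are constructed.

```python
import re
from collections import Counter

# Apache "combined" log line: client, ident, user, [time], "request", status, bytes, referer, agent
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Proxy-style requests put an absolute URL in the request target instead of a local path.
ABSOLUTE_URL_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.IGNORECASE)
# John's failregex from the thread, with fail2ban's <HOST> placeholder expanded by hand to a
# capture group. This is a simulation of what fail2ban does, not fail2ban's own code.
FAILREGEX = re.compile(
    r'(?P<host>\S+) - - \[.*\] "GET .*(azenv\.php|adxmlrpc\.php|xmlrpc\.php).*"'
)

# Constructed sample log lines; the addresses are documentation ranges, not real clients.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Jul/2008:13:01:02 -0400] "GET http://scifi.pages.at/myproxies/azenv.php HTTP/1.1" 404 291 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [18/Jul/2008:13:01:03 -0400] "GET http://thecric.free.fr/AZenv/azenv.php HTTP/1.1" 404 291 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [18/Jul/2008:13:05:10 -0400] "GET http://example.com/AZenv/azenv.php HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.44 - - [18/Jul/2008:13:06:00 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.45 - - [18/Jul/2008:13:07:00 -0400] "GET /xmlrpc.php HTTP/1.1" 404 291 "-" "-"',
]

def parse_line(line):
    """Return the parsed fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify_proxy_probes(lines):
    """Count absolute-URL requests per client and collect those the server answered 2xx/3xx.
    A 404 (as in the thread) means the proxy request was refused; 2xx/3xx means it was served."""
    counts, served = Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not ABSOLUTE_URL_RE.match(rec['target']):
            continue
        counts[rec['host']] += 1
        if rec['status'][0] in '23':
            served.append(rec)
    return counts, served

def failregex_hosts(lines):
    """Hosts John's failregex would report to fail2ban, one entry per matching line."""
    return [m.group('host') for m in map(FAILREGEX.search, lines) if m]
```

Note that the failregex also matches a plain local "GET /xmlrpc.php" probe, which is not a proxy request at all, so the two views of the log differ on purpose.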