CentOS - Jul 2008 - semi OT: logwatch results

Semi Off Topic

My searching hasn't found what I consider superior info, and we are
wondering from others experience on this list...

In the logwatch results we all see the info below on almost a daily basis

I have taken the liberty of combining logwatch results from centos 4 and 5
machines for extra info and future searchability

-----
Centos 4
-----

--------------------- httpd Begin ------------------------

GET http://scifi.pages.at/myproxies/azenv.php HTTP/1.1 with response code(s)
404 1 responses

GET http://thecric.free.fr/AZenv/azenv.php HTTP/1.1 with response code(s)
404 1 responses

-----
Centos 5
-----

--------------------- httpd Begin ------------------------ 

 Requests with error response codes

       http://scifi.pages.at/myproxies/azenv.php: 2 Time(s)
       http://thecric.free.fr/AZenv/azenv.php: 2 Time(s)

  GET http://scifi.pages.at/myproxies/azenv.php HTTP/1.1 with response
code(s) 404 3 responses

  GET http://thecric.free.fr/AZenv/azenv.php: 2 Time(s) HTTP/1.1 with
response code(s) 404 3 responses


Is it like people are setting up servers to do advertising in our logs while
looking for some vulnerabilities?

Thanks in advance for your insight...  :-)

 - rh

We've been seeing the same type of entries in our Web server logs for at
least a couple months now and not just a few entires.  It isn't just
`azenv.php', but references to other PHP files that do not exist on our
systems.  They've hit some of our servers so hard I figured it must be some
kind of attempt to break in or a weird kind of DOS attack.

-- 

  Brent L. Bates (UNIX Sys. Admin.)
  M.S. 912				Phone:(757) 865-1400, x204
  NASA Langley Research Center	  	  FAX:(757) 865-8177
  Hampton, Virginia  23681-0001
  Email: B.L.BATES at larc.nasa.gov	http://www.vigyan.com/~blbates/

On Fri, Jul 18, 2008 at 1:13 PM, Robert - elists <lists07 at abbacomm.net>
wrote:
> Semi Off Topic
>
> My searching hasn't found what I consider superior info, and we are
> wondering from others experience on this list...
>
> In the logwatch results we all see the info below on almost a daily basis
>
> I have taken the liberty of combining logwatch results from centos 4 and 5
> machines for extra info and future searchability
>
> -----
> Centos 4
> -----
>
> --------------------- httpd Begin ------------------------
>
> GET http://scifi.pages.at/myproxies/azenv.php HTTP/1.1 with response
code(s)
> 404 1 responses
This means someone is trying to use your web server as an open proxy.
The good news is that you have it configured the right way and you
give a 404 response (page does not exist).


-- 
Marcelo

"?No ser? acaso que ?sta vida moderna est? teniendo m?s de moderna que
de vida?" (Mafalda)

Robert - elists wrote:
> GET http://scifi.pages.at/myproxies/azenv.php HTTP/1.1 with response
code(s)
> 404 1 responses
I installed fail2ban from rpmforge and created a filter that bans these 
type of things.

Here is my novice attempt at the failregex <HOST> - - \[.*\] \"GET
.*(azenv\.php|adxmlrpc\.php|xmlrpc\.php).*"

-- 
Sincerely,
John Thomas