Every few days I see in the logwatch on my Centos-5.5 web-server what seems like a rather feeble break-in attempt. E.g. today I see

---------------------------
403 Forbidden
   /phpMyAdmin/scripts/setup.php: 2 Time(s)
   /phpmyadmin/scripts/setup.php: 2 Time(s)
404 Not Found
   /PMA2005/scripts/setup.php: 1 Time(s)
   /TRAD_files/datestamp.js: 1 Time(s)
   ...
---------------------------

followed by dozens of similar lines.

As far as I can see, the IP of the person making the attempt (if there was an attempt) is not given.

I'm not at all sure what, if anything, I should do about this.

In fact, I'm not clear how one should deal with logwatch entries in general. Is there any document giving advice on this?

--
Timothy Murphy
e-mail: gayleard /at/ eircom.net
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland
On Wed, Sep 08, 2010 at 01:33:18PM +0100, Timothy Murphy wrote:
> Every few days I see in the logwatch on my Centos-5.5 web-server
> what seems like a rather feeble break-in attempt.

That is what it is, and since it's so feeble, it's barely helpful to know about it.

> In fact, I'm not clear how one should deal with logwatch entries
> in general.

Sigh and wish there were a better tool, I think.

--
Matthew Miller
mattdm at mattdm.org <http://mattdm.org/>
> Every few days I see in the logwatch on my Centos-5.5 web-server what seems
> like a rather feeble break-in attempt.
> E.g. today I see
> ---------------------------
> 403 Forbidden
>    /phpMyAdmin/scripts/setup.php: 2 Time(s)
>    /phpmyadmin/scripts/setup.php: 2 Time(s)
> 404 Not Found
>    /PMA2005/scripts/setup.php: 1 Time(s)
>    /TRAD_files/datestamp.js: 1 Time(s)
>    ...
> ---------------------------
> followed by dozens of similar lines.
>
> As far as I can see, the IP of the person making the attempt (if there was
> an attempt) is not given.
>
> I'm not at all sure what if anything I should do about this.
>

Logwatch is just an automated tool that runs a few checks on your log files. The source IP is in your apache log files. If you are concerned, you should check your log files for that IP and then check whether that IP appears elsewhere in any of your log files.

The likelihood is that someone ran a vulnerability scanner against all your available services, logwatch found evidence of that vulnerability scan, and you should check whether any other vulnerabilities were scanned for and perhaps found... To do that you should manually check your log files or use a better tool.
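Added example (not code from the thread or from logwatch): a small Python script that does the check suggested above, pulling the source IPs behind the setup.php probes out of an Apache combined-format access log and then listing everything else those IPs requested. The log lines are constructed sample data, not real traffic.

```python
import re
from collections import Counter

# One Apache "combined" access-log line, the default format httpd writes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Every probe in the logwatch excerpt ends in /scripts/setup.php (the phpMyAdmin
# setup script); the directory part varies in case, so match case-insensitively.
PROBE_RE = re.compile(r'/scripts/setup\.php$', re.I)

# Constructed sample lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Sep/2010:09:12:01 +0100] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 403 289 "-" "Mozilla/4.0"
203.0.113.7 - - [08/Sep/2010:09:12:02 +0100] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 403 289 "-" "Mozilla/4.0"
203.0.113.7 - - [08/Sep/2010:09:12:03 +0100] "GET /PMA2005/scripts/setup.php HTTP/1.1" 404 290 "-" "Mozilla/4.0"
198.51.100.4 - - [08/Sep/2010:10:00:15 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Sep/2010:11:45:30 +0100] "POST /cgi-bin/contact.pl HTTP/1.1" 200 412 "-" "Mozilla/4.0"
"""

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def probe_sources(lines):
    """Count, per source IP, the requests that hit a phpMyAdmin setup.php probe path."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if PROBE_RE.search(rec["path"]):
            counts[rec["ip"]] += 1
    return counts

def other_requests(lines, ips):
    """Everything else the flagged IPs asked for: the 'does it appear elsewhere' check."""
    found = []
    for rec in filter(None, map(parse_line, lines)):
        if rec["ip"] in ips and not PROBE_RE.search(rec["path"]):
            found.append((rec["ip"], rec["method"], rec["path"], rec["status"]))
    return found

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    probes = probe_sources(lines)
    for ip, n in probes.most_common():
        print(f"{ip}: {n} probe(s)")
    for ip, method, path, status in other_requests(lines, probes):
        print(f"  also from {ip}: {method} {path} -> {status}")
```

On a real server, replace SAMPLE_LOG with the contents of /var/log/httpd/access_log (or the error_log, which records the same 403/404 hits).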
Timothy Murphy wrote:
> Every few days I see in the logwatch on my Centos-5.5 web-server
> what seems like a rather feeble break-in attempt.
> E.g. today I see
> ---------------------------
> 403 Forbidden
>    /phpMyAdmin/scripts/setup.php: 2 Time(s)
>    /phpmyadmin/scripts/setup.php: 2 Time(s)
> 404 Not Found
>    /PMA2005/scripts/setup.php: 1 Time(s)
>    /TRAD_files/datestamp.js: 1 Time(s)
>    ...
> ---------------------------
> followed by dozens of similar lines.
>
> As far as I can see, the IP of the person making the attempt
> (if there was an attempt) is not given.
>
> I'm not at all sure what if anything I should do about this.
>
> In fact, I'm not clear how one should deal with logwatch entries
> in general.
> Is there any document giving advice on this?

We run fail2ban. It blocks a given IP for so long after so many (3? 5?) failed attempts to break in. It also does a whois on the IP, which is a little more info.

mark, wondering if the Chinese Railway is trying again today
From: Timothy Murphy <gayleard at eircom.net>
> Every few days I see in the logwatch on my Centos-5.5 web-server
> what seems like a rather feeble break-in attempt.
> E.g. today I see

I get proxy scans and phpmyadmin (and others) vulnerability scans every day... They just get 404s in return... You can check the IPs in apache error_log.

In the beginning I was reporting them to their ISPs but, with the high number of daily scans, I just gave up... Either they are part of a botnet (so clueless users' infected PCs), or they are abroad (Asia) and the ISP will just mostly ignore your email...

Maybe just make sure you set apache ServerSignature to Off...

One annoying "bug" about logwatch is that it does not cope with the lack of year in yum.log dates, so it will happily report package installs from last year as if they just happened...

JD