Security Basics mailing list archives

apache security newbie


From: voyager123bg () gmail com
Date: 5 Jun 2005 21:39:46 -0000

Hello out there, I am new to the apache world (I've been running a home server for about 2 months), and recently did a logcheck.
Here are some strange results: (access_log)
213.240.2.91 - - [07/May/2005:03:12:06 +0300] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 327
84.150.8.164 - - [07/May/2005:04:44:38 +0300] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 327
(I guess this doesn't concern me, since I use linux :))
213.240.62.9 - - [03/Jun/2005:22:44:51 +0300] "SEARCH /\x90\xc9\xc9\xc9\xc9\xc9...... several screens of bullshit
(buffer overflow?)
68.50.20.116 - - [05/Jun/2005:06:48:24 +0300] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 304
68.50.20.116 - - [05/Jun/2005:06:48:27 +0300] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 304
(of course it would return 404 - my cgi-bin is empty)
67.161.103.40 - - [05/Jun/2005:09:47:50 +0300] "GET http://proxyking.servehttp.com:8080/pk/service?service=Echo HTTP/1.0" 404 296
(wtf is this? someone trying to use my webserver as a proxy?)
80.246.2.154 - - [05/Jun/2005:17:21:54 +0300] "\x15>6\xf4\x05\x89C\x03\x8e\xf6\xca\x0c\xbaF\x06\x88" 400 -
-- the last line looks like someone is trying to exploit some vulnerability in apache... or am I wrong?
I've also seen numerous attempts to log in through ssh to the same box, fortunately unsuccessful. I guess it is the kiddies' work, for the traces in the logs were too many, too obvious, and unsuccessful.
However, I did what I had to (or I think so :)) - I scanned the machine from the internet, and it is clean (no "unknown" ports were open). Since I am new to computer security I would like to receive some advice on what the best practices in the area are (how often to look in log files, for example). What good log-rotating programs are there, is there some (good) introduction to LIDS, and where could I read how to secure my desktop as much as possible without giving up the usability of the system? Oh, and not least... how do we figure out whether our host is compromised? (I mean... is regular log checking enough?)
Thanks for the help in advance.
Nik.
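As an added example (not part of the original thread), here is a small Python script that parses common-log-format access_log entries and labels the probe patterns the post quotes: FrontPage extension requests, a NOP-sled WebDAV SEARCH, awstats.pl probes, absolute-URI open-proxy checks, and non-HTTP binary data. The sample lines are constructed from the post (the SEARCH line is shortened and its status code invented); the label names and the NOP-count threshold are assumptions.

```python
import re
from collections import Counter

# Apache common log format; non-printable request bytes appear as literal \xNN escapes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+')
ESCAPE_RE = re.compile(r'\\x([0-9a-fA-F]{2})')

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None                         # not a valid access_log entry
    d = m.groupdict()
    parts = d["req"].split(" ", 2)          # method, target, protocol
    d["method"], d["target"] = parts[0], (parts[1] if len(parts) > 1 else "")
    d["status"] = int(d["status"])
    return d

def classify(e):
    """Label a parsed entry with the kind of probe it resembles (assumed labels)."""
    escapes = [int(h, 16) for h in ESCAPE_RE.findall(e["req"])]
    if e["method"] == "SEARCH" and escapes.count(0x90) >= 8:
        return "webdav-overflow-attempt"    # run of 0x90 (NOP sled) in a WebDAV SEARCH
    if "/_vti_bin/" in e["target"]:
        return "frontpage-probe"            # FrontPage Server Extensions, an IIS target
    if e["target"].startswith("/cgi-bin/awstats.pl"):
        return "awstats-probe"
    if re.match(r"https?://", e["target"]):
        return "open-proxy-check"           # absolute URI: asking the server to proxy
    if e["status"] == 400 and any(b < 0x20 or b >= 0x80 for b in escapes):
        return "non-http-garbage"           # binary data, not an HTTP request at all
    return "normal"

def summarize(lines):
    counts = Counter()                      # (client IP, label) -> hits, skipping normal traffic
    for line in lines:
        e = parse(line)
        if e and (label := classify(e)) != "normal":
            counts[(e["ip"], label)] += 1
    return counts

# Constructed sample from the post's quoted lines (SEARCH line shortened, its status invented).
SAMPLE_LOG = r'''
213.240.2.91 - - [07/May/2005:03:12:06 +0300] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 327
213.240.62.9 - - [03/Jun/2005:22:44:51 +0300] "SEARCH /\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xc9\xc9 HTTP/1.1" 414 -
68.50.20.116 - - [05/Jun/2005:06:48:24 +0300] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 304
67.161.103.40 - - [05/Jun/2005:09:47:50 +0300] "GET http://proxyking.servehttp.com:8080/pk/service?service=Echo HTTP/1.0" 404 296
80.246.2.154 - - [05/Jun/2005:17:21:54 +0300] "\x15>6\xf4\x05\x89C\x03\x8e\xf6\xca\x0c\xbaF\x06\x88" 400 -
'''.strip().splitlines()
```

Running `summarize(SAMPLE_LOG)` gives one hit per (IP, label) pair for the five quoted probes; a benign `GET /index.html` 200 line classifies as "normal" and is left out of the counts.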

