Thanks Niels. Any suggestion on how I could find the particular lines in the log file? I imagine a grep command might be useful, or maybe there's another tool for analysing the logs?
Shawn

(btw - I'll make note to change my default email account later tonight - My messages shouldn't be going out from the "spam" account)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Behalf Of Niels Voll
Sent: Monday, March 22, 2004 12:38 PM
To: CLUG General
Subject: Re: [clug-talk] Am I being attacked?

Hi Shawn,

I'd be curious to see the actual detailed Apache log entries. For example, what's exactly in the user agent fields, and what's in the referer fields (if anything). Is there a large commonality? Anything odd about those?

In the past, I've seen attacks on my server most often one of 2 major varieties:
* very long URL's trying to go after old MS IIS vulnerabilities
* SQL injection attacks through the referer or user agent fields

...Niels

spam wrote:
>Hi all.
>
>In the past week, I reset my Apache logs and got Analog setup to run every
>hour. I'm noticing a very large number of page requests from Taiwan and
>Japan (well, maybe not VERY large, but definitely much more than I would
>expect). Analog also indicates that in the past week I've had 500+ unique
>visitors. Before I took the site down for a server rebuild, I was hovering
>around 700 unique visitors over a 6 month period - 500 in less than a week
>seems too high.
>
>You can see the logs at http://logs.open2space.com/open2space/index.html.
>
>Now, seeing as the www.open2space.com website was effectively down for the
>past couple of months, I was very surprised to see 200+ page requests from
>external sources within the first couple of hours of the site being back up.
>The site has never received too many hits. I have not announced publicly
>that the site was up and running again yet either - though a few coworkers
>are aware it is.
>
>It seems the requests are primarily for the root web page. Now, to add to
>the plot, I changed the root directory for open2space.com via a virtual host
>setting. Prior to this I happened to find a "B2" folder under the web root
>that was empty. I don't remember creating this folder, but might have.
>Regardless, it's been deleted. I've also run chkrootkit on the box with
>nothing suspicious found.
>
>So, I'm curious to know if the traffic is legitimate, or if maybe I need to
>tighten down my server a little more - I'm reasonably confident it's fairly
>secure as is. Anyone have any thoughts? Or are there any command line tools
>I could use to glean more info from my logs?
>
>Thanks muchly for any feedback.
>
>Shawn
>
>_______________________________________________
>clug-talk mailing list
>[EMAIL PROTECTED]
>http://clug.ca/mailman/listinfo/clug-talk_clug.ca
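The two indicators Niels describes (very long request URLs and SQL fragments in the referer or user agent fields) and the "is there a large commonality?" question can be answered from the access log with field-level parsing rather than a bare grep. The script below is an added example written for this thread, not code posted by anyone on the list. It parses Apache's "combined" LogFormat, decodes %XX escapes before matching, flags the two patterns, and tallies user agents and referers so repeated values stand out. The 200-character threshold and the SQL pattern are assumptions to tune for your site; the sample log lines are constructed (RFC 5737 test addresses) and are not from open2space.com.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Regex for Apache's "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"\s*$'
)

# Heuristics (assumptions, not from the thread): what counts as a "very long"
# URL, and which SQL fragments are suspicious in a referer, user agent or path.
LONG_URL_THRESHOLD = 200
SQLI_RE = re.compile(
    r"\b(union\s+select|select\s+.+\s+from|insert\s+into|drop\s+table)\b"
    r"|'\s*(or|and)\s+[\w']+\s*=\s*[\w']+"   # e.g.  ' or 1=1
    r"|--\s*$",                              # trailing SQL comment
    re.IGNORECASE,
)

# Constructed sample log: two ordinary root-page hits, one long-URL probe,
# one SQL fragment in the referer, one URL-encoded fragment in the user agent,
# and one line that is not in combined format at all.
SAMPLE_LOG = "\n".join([
    '203.0.113.10 - - [22/Mar/2004:10:01:02 -0700] "GET / HTTP/1.1" 200 2140 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '203.0.113.11 - - [22/Mar/2004:10:01:09 -0700] "GET / HTTP/1.1" 200 2140 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '198.51.100.7 - - [22/Mar/2004:10:02:33 -0700] "GET /default.ida?' + "X" * 240 + ' HTTP/1.0" 404 291 "-" "-"',
    '198.51.100.9 - - [22/Mar/2004:10:03:41 -0700] "GET / HTTP/1.1" 200 2140 "http://example.invalid/\' UNION SELECT 1,2,3--" "Mozilla/4.0"',
    '192.0.2.5 - - [22/Mar/2004:10:04:00 -0700] "GET /index.html HTTP/1.1" 200 2140 "-" "Mozilla/4.0 %27%20or%201%3D1--"',
    "this line is not in combined format",
])


def parse_line(line):
    """Split one combined-format line into named fields; None if it doesn't match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # The request line is "METHOD PATH PROTOCOL"; keep the path on its own.
    parts = entry["request"].split(" ")
    entry["path"] = parts[1] if len(parts) >= 2 else entry["request"]
    return entry


def classify(entry):
    """Return the indicator names that apply to one parsed entry."""
    flags = []
    if len(entry["path"]) > LONG_URL_THRESHOLD:
        flags.append("long-url")
    # Decode %XX escapes first so an encoded payload is judged as plain text.
    for field in ("referer", "agent", "path"):
        if SQLI_RE.search(unquote(entry[field])):
            flags.append("sqli:" + field)
    return flags


def analyse(log_text):
    """Summarise a log: flagged hosts, field commonality, root-page hits, unparsed lines."""
    report = {"flagged": [], "unparsed": 0, "root_requests": 0,
              "agents": Counter(), "referers": Counter()}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        if entry is None:
            report["unparsed"] += 1      # count, don't silently drop, odd lines
            continue
        report["agents"][entry["agent"]] += 1
        report["referers"][entry["referer"]] += 1
        if entry["path"] == "/":
            report["root_requests"] += 1
        flags = classify(entry)
        if flags:
            report["flagged"].append((entry["host"], flags))
    return report


if __name__ == "__main__":
    r = analyse(SAMPLE_LOG)
    print("root-page requests:", r["root_requests"], " unparsed lines:", r["unparsed"])
    print("most common user agents:", r["agents"].most_common(3))
    print("most common referers:   ", r["referers"].most_common(3))
    for host, flags in r["flagged"]:
        print("FLAG", host, ",".join(flags))
```

To run it against a real file, replace SAMPLE_LOG with open("/path/to/access_log").read(). For a quick first look without the script, grep -Ei 'union.*select' access_log finds the plain-text injection attempts, but it will miss the URL-encoded ones that the unquote() step above catches.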

