I just did a quick review of the logs, and found that there were only a
couple of blatant attacks.  The rest of the hits seem to be looking for URLs
pertaining to my old server (well, that's what most of the 404's are), these
will go away over time.  It looks like these are mostly valid requests,
though I don't know why or how they are hitting the root folder, without
also requesting the image or css files.  But, at this time I'm satisfied
that I'm not really under attack.

Thanks for the support.

Shawn

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Behalf Of Niels Voll
Sent: Monday, March 22, 2004 4:04 PM
To: CLUG General
Subject: Re: [clug-talk] Am I being attacked?


I usually just peruse Apache's access.log file with a regular text
editor or "tail" command. If you are ambitious, you can probably import
it into a spreadsheet program, since it is a columnar file with
double-quotes surrounding the text fields.

A typical log entry looks like this (disregard any line-breaking, which
may be an artifact of emailing this - there is one line for each hit to
your server):

198.161.94.245 - - [22/Mar/2004:10:13:10 -0700] "GET /nvcm/en/index.php?id=29 HTTP/1.1" 200 3039 "http://clug.ca/nuke/modules.php?name=Web_Links&l_op=viewlink&cid=6" "Mozilla/5.0 Galeon/1.2.7 (X11; Linux i686; U;) Gecko/20030131"

The fields are

* IP address of the request
* Date/Time stamp (your server time)
* the HTTP command, received by your server - typically a GET or PUT,
and the URL requested
* HTTP response code (200=OK)
* I believe, the next one is the size of the retrieved file
* the referring page - if someone requested this page because of a link
from another web page, you would see that here - some attacks may try to
use this field for buffer overflows or SQL injection trickery; on the
other hand, if your hits are increasing, because a popular page linked
to you, you can find out from this field.
* the requesting browser or robot - attackers often play games with this
field similar to the referring page field, and some entries are caused by
search engine robots. Search engines will find your site, as long as it
has a DNS entry, some may even find it without one.

If you are comfortable with it, and wish to do so, send me your Apache
access.log file off-list, and I'll have a quick peek at it to see if
there is an easy explanation for the increase in traffic. Don't worry if
it's large, my mail server takes rather large attachments without
complaints.

Kind regards,

...Niels
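The field list above describes Apache's "combined" log format. The following is an added example (my own code, not Niels's, Shawn's, or anything from the clug-talk thread) that parses lines in that format and aggregates the things the reply says to look at: hits per IP, response codes, the paths behind 404s (stale links to an old site), and hits whose URL is unusually long or whose referer/user-agent field contains injection-looking characters. The first sample line is the one quoted in the message; the other lines, the 255-character URL threshold and the `SQLI_RE` indicator list are constructed for the example and are deliberately crude.

```python
"""Parse Apache combined-format access log lines and summarise them the way
a quick log review needs. Added example; not part of the original thread."""
import re
from collections import Counter

# Combined Log Format, one hit per line:
#   ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Crude indicators for the referer/user-agent games the reply mentions.
# Both values are assumptions for this example; tune them for real logs.
SQLI_RE = re.compile(r"('|%27|--|\bunion\b|\bselect\b)", re.IGNORECASE)
MAX_URL_LEN = 255  # hypothetical threshold for a "very long URL"


def parse_line(line):
    """Return a dict of named fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    # "GET /path HTTP/1.1" -> method and URL; malformed requests may lack parts
    parts = entry["request"].split(" ")
    entry["method"] = parts[0] if parts[0] else "-"
    entry["url"] = parts[1] if len(parts) > 1 else "-"
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    return entry


def flag_entry(entry):
    """List the reasons (possibly none) this hit deserves a closer look."""
    reasons = []
    if len(entry["url"]) > MAX_URL_LEN:
        reasons.append("long-url")
    for field in ("referer", "agent"):
        if SQLI_RE.search(entry[field]):
            reasons.append("sqli-like-" + field)
    return reasons


def summarise(lines):
    """Aggregate per-IP hits, status codes, 404'd paths and flagged hits."""
    per_ip, statuses, missing = Counter(), Counter(), Counter()
    flagged, unparsed = [], 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            unparsed += 1          # count, don't crash, on odd lines
            continue
        per_ip[entry["ip"]] += 1
        statuses[entry["status"]] += 1
        if entry["status"] == 404:
            missing[entry["url"]] += 1
        reasons = flag_entry(entry)
        if reasons:
            flagged.append((entry["ip"], entry["url"], reasons))
    return {"per_ip": per_ip, "statuses": statuses, "missing": missing,
            "flagged": flagged, "unparsed": unparsed}


# Sample input: line 1 is the entry quoted in the thread; the rest are constructed.
SAMPLE_LINES = [
    '198.161.94.245 - - [22/Mar/2004:10:13:10 -0700] "GET /nvcm/en/index.php?id=29 HTTP/1.1" 200 3039 '
    '"http://clug.ca/nuke/modules.php?name=Web_Links&l_op=viewlink&cid=6" '
    '"Mozilla/5.0 Galeon/1.2.7 (X11; Linux i686; U;) Gecko/20030131"',
    # stale link to a path from the old site (constructed)
    '10.0.0.5 - - [22/Mar/2004:11:02:44 -0700] "GET /oldsite/about.html HTTP/1.0" 404 289 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    # over-long URL (constructed)
    '10.0.0.6 - - [22/Mar/2004:11:05:01 -0700] "GET /' + "A" * 300 + ' HTTP/1.0" 404 289 "-" "-"',
    # quote and comment marker in the referer field (constructed)
    '10.0.0.7 - - [22/Mar/2004:11:09:30 -0700] "GET /index.php HTTP/1.1" 200 3039 '
    '"http://example.invalid/page?id=1\'--" "Mozilla/5.0"',
    "this line is not a log entry",
]

if __name__ == "__main__":
    report = summarise(SAMPLE_LINES)
    print("hits per IP:", dict(report["per_ip"]))
    print("status codes:", dict(report["statuses"]))
    print("404'd paths:", dict(report["missing"]))
    for ip, url, reasons in report["flagged"]:
        print("flagged:", ip, url[:40], reasons)
    print("unparsed lines:", report["unparsed"])
```

To run it over a real file, replace `SAMPLE_LINES` with `open("access.log")`; the 404 table is the quickest way to see whether the noise is old bookmarks or probing, and the flagged list is what to read by hand before deciding anything.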

Shawn Grover wrote:

>Thanks Niels.
>
>Any suggestion on how I could find the particular lines in the log file?  I
>imagine a grep command might be useful, or maybe there's another tool for
>analysing the logs?
>
>Shawn
>
>(btw - I'll make note to change my default email account later tonight - My
>messages shouldn't be going out from the "spam" account)
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
>Behalf Of Niels Voll
>Sent: Monday, March 22, 2004 12:38 PM
>To: CLUG General
>Subject: Re: [clug-talk] Am I being attacked?
>
>
>Hi Shawn,
>
>I'd be curious to see the actual detailed Apache log entries. For
>example, what's exactly in the user agent fields, and what's in the
>referer fields (if anything). Is there a large commonality? Anything odd
>about those?
>
>In the past, I've seen attacks on my server most often one of 2 major
>varieties:
>
>* very long URL's trying to go after old MS IIS vulnerabilities
>* SQL injection attacks through the referer or user agent fields
>
>
>...Niels
>
>spam wrote:
>
>>Hi all.
>>
>>In the past week, I reset my Apache logs and got Analog setup to run every
>>hour.  I'm noticing a very large number of page requests from Taiwan and
>>Japan (well, maybe not VERY large, but definitely much more than I would
>>expect).  Analog also indicates that in the past week I've had 500+ unique
>>visitors.  Before I took the site down for a server rebuild, I was
>>hovering
>>around 700 unique visitors over a 6 month period - 500 in less than a week
>>seems too high.
>>
>>You can see the logs at http://logs.open2space.com/open2space/index.html.
>>
>>Now, seeing as the www.open2space.com website was effectively down for the
>>past couple of months, I was very surprised to see 200+ page requests from
>>external sources within the first couple of hours of the site being back
>>up.
>>The site has never received too many hits.  I have not announced publicly
>>that the site was up and running again yet either - though a few coworkers
>>are aware it is.
>>
>>It seems the requests are primarily for the root web page. Now, to add to
>>the plot, I changed the root directory for open2space.com via a virtual
>>host
>>setting.  Prior to this I happened to find a "B2" folder under the web
>>root
>>that was empty.  I don't remember creating this folder, but might have.
>>Regardless, it's been deleted.  I've also run chkrootkit on the box with
>>nothing suspicious found.
>>
>>So, I'm curious to know if the traffic is legitimate, or if maybe I need
>>to
>>tighten down my server a little more - I'm reasonably confident it's
>>fairly
>>secure as is.  Anyone have any thoughts? Or are there any command line
>>tools
>>I could use to glean more info from my logs?
>>
>>Thanks muchly for any feedback.
>>
>>Shawn
>>
>>_______________________________________________
>>clug-talk mailing list
>>[EMAIL PROTECTED]
>>http://clug.ca/mailman/listinfo/clug-talk_clug.ca
>>
>
