I just installed OpenBSD on my server in early March 2007. I am running an Apache web server out of my house. I am tracking 4.0 STABLE which I updated the day after the latest security advisory. I recently noticed some peculiar entries in my Apache error and access logs.
From /var/www/logs/error_log:
[Sat Mar 31 07:35:07 2007] [error] [client 211.100.33.61] File does not exist: /htdocs/Provy_OK.html
[Sat Mar 31 07:40:20 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/thisdoesnotexistahaha.php
[Sat Mar 31 07:40:21 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/cmd.php
[Sat Mar 31 07:40:21 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/Cacti/cmd.php
[Sat Mar 31 07:40:22 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/cacti/cmd.php
[Sat Mar 31 07:40:22 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/portal/cacti/cmd.php
[Sat Mar 31 07:40:22 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/portal/cmd.php
[Sat Mar 31 07:40:23 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/stats/cmd.php
[Sun Apr 1 00:11:32 2007] [error] [client 212.31.237.145] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)

From /var/www/logs/access_log:
211.100.33.61 - - [31/Mar/2007:07:35:07 -0500] "GET http://check.70.94.14.65.v.80.pdx8.super.proxy.scanner.ii.9966.org/Provy_OK.html HTTP/1.1" 404 219 "-" "-"
195.242.236.131 - - [31/Mar/2007:07:40:20 -0500] "GET /thisdoesnotexistahaha.php HTTP/1.1" 404 231 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
195.242.236.131 - - [31/Mar/2007:07:40:21 -0500] "GET /cmd.php HTTP/1.1" 404 213 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
195.242.236.131 - - [31/Mar/2007:07:40:21 -0500] "GET /Cacti/cmd.php HTTP/1.1" 404 219 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
195.242.236.131 - - [31/Mar/2007:07:40:22 -0500] "GET /cacti/cmd.php HTTP/1.1" 404 219 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
195.242.236.131 - - [31/Mar/2007:07:40:22 -0500] "GET /portal/cacti/cmd.php HTTP/1.1" 404 226 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
195.242.236.131 - - [31/Mar/2007:07:40:22 -0500] "GET /portal/cmd.php HTTP/1.1" 404 220 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
195.242.236.131 - - [31/Mar/2007:07:40:23 -0500] "GET /stats/cmd.php HTTP/1.1" 404 219 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
212.31.237.145 - - [01/Apr/2007:00:11:32 -0500] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 335 "-" "-"

Relevant sections from /var/log/pflog:

I have not noticed any weirdness in any other log files. What can I do to stop this from happening? Thanks in advance.

--
Sean Malloy
Registered GNU/Linux User #417855
Happy Hacking! ;-)
www.catgrepsort.com
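
The three request patterns visible in the access_log excerpt can be told apart mechanically. The following is an added example, not part of the original post: the label names, the `classify` function and the threshold of three distinct missing paths are assumptions chosen for illustration, and the sample lines are copied from the post.

```python
import re
from collections import defaultdict

# Apache combined log format: host, ident, user, [time], "method target proto", status, size
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Entries copied from the access_log excerpt in the post above.
SAMPLE = '''\
211.100.33.61 - - [31/Mar/2007:07:35:07 -0500] "GET http://check.70.94.14.65.v.80.pdx8.super.proxy.scanner.ii.9966.org/Provy_OK.html HTTP/1.1" 404 219 "-" "-"
195.242.236.131 - - [31/Mar/2007:07:40:20 -0500] "GET /thisdoesnotexistahaha.php HTTP/1.1" 404 231 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
195.242.236.131 - - [31/Mar/2007:07:40:21 -0500] "GET /cmd.php HTTP/1.1" 404 213 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
195.242.236.131 - - [31/Mar/2007:07:40:21 -0500] "GET /Cacti/cmd.php HTTP/1.1" 404 219 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
195.242.236.131 - - [31/Mar/2007:07:40:22 -0500] "GET /cacti/cmd.php HTTP/1.1" 404 219 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
212.31.237.145 - - [01/Apr/2007:00:11:32 -0500] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 335 "-" "-"
'''

def classify(log_text, burst=3):
    """Return {client_ip: sorted list of labels} for scanner-like requests."""
    labels = defaultdict(set)
    misses = defaultdict(set)      # client -> distinct targets answered with 404
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue               # skip anything that is not an access-log entry
        ip, _ts, _method, target, status = m.groups()
        if re.match(r'(?i)https?://', target):
            # Absolute URI sent to an origin server: a test for an open proxy.
            labels[ip].add('open-proxy-check')
        if 'w00tw00t.at.ISC.SANS.DFind' in target:
            # Fixed request string left by the DFind scanning tool.
            labels[ip].add('dfind-scanner')
        if status == '404':
            misses[ip].add(target)
    for ip, paths in misses.items():
        # Several distinct missing paths from one client: guessing at installed apps.
        if len(paths) >= burst:
            labels[ip].add('path-enumeration')
    return {ip: sorted(found) for ip, found in labels.items()}

if __name__ == '__main__':
    for ip, found in classify(SAMPLE).items():
        print(ip, ', '.join(found))
```

Every one of these requests was answered with 404 or 400, which is what the error_log entries record: the server had nothing at those paths to serve.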