Clayton wrote:
> The webserver gets blasted by people looking for primarily php
> exploits, although I see probes for my cgi-bin, ruby, MySQL and a few
> others. None of which are installed/available on this webserver. I
> also see random attempts from unknown IPs to log into the secured
> area. I'm interested in seeing this stuff when it happens... not 2 or
> 3 days later when I happen to remember to look at the logs.
Those are automated bots, very frequently seen in the wild. Those bots generally attempt to exploit:

1. Mambo/Joomla vulnerabilities that abuse a hole in PHP itself (GLOBALS overwrite). No SUSE packages are actually affected by this problem, and even more, in 10.2 attempting to exploit any variation or a possible unknown vuln in the same routines is forbidden by suhosin, so it cannot happen anymore ;-)

2. Innumerable phpbb holes, messy code. No hope of improvement.

3. Buggy mail forms, to find a way to send spam/blackmail...

4. PHP remote code execution ad nauseam, abusing include() or require() PHP statements. Not possible to exploit this by default in PHP 5.2.0, even more restrictive in 5.2.1. SUSE 10.2 packages won't let the attacker use this trick either ;-)

> This has to be information that web admins are interested in...

Admins may be interested in this information when they actually have vulnerable code installed. Although nice for graphs/stats, you are much better off spending your time improving the security of your system rather than watching logs =) But anyway... a good real-time log analyzer is http://www.splunk.com/ (commercial software though).
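As an added example (not part of this thread, and not something either poster ran), here is a small Python scanner that does the "see it when it happens" part of Clayton's question without a commercial product: it reads Apache combined-format access-log lines and flags requests for software this server does not run (php, cgi-bin, ruby, MySQL front-ends, remote-include style parameters as in the include()/require() abuse described above) plus failed logins to the protected area. The log format, the `/secure/` prefix and the sample lines are assumptions constructed for the example.

```python
"""Flag bot probes and failed logins in Apache combined-format access logs.
Added example for this thread; not code from the original posters."""
import re
import sys
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Apache "combined" log format (assumption: the thread never shows the actual format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Request-path patterns for software the poster says is NOT installed.
# Order matters: the first matching rule wins, so the remote-include rule
# comes before the generic .php rule.
PROBE_RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("remote-include", re.compile(r"[?&][^=]+=https?://", re.I)),  # include()/require() abuse
    ("php", re.compile(r"\.php(\?|$)|\bphpbb\b|mambo|joomla", re.I)),
    ("cgi-bin", re.compile(r"/cgi-bin/", re.I)),
    ("ruby", re.compile(r"\.rb(\?|$)|/rails/", re.I)),
    ("mysql", re.compile(r"phpmyadmin|mysql", re.I)),
]

SECURED_PREFIX = "/secure/"  # assumption: the password-protected area lives here


def classify(line: str) -> Optional[Tuple[str, str]]:
    """Return (client_ip, category) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line; ignore rather than crash
    ip, path, status = m.group("ip"), m.group("path"), int(m.group("status"))
    for name, rx in PROBE_RULES:
        if rx.search(path):
            return (ip, name)
    # 401 = Basic/Digest auth rejected by Apache for the protected area.
    if path.startswith(SECURED_PREFIX) and status == 401:
        return (ip, "auth-failure")
    return None


def scan(lines: Iterable[str]) -> Tuple[List[Tuple[str, str]], Dict[str, int]]:
    """Classify every line; return the hits and a per-IP hit count."""
    hits: List[Tuple[str, str]] = []
    per_ip: Counter = Counter()
    for line in lines:
        c = classify(line.rstrip("\n"))
        if c:
            hits.append(c)
            per_ip[c[0]] += 1
    return hits, dict(per_ip)


def noisy_ips(per_ip: Dict[str, int], threshold: int = 3) -> List[str]:
    """IPs that reached the alert threshold, most active first."""
    return sorted((ip for ip, n in per_ip.items() if n >= threshold),
                  key=lambda ip: (-per_ip[ip], ip))


# Constructed sample lines (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jan/2007:10:00:01 +0000] "GET /phpbb/viewtopic.php?t=1 HTTP/1.1" 404 209',
    '192.0.2.10 - - [10/Jan/2007:10:00:02 +0000] "GET /cgi-bin/test-cgi HTTP/1.1" 404 209',
    '198.51.100.7 - - [10/Jan/2007:10:00:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209',
    '203.0.113.5 - - [10/Jan/2007:10:00:04 +0000] "GET /secure/ HTTP/1.1" 401 401',
    '203.0.113.5 - - [10/Jan/2007:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '192.0.2.10 - - [10/Jan/2007:10:00:06 +0000] "GET /index.php?inc=http://198.51.100.7/x.txt HTTP/1.1" 404 209',
]


if __name__ == "__main__":
    # Pipe a live log in ("tail -f access_log | python probes.py") or use the sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    hits, per_ip = scan(source)
    for ip, category in hits:
        print(f"{ip:16} {category}")
    print("alert:", noisy_ips(per_ip))
```

Feeding `tail -f` into the script on stdin gives the immediate view the original poster asked for; `noisy_ips` is where you would hook a mail or syslog notification instead of a print, and the threshold keeps a single stray 404 from paging anyone.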