hi folks,

I need some help with interpreting webserver logfiles (Apache logs).
While setting up my OSSEC test environment for my thesis project, I've also 
set up a WordPress on an Apache webserver as a "honeypot". Although there's 
no real content, except the standard WordPress posts & pages that come 
with the installation, I already have some "visitors". I see these dubious-
looking requests. I'm not sure if these are threats/attacks against my 
WordPress installation.
I'm not really familiar with Apache logs, but I need some threats/attacks 
to explain in my thesis. I thought this would be the best way to get 
started.

I have PLENTY of the following requests in my httpd logs

Src IP: 115.239.228.8
115.239.228.8 - - [24/Jul/2015:19:22:42 +0200] "GET 
http://zc.qq.com/cgi-bin/common/attr?id=260714&r=0.7636925813952972 
HTTP/1.1" 404 292 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; 
Trident/5.0; 360SE)"


Judging by the HTTP status code it's not really a threat, right? It's 
probably just some hacker with a tool who's looking for vulnerabilities? Or 
is this just nonsense/junk?

Received From: tron->/var/log/httpd/access_log
Rule: 31515 fired (level 6) -> "PHPMyAdmin scans (looking for setup.php)."
Portion of the log(s):

178.33.154.144 - - [24/Jul/2015:11:55:15 +0200] "GET 
/phpMyAdmin/scripts/setup.php HTTP/1.1" 403 309 "-" "-"

Also this:
Received From: tron->/var/log/httpd/access_log
Rule: 31101 fired (level 5) -> "Web server 400 error code."
Portion of the log(s):

202.137.235.243 - - [24/Jul/2015:07:34:11 +0200] "HEAD /ossec-wui/index.php 
HTTP/1.1" 401 - "-" "-"

I'm surprised they found out about it..... Glad I protected it with htaccess 
and they didn't come in. ;)

and lots of other requests that return HTTP 403 (forbidden) or 404 (not 
found)

I'm not quite sure what to make of it.
I didn't realise my server was so exposed.... Did they just find the IP by 
scanning for HTTP ports?!

Looking forward to some feedback,
theresa
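A small triage script for lines like the ones quoted above, added here as an example (it is not code from the post or from OSSEC): it parses Apache combined-format lines, tags absolute-URI requests (open-proxy probes), requests for admin-tool paths the site does not publish, and other 4xx responses, then counts tags per source host so a scanner stands out from ordinary visitors. The sample log and the PROBE_PATHS list are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in Apache "combined" format, modelled on the three requests
# quoted in the post plus one ordinary visit (203.0.113.5 is a documentation address).
SAMPLE_LOG = """\
115.239.228.8 - - [24/Jul/2015:19:22:42 +0200] "GET http://zc.qq.com/cgi-bin/common/attr?id=260714&r=0.7636925813952972 HTTP/1.1" 404 292 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; 360SE)"
178.33.154.144 - - [24/Jul/2015:11:55:15 +0200] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 403 309 "-" "-"
202.137.235.243 - - [24/Jul/2015:07:34:11 +0200] "HEAD /ossec-wui/index.php HTTP/1.1" 401 - "-" "-"
203.0.113.5 - - [24/Jul/2015:08:00:01 +0200] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

# host ident user [time] "method target protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

# Admin-tool paths this site does not publish (assumption: a starting list, not a full signature set).
PROBE_PATHS = ("/phpmyadmin/scripts/setup.php", "/ossec-wui/")

def classify(line):
    """Return (host, status, tag) for one access_log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target").lower()
    status = int(m.group("status"))
    if target.startswith(("http://", "https://")):
        tag = "proxy-probe"   # absolute URI: client is checking whether the server relays requests
    elif target.startswith(PROBE_PATHS):
        tag = "path-scan"     # a known tool path that is not part of the site
    elif 400 <= status < 500:
        tag = "client-error"  # other 4xx: count per host; one alone says little
    else:
        tag = "normal"
    return m.group("host"), status, tag

def summarize(log_text):
    """Count tags per source host so a scanner stands out from ordinary visitors."""
    per_host = {}
    for line in log_text.splitlines():
        parsed = classify(line)
        if parsed:
            host, _status, tag = parsed
            per_host.setdefault(host, Counter())[tag] += 1
    return per_host

if __name__ == "__main__":
    for host, counts in sorted(summarize(SAMPLE_LOG).items()):
        print(host, dict(counts))
```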
