Hello,
What does your /var/log/httpd/error_log say?
Have you done any penetration tests for your server?
I can do so if you want.

B/R
Ole J

-----Original message-----
From: AM [mailto:[EMAIL PROTECTED]
Sent: 9 March 2006 13:43
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] oversized httpd log files

Hello,
I have my CentOS 4.2 toaster in production for about 300 users.
Everything seems to be working fine except, when I tail my httpd
access_log, I see thousands (per day) of bots and third-party rejects
getting 404 errors.
When crond sends me my morning report it's in MB and growing.
We start with failed attempts to connect to mod_proxy
small example:
   172.179.95.251 -> steganos.asknet.de:443 : 2 Time(s)
   172.180.18.216 -> steganos.asknet.de:443 : 4 Time(s)
   172.181.3.40 -> steganos.asknet.de:443 : 2 Time(s)
   172.183.66.100 -> steganos.asknet.de:443 : 4 Time(s)
   172.186.0.222 -> steganos.asknet.de:443 : 4 Time(s)
   172.211.123.88 -> steganos.asknet.de:443 : 4 Time(s)
then the other attempts are logged... today we logged over 3300 attempts
another micro snippet:
  GET http://202.43.219.19/config/login?.patner=sbc&login=drichmond&passwd=duke&.save=1 HTTP/1.0 with response code(s) 2 404 responses
  GET http://209.73.177.65/config/login?.done=http://smallbusiness.yahoo.com/services/index.php&.src=sbs&login=lover_boy_99_ca&passwd=lisa HTTP/1.0 with response code(s) 2 404 responses
  GET http://us.a1.yimg.com/login.india.yahoo.com/config/login?login=iceman_____98_1&passwd=yahoo HTTP/1.0 with response code(s) 2 404 responses
  GET http://us.geo1.yimg.com/login.yahoo.com/config/login?login=kelsey___15&passwd=yahoo HTTP/1.0 with response code(s) 2 404 responses
  GET http://217.12.4.64/config?&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=Polykirl&passwd=pooh HTTP/1.0 with response code(s) 2 404 responses
  GET http://techslave.com/index.php/TechSlave_Security_News?disp=stats HTTP/1.1 with response code(s) 2 404 responses
 #########################################################
So I made sure that mod_proxy is commented out in the httpd.conf file and
httpd is restarted. Still my logs grow.
At one point I have seen the GET turn to WGET, which seems like a dangerous
call coming from the outside world.

Can someone explain to me what is happening and/or how to protect myself?
I feel like forwarding all my users and everybody else to /dev/null and
getting off the grid!


---------------------------------------------------------------------
     QmailToaster hosted by: VR Hosted <http://www.vr.org>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
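The log entries quoted above all share one shape: the request target is a full URL to some other host (or a CONNECT to host:port) rather than a local path, which is how a client talks to a forward proxy. Apache logs the request line as it was received, so these entries keep appearing in access_log whether or not mod_proxy is loaded; without proxying they simply fail with a 404 as shown. The following script is an added example, not code from either message in this thread, that reads Apache combined-format access_log lines and separates such proxy attempts from ordinary requests, grouping them by client IP and by the upstream host they tried to reach. The log lines embedded in it are constructed for the example (made-up addresses and hosts), and the function names are the author's own choices.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" log format (not taken from
# the original post; all addresses and hostnames are made up). The first
# four show the pattern described in the thread: the request target is an
# absolute URL or a CONNECT authority, i.e. a forward-proxy request.
SAMPLE_LOG = """\
203.0.113.10 - - [09/Mar/2006:13:41:02 +0100] "GET http://login.example.net/config/login?login=user1&passwd=hunter2 HTTP/1.0" 404 290 "-" "-"
203.0.113.10 - - [09/Mar/2006:13:41:03 +0100] "GET http://login.example.net/config/login?login=user2&passwd=qwerty HTTP/1.0" 404 290 "-" "-"
198.51.100.7 - - [09/Mar/2006:13:42:10 +0100] "CONNECT mail.example.org:443 HTTP/1.0" 405 0 "-" "-"
198.51.100.7 - - [09/Mar/2006:13:42:11 +0100] "GET http://198.51.100.99/index.php?disp=stats HTTP/1.1" 404 290 "-" "-"
192.0.2.55 - - [09/Mar/2006:13:43:00 +0100] "GET /webmail/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.55 - - [09/Mar/2006:13:43:01 +0100] "GET /webmail/style.css HTTP/1.1" 200 812 "http://toaster.example/webmail/" "Mozilla/5.0"
"""

# Client IP, ident, user, timestamp, quoted request line, status, size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_request(req):
    """Split the logged request line into (method, target, protocol).

    Returns None for malformed request lines (garbage, truncated writes).
    """
    parts = req.split()
    if len(parts) != 3:
        return None
    return tuple(parts)


def is_proxy_attempt(method, target):
    """True when the client is addressing us as a forward proxy.

    Either the method is CONNECT (target is host:port for tunnelling) or
    the target is an absolute http(s) URL instead of a local path.
    """
    if method.upper() == "CONNECT":
        return True
    parsed = urlsplit(target)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def summarize(log_text):
    """Count proxy attempts per client IP and collect the upstream hosts.

    Returns (Counter of attempts by IP, dict IP -> set of upstream hosts).
    Ordinary requests for local paths are ignored.
    """
    attempts = Counter()
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parsed = parse_request(m.group("req"))
        if parsed is None:
            continue
        method, target, _proto = parsed
        if not is_proxy_attempt(method, target):
            continue
        ip = m.group("ip")
        attempts[ip] += 1
        # CONNECT carries host:port directly; for GET etc. take the URL's host.
        host = target if method.upper() == "CONNECT" else urlsplit(target).netloc
        targets[ip].add(host)
    return attempts, targets


if __name__ == "__main__":
    counts, hosts = summarize(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} proxy attempt(s) -> {', '.join(sorted(hosts[ip]))}")
```

Run against a real access_log by replacing SAMPLE_LOG with the file contents; the per-IP counts give something concrete to feed a firewall rule, and the upstream-host set shows what the clients were trying to reach through the server. Disabling mod_proxy (or keeping ProxyRequests Off) stops the server from actually relaying these requests, but it does not stop clients from sending them or Apache from logging them, which is why the log kept growing after the change described in the post.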