I see some strange log activity...

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

sepoto
Forum Newbie
Posts: 2
Joined: Wed Feb 20, 2013 7:01 pm

I see some strange log activity...

Post by sepoto »


77.238.208.29 - - [20/Feb/2013:05:54:44 -0800] "GET /cgi-bin/release-msg.cgi?id=%7cid%3b HTTP/1.0" 404 221
66.193.171.236 - - [20/Feb/2013:10:20:20 -0800] "GET /user/soapCaller.bs HTTP/1.1" 404 216
Could this be some kind of exploit?
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: I see some strange log activity...

Post by Benjamin »

Sure, but those files don't exist, so in this case a 404 error was sent.
sepoto
Forum Newbie
Posts: 2
Joined: Wed Feb 20, 2013 7:01 pm

Re: I see some strange log activity...

Post by sepoto »

Thanks... I'll bear that in mind the next time I see something like those entries.
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: I see some strange log activity...

Post by requinix »

Google. First one is tied to a remote command execution exploit in a spam filtering product, second is apparently scanned by the Morfeus bot and "often associated with Drupal".
mecha_godzilla
Forum Contributor
Posts: 375
Joined: Wed Apr 14, 2010 4:45 pm
Location: UK

Re: I see some strange log activity...

Post by mecha_godzilla »

Hi,

If you're using a Un*x server then it would be a good idea to install logwatch or something similar if you have the necessary privileges and want to keep an eye on what's going on - in most cases these HTTP requests will just give 404 responses (as requinix has suggested) because some script kiddie is running them and doesn't understand that the exploits included in a five year old Perl script they found on the 'Net yesterday might not work in 2013. If it becomes a *real* problem then you can always create some iptables rules - I was getting hundreds of "/w00tw00t"-style requests every day at one point so I added a rule that does nothing for 60 seconds and then drops the request. Remember, you can't stop people from trying to access your server but you can at least slow them down and make life difficult for them.

You should also make sure that any 3rd-party applications you're currently running are up to date, because automated exploits can still be effective in this context - there are thousands of sites out there that run ancient versions of Joomla!/osCommerce/Actinic because the site owner doesn't have the money or inclination to pay a developer to update the software for them, which in itself is a fairly arduous task with some software.

If you haven't already done so and have a Un*x server, make sure you also have denyhosts installed.

That (unpaid-for) infomercial was brought to you today by logwatch, iptables and denyhosts, and also by the letters "P", "H", and "P"... :mrgreen:

HTH,

Mecha Godzilla
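Pulling the thread's two points together, requinix's identification of the two requests as known scanner probes and Mecha Godzilla's suggestion of watching the log and blocking noisy hosts, here is an added example (not code from the thread or from any of the posters) that does the checks a practitioner would actually want over an Apache access log. It URL-decodes the request so `%7cid%3b` is inspected as `|id;`, flags shell metacharacters in a CGI query string and paths that appear in scanner wordlists, separates the probes that were answered with a 404 (harmless, as Benjamin says) from any probe that got a 2xx/3xx (the file exists and needs looking at), and counts error responses per client IP to produce block candidates for a firewall or denyhosts-style tool. The log lines are constructed: the first two mirror sepoto's entries, the rest are made up on documentation IP ranges. The scanner-path list and the threshold of three errors per IP are illustrative assumptions.

```python
"""Triage probe traffic in an Apache access log.

Added example, not code from the forum thread. SAMPLE_LOG is constructed;
SCANNER_PATHS and the per-IP threshold are illustrative assumptions.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Apache "common" log format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Shell metacharacters that should never appear in a CGI query string.
# The first log line decodes to "id=|id;" - a pipe and a semicolon.
SHELL_META = re.compile(r'[|;`$&]')

# Path prefixes seen in scanner wordlists (assumption: short illustrative list).
SCANNER_PATHS = (
    "/cgi-bin/release-msg.cgi",
    "/user/soapCaller.bs",
    "/w00tw00t",
    "/phpmyadmin",
)

# Constructed sample: first two lines mirror the original post.
SAMPLE_LOG = """\
77.238.208.29 - - [20/Feb/2013:05:54:44 -0800] "GET /cgi-bin/release-msg.cgi?id=%7cid%3b HTTP/1.0" 404 221
66.193.171.236 - - [20/Feb/2013:10:20:20 -0800] "GET /user/soapCaller.bs HTTP/1.1" 404 216
198.51.100.7 - - [20/Feb/2013:11:00:01 -0800] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 0
198.51.100.7 - - [20/Feb/2013:11:00:02 -0800] "GET /phpmyadmin/ HTTP/1.1" 404 210
198.51.100.7 - - [20/Feb/2013:11:00:03 -0800] "GET /pma/ HTTP/1.1" 404 205
203.0.113.5 - - [20/Feb/2013:11:30:00 -0800] "GET /cgi-bin/release-msg.cgi?id=%7cid%3b HTTP/1.0" 200 45
192.0.2.10 - - [20/Feb/2013:12:15:00 -0800] "GET /index.php HTTP/1.1" 200 5120
"""


def parse_line(line):
    """Parse one common-format log line; return a dict or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Decode %XX escapes so encoded metacharacters are inspected as-is.
    rec["decoded"] = unquote(rec["path"])
    return rec


def classify(rec):
    """Return the reasons a request looks like a probe (empty list if none)."""
    reasons = []
    path, _, query = rec["decoded"].partition("?")
    if any(path.startswith(p) for p in SCANNER_PATHS):
        reasons.append("scanner-path")
    if query and SHELL_META.search(query):
        reasons.append("shell-metachar")
    return reasons


def analyse(log_text, threshold=3):
    """Return (flagged, succeeded, block_candidates).

    flagged:          every probe-like request as (ip, decoded request, status, reasons)
    succeeded:        probes answered with a non-error status - the target exists
    block_candidates: IPs with at least `threshold` 4xx/5xx responses, in sorted order
    """
    flagged, succeeded = [], []
    errors_per_ip = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            flagged.append((rec["ip"], rec["decoded"], rec["status"], reasons))
            if rec["status"] < 400:
                succeeded.append((rec["ip"], rec["decoded"], rec["status"]))
        if rec["status"] >= 400:
            errors_per_ip[rec["ip"]] += 1
    block_candidates = sorted(ip for ip, n in errors_per_ip.items() if n >= threshold)
    return flagged, succeeded, block_candidates


if __name__ == "__main__":
    flagged, succeeded, blocks = analyse(SAMPLE_LOG)
    for ip, req, status, reasons in flagged:
        print(f"probe  {ip:<15} {status} {req}  [{', '.join(reasons)}]")
    for ip, req, status in succeeded:
        print(f"ALERT  {ip:<15} probe answered {status}: {req}")
    print("block candidates:", ", ".join(blocks) or "none")
```

The `succeeded` list is the one to act on: a 404 to `/user/soapCaller.bs` is background noise, but a 200 to the same path means the scanner found what it was looking for. The `block_candidates` output is what you would feed to an iptables rule or a denyhosts/fail2ban-style blocker; keep the threshold high enough that a user with a broken bookmark doesn't lock themselves out.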