I see some strange log activity...
Posted: Wed Feb 20, 2013 7:04 pm
by sepoto
77.238.208.29 - - [20/Feb/2013:05:54:44 -0800] "GET /cgi-bin/release-msg.cgi?id=%7cid%3b HTTP/1.0" 404 221
66.193.171.236 - - [20/Feb/2013:10:20:20 -0800] "GET /user/soapCaller.bs HTTP/1.1" 404 216
Could this be some kind of exploit?
Re: I see some strange log activity...
Posted: Wed Feb 20, 2013 7:17 pm
by Benjamin
Sure, but those files don't exist, so in this case a 404 error was sent.
Re: I see some strange log activity...
Posted: Wed Feb 20, 2013 7:22 pm
by sepoto
Thanks... I'll bear that in mind the next time I see something like those entries.
Re: I see some strange log activity...
Posted: Wed Feb 20, 2013 8:12 pm
by requinix
Google. First one is tied to a remote command execution exploit in a spam filtering product, second is apparently scanned by the Morfeus bot and "often associated with Drupal".
Re: I see some strange log activity...
Posted: Thu Feb 21, 2013 7:46 pm
by mecha_godzilla
Hi,
If you're using a Un*x server then it would be a good idea to install logwatch or something similar if you have the necessary privileges and want to keep an eye on what's going on - in most cases these HTTP requests will just give 404 responses (as requinix has suggested) because some script kiddie is running them and doesn't understand that the exploits included in a five year old Perl script they found on the 'Net yesterday might not work in 2013. If it becomes a *real* problem then you can always create some iptables rules - I was getting hundreds of "/w00tw00t"-style requests every day at one point so I added a rule that does nothing for 60 seconds and then drops the request. Remember, you can't stop people from trying to access your server but you can at least slow them down and make life difficult for them.
You should also make sure that any 3rd party applications you're currently running are up-to-date, because automated exploits can still be effective in this context - there are thousands of sites out there that run ancient versions of Joomla!/osCommerce/Actinic because the site owner doesn't have the money or inclination to pay a developer to update the software for them, which in itself is a fairly arduous task with some software.
If you haven't already done so and have a Un*x server, make sure you also have denyhosts installed.
That (unpaid-for) infomercial was brought to you today by logwatch, iptables and denyhosts, and also by the letters "P", "H", and "P"...
HTH,
Mecha Godzilla
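A small detection pass over entries like the two quoted at the top of the thread, added here as an example and not part of any post above: it parses Apache common-log lines, URL-decodes the query string so that `%7cid%3b` is seen as `|id;`, flags shell metacharacters and the soapCaller.bs probe path requinix mentions, and counts 404s per client IP (the kind of summary logwatch would produce). The third log line, the probe-path list and the metacharacter set are constructed assumptions, not taken from the thread.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in Apache common log format: the two lines from the
# thread plus one benign request (203.0.113.10 is a documentation address).
SAMPLE_LOG = """\
77.238.208.29 - - [20/Feb/2013:05:54:44 -0800] "GET /cgi-bin/release-msg.cgi?id=%7cid%3b HTTP/1.0" 404 221
66.193.171.236 - - [20/Feb/2013:10:20:20 -0800] "GET /user/soapCaller.bs HTTP/1.1" 404 216
203.0.113.10 - - [20/Feb/2013:11:02:07 -0800] "GET /index.php?page=about HTTP/1.1" 200 5120
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Assumed rules: shell metacharacters never belong in a CGI query parameter,
# and /user/soapCaller.bs is the scanner probe path named in the thread.
SHELL_META = set("|;`$&")
PROBE_PATHS = {"/user/soapCaller.bs"}

def parse_line(line):
    """Parse one common-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return the reasons a request looks like a probe (empty list if benign)."""
    reasons = []
    path, _, query = entry["target"].partition("?")
    decoded = unquote(query)  # e.g. "id=%7cid%3b" -> "id=|id;"
    if SHELL_META & set(decoded):
        reasons.append("shell metacharacters in query: %r" % decoded)
    if path in PROBE_PATHS:
        reasons.append("known scanner path %s" % path)
    return reasons

def scan(log_text):
    """Return (flagged entries as (ip, target, reasons), 404 count per client IP)."""
    flagged, not_found = [], Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip lines that are not in the expected format
        if entry["status"] == "404":
            not_found[entry["ip"]] += 1
        reasons = classify(entry)
        if reasons:
            flagged.append((entry["ip"], entry["target"], reasons))
    return flagged, not_found

if __name__ == "__main__":
    for ip, target, reasons in scan(SAMPLE_LOG)[0]:
        print(ip, target, "; ".join(reasons))
```

Point `scan()` at the contents of your own access log to get the same two-part report; a client with many 404s and no flagged reasons is still worth a look.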