
My Apache's access_log file. What does this mean?


mhykhh
19th April 2005, 11:44 AM
I checked my log files and I'm kinda surprised and confused about some entries in my access_log file.


213.133.101.206 - - [19/Apr/2005:17:34:57 +0800] "GET //cgi-bin/awstats/awstats.pl \"w;wget\" HTTP/1.1" 404 380
213.133.101.206 - - [19/Apr/2005:17:34:57 +0800] "GET //cgi-bin/awstats.pl \"w;wget\" HTTP/1.1" 404 372
213.133.101.206 - - [19/Apr/2005:17:34:58 +0800] "GET //cgi/awstats.pl \"w;wget\" HTTP/1.1" 404 368
213.133.101.206 - - [19/Apr/2005:17:34:59 +0800] "GET //cgi/awstats/awstats.pl \"w;wget\" HTTP/1.1" 404 376
213.133.101.206 - - [19/Apr/2005:17:34:59 +0800] "GET //awstats/awstats.pl \"w;wget\" HTTP/1.1" 404 372
213.133.101.206 - - [19/Apr/2005:17:35:03 +0800] "GET //awstats.pl \"w;wget\" HTTP/1.1" 404 364
213.133.101.206 - - [19/Apr/2005:17:35:04 +0800] "GET //stats/awstats.pl HTTP/1.1" 404 370
213.133.101.206 - - [19/Apr/2005:17:35:05 +0800] "GET //cgi-bin/stats/awstats.pl HTTP/1.1" 404 378
213.133.101.206 - - [19/Apr/2005:17:35:05 +0800] "GET //cgi/stats/awstats.pl HTTP/1.1" 404 374
213.133.101.206 - - [19/Apr/2005:17:35:06 +0800] "GET / HTTP/1.1" 200 26051


Does it look like a hacking attempt? Just curious.

I think the user is trying to guess my directory structure or something by trying to access awstats. FYI, I kinda broadcast my IP here yesterday trying to solve some problems. My IP is dynamic so I thought it wouldn't be an issue, but it turns out that someone tried to get access when I forgot to forcefully change my IP.

AndyGreen
19th April 2005, 11:46 AM
Yeah, a script is looking to see if you have the awstats package installed in a likely location. If you did, it would then run known old attacks against it to try to take over your machine.

No awstats, no worries.
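One way to spot this kind of probe in access_log automatically, as an added example that is not part of the thread: the parser and detector below are my own, the sample lines are constructed (modelled on the entries quoted above), and a client is flagged when it requests awstats.pl or sends a burst of 404s while guessing paths.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache common log format, modelled on the entries quoted in the thread
SAMPLE_LOG = r"""213.133.101.206 - - [19/Apr/2005:17:34:57 +0800] "GET //cgi-bin/awstats/awstats.pl \"w;wget\" HTTP/1.1" 404 380
213.133.101.206 - - [19/Apr/2005:17:34:58 +0800] "GET //cgi/awstats.pl \"w;wget\" HTTP/1.1" 404 368
213.133.101.206 - - [19/Apr/2005:17:35:04 +0800] "GET //stats/awstats.pl HTTP/1.1" 404 370
213.133.101.206 - - [19/Apr/2005:17:35:06 +0800] "GET / HTTP/1.1" 200 26051
10.0.0.5 - - [19/Apr/2005:17:40:00 +0800] "GET /index.html HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>.*)" (?P<status>\d{3}) (?P<size>\d+|-)$')
AWSTATS_RE = re.compile(r"awstats\.pl", re.IGNORECASE)
SHELL_META_RE = re.compile(r"[;|`]")  # shell metacharacters in a request line, as in the "w;wget" entries

def parse_line(line):
    """Parse one common-log-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_scanners(log_text, min_404=3, window_s=60):
    """Return {ip: summary} for clients whose requests look like an automated awstats probe."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    hits = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        probes = [r for r in recs if AWSTATS_RE.search(r["req"])]
        injected = [r for r in probes if SHELL_META_RE.search(r["req"])]
        not_found = [r for r in recs if r["status"] == 404]
        # A burst of 404s (min_404 of them within window_s seconds) is the path-guessing pattern
        burst = any(
            (not_found[i + min_404 - 1]["ts"] - not_found[i]["ts"]).total_seconds() <= window_s
            for i in range(len(not_found) - min_404 + 1)
        )
        if probes or burst:
            hits[ip] = {"awstats_probes": len(probes), "shell_meta": len(injected),
                        "burst_404": burst, "total": len(recs)}
    return hits
```

Feed it the real access_log contents instead of SAMPLE_LOG to get a per-IP summary you can paste into an abuse report.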

mhykhh
19th April 2005, 11:48 AM

oh hey, you again :P

Thanks for all your help AndyGreen.

And I assume that it's not his real IP, unless he's a stupid trying-hard hacker :D
*EDIT* Hmm... That is his IP... I tried http://213.133.101.206/ and a page comes up.

AndyGreen
19th April 2005, 11:58 AM
No, it seems to be a Linux box at a cheapo hosting company. Someone either purchased it with stolen card details and uses it for hacks, or it has been 0wned, or it is some stupid kid.

I would copy the log to abuse@hetzner.de

AndyGreen
19th April 2005, 11:59 AM
BTW... if you see an IP from a TCP connection in your logs, it is ALWAYS real (at least until the next amazing hack comes out). The way TCP connections work, the originator of the connection is required to pass back a token it is given. A faker doesn't get the token to give it back.

mhykhh
19th April 2005, 12:03 PM
Well, on my firestarter log, there are entries saying that someone has been using/trying to connect to my ssh port. Thanks again man.

AndyGreen
19th April 2005, 12:11 PM
That's another automated scripted "attack" using common logins like "test" and passwords like "password". On my server I moved sshd away from port 22 to make it tough for more evolved future versions of that script to get anywhere on my box.

mhykhh
19th April 2005, 01:12 PM
Why the hell are they doing that anyway? I got nothing to hide. LOL

AndyGreen
19th April 2005, 01:14 PM
Nothing to hide? Then add a user "test" with password "password"! ;-) Maybe they will come in and fix some things on your server, add some new Desktop Backgrounds ;-)

mhykhh
19th April 2005, 01:19 PM
Haha. Mess up my server, eh. I get it. lol

w5set
19th April 2005, 01:38 PM
Naaahhhh--usually it is just really helpful people that would like to help you by remote admining your website and are too shy to ask directly. :rolleyes:

mhykhh
19th April 2005, 01:49 PM
ROFL.... funny...

mhykhh
19th April 2005, 01:51 PM
Now that would be really helpful. ROFL

VStrider
19th April 2005, 07:10 PM
What they usually do is find servers with plenty of bandwidth and use them for warez transfers under your nose.

BTW you might be interested in reading this (http://www.securityfocus.com/archive/75/393292). Same attack, and the script kiddie explains to the sysadmin how he did it. lol :D

mhykhh
19th April 2005, 07:31 PM
Wow... interesting article. I didn't know that it was a known exploit and that a hacker can make your box connect to his box. Hmm... I'm now thinking twice about my outbound connections.