apache access logs

jms318 · #1 1st July 2007, 01:57 AM

I'm learning apache and have just begun to learn how to read its access logs.
here is a log I'm not sure what it means?

Code:

70.215.145.110 - - [30/Jun/2007:15:17:11 -0400] "SEARCH /\x90\xc9\xc9\xc9\........ ""  
and this continues for about 200 lines in  the log file and ends with"" 414 326

since this is not a get command is someone trying to gain control of the server or doing a password brut force entry?
just trying to figure out what is happening.

thanks,
Joe

Zotter · #2 1st July 2007, 05:02 AM

Someone trying to crack into your server. It's pretty common and mostly ineffectual. Most of those kinds of attacks are targeted towards IIS servers. They simply bounce off Apache.

However, I do suggest taking a look at the RedHat documentation on securing your web server and explore mod_security for your purposes. Apache can be penetrated - but just not by IIS exploits.

https://www.redhat.com/docs/manuals/...ecurity_Guide/

barf · #3 5th July 2007, 12:08 PM

A little additional info as your starting out. 400 type reponse codes (like 414) mean your server rejected the request, the 326 is the size of the rejection message and if you trawl through your httpd.conf file you will find a list of the repsonse messages.

***glennzo*** · #4 5th July 2007, 12:44 PM

This is interesting and got my curiosity aroused so I was looking at my access_log. There's loads of hits from 1 ip address, but it looks as thought they're just looking at some pics I put up on the wiki. Same for a few other ip's. Makes sense as I e-mailed a few relatives telling them to 'have a look at these photos'. But there are a few curious lines, like this:
207.46.98.47 - -"GET / HTTP/1.0" 301 - "-" msnbot/1.0 (+http://search.msn.com/msnbot.htm)"
and
207.46.98.47 - - "GET /robots.txt HTTP/1.0" 404 298 "-" "msnbot/1,0 (+http://search.msn..com/msnbot.htm"
I'm not familiar with what these logs should look like. Normal stuff or hand grenade time?

Edit: Interesting. In a terminal, the command tail -f /etc/httpd/logs/access_log gives me a real time look at the hits on the wiki. I'm using a second tab in Firefox on another computer and accessing the wiki, so I know that the ip address is my public ip. As I move around the wiki the log updates. Neat.

ibbo · #5 5th July 2007, 01:41 PM

/\x90\xc9\xc9\xc9\

This is a common webdav IIS exploit. Thus if your using linux and apache (which you are) you can laugh to yourself and state muppets.

You can use denyhosts or tcpwrappers to cut this offenders IP out of been responded to if it troubles you.

Ibbo