Fedora Linux Support Community & Resources Center
  #1  
Old 1st July 2007, 01:57 AM
jms318 Offline
Registered User
 
Join Date: Jan 2007
Age: 34
Posts: 15
apache access logs

I'm learning Apache and have just begun to learn how to read its access logs.
Here is a log; I'm not sure what it means.
Code:
70.215.145.110 - - [30/Jun/2007:15:17:11 -0400] "SEARCH /\x90\xc9\xc9\xc9\........ ""  
and this continues for about 200 lines in the log file and ends with "" 414 326
Since this is not a GET command, is someone trying to gain control of the server or doing a password brute-force entry?
Just trying to figure out what is happening.

thanks,
Joe
  #2  
Old 1st July 2007, 05:02 AM
Zotter Offline
Registered User
 
Join Date: May 2004
Location: Central Wyoming
Posts: 640
Someone trying to crack into your server. It's pretty common and mostly ineffectual. Most of those kinds of attacks are targeted towards IIS servers. They simply bounce off Apache.

However, I do suggest taking a look at the RedHat documentation on securing your web server and explore mod_security for your purposes. Apache can be penetrated - but just not by IIS exploits.

https://www.redhat.com/docs/manuals/...ecurity_Guide/
__________________
If it ain't broken - you're not really trying....
Registered Linux user #227845
  #3  
Old 5th July 2007, 12:08 PM
barf Offline
Registered User
 
Join Date: Dec 2004
Location: UK
Age: 59
Posts: 274
A little additional info as you're starting out. 400-type response codes (like 414) mean your server rejected the request, the 326 is the size of the rejection message, and if you trawl through your httpd.conf file you will find a list of the response messages.
__________________
Stop making excuses, start making progress.
  #4  
Old 5th July 2007, 12:44 PM
glennzo Offline
Un-Retired Administrator
 
Join Date: Mar 2004
Location: Salem, Mass USA
Age: 57
Posts: 14,765
This is interesting and got my curiosity aroused, so I was looking at my access_log. There are loads of hits from one IP address, but it looks as though they're just looking at some pics I put up on the wiki. Same for a few other IPs. Makes sense, as I e-mailed a few relatives telling them to 'have a look at these photos'. But there are a few curious lines, like this:
207.46.98.47 - -"GET / HTTP/1.0" 301 - "-" msnbot/1.0 (+http://search.msn.com/msnbot.htm)"
and
207.46.98.47 - - "GET /robots.txt HTTP/1.0" 404 298 "-" "msnbot/1,0 (+http://search.msn..com/msnbot.htm"
I'm not familiar with what these logs should look like. Normal stuff or hand grenade time?

Edit: Interesting. In a terminal, the command tail -f /etc/httpd/logs/access_log gives me a real time look at the hits on the wiki. I'm using a second tab in Firefox on another computer and accessing the wiki, so I know that the ip address is my public ip. As I move around the wiki the log updates. Neat.
__________________
Glenn
The Bassinator © ®

Laptop: Just a couple of old single core units
Desktop: BioStar MCP6PB M2+ / AMD Phenom 9750 Quad Core / 4GB / Kingston HyperX 3K SSD 240GB SATA 3.0 / 1TB SATA / EVGA GeForce 8400 GS 1GB

Last edited by glennzo; 5th July 2007 at 01:00 PM.
  #5  
Old 5th July 2007, 01:41 PM
ibbo Offline
Registered User
 
Join Date: Jun 2005
Location: Leeds
Posts: 1,264
/\x90\xc9\xc9\xc9\

This is a common WebDAV IIS exploit. Thus if you're using Linux and Apache (which you are) you can laugh to yourself and state muppets.

You can use denyhosts or tcpwrappers to cut this offender's IP out of being responded to if it troubles you.

Ibbo
__________________
A Hangover Lasts A Day, But Our Drunken Memories Last A Lifetime
--
Linux user #349545
(GNU/Linux)iD8DBQBAzWjX+MZAIjBWXGURAmflAKCntuBbuKCWenpm XoA7LNydllVQOwCfdjyzXscddzQvlhBedAcD7qfKmHo==zx0H
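A triage sketch for the kind of log lines discussed in this thread, added here as an example and not posted by any participant: it flags requests with a method outside a small expected set, backslash-escaped bytes in the URI, or a 414 response, and counts them per client IP. The sample lines, the `EXPECTED_METHODS` set and the threshold of four escaped bytes are assumptions.

```python
import re
from collections import Counter

# Common Log Format prefix; the request field may contain backslash escapes.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# Methods a plain (non-WebDAV) site expects; an assumption, adjust per site.
EXPECTED_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}
# Apache writes non-printable request bytes to the log as \xhh.
ESCAPED_BYTE = re.compile(r'\\x[0-9a-fA-F]{2}')

def classify(line):
    """Return (ip, status, reasons) for one access-log line, or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # A rejected request may lack the protocol, so split defensively.
    parts = m.group("req").split(" ", 2)
    method = parts[0]
    target = parts[1] if len(parts) > 1 else ""
    status = int(m.group("status"))
    reasons = []
    if method not in EXPECTED_METHODS:
        reasons.append("unexpected method " + method)
    if len(ESCAPED_BYTE.findall(target)) >= 4:  # threshold is an assumption
        reasons.append("binary data in URI")
    if status == 414:
        reasons.append("rejected: URI too long")
    return m.group("ip"), status, reasons

def summarize(lines):
    """Count flagged requests per client IP."""
    hits = Counter()
    for line in lines:
        result = classify(line)
        if result and result[2]:
            hits[result[0]] += 1
    return hits

# Constructed sample lines (documentation IP ranges), not taken from a real log.
SAMPLE = [
    r'192.0.2.10 - - [30/Jun/2007:15:17:11 -0400] "SEARCH /\x90\xc9\xc9\xc9\xc9\xc9" 414 326',
    '198.51.100.7 - - [05/Jul/2007:12:40:02 -0400] "GET /robots.txt HTTP/1.0" 404 298 "-" "examplebot/1.0"',
    '198.51.100.7 - - [05/Jul/2007:12:40:03 -0400] "GET / HTTP/1.0" 301 - "-" "examplebot/1.0"',
]

if __name__ == "__main__":
    for ip, count in summarize(SAMPLE).items():
        print(ip, count)
```

A flagged line with a 4xx status, as in the first sample, was rejected by the server; the same flags on a 2xx response would deserve a closer look.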