NetAdminTools.com
 
Monitor Default Web Logs
Topic: Security   Date: 2006-03-25

Most web sites are name-based virtual hosts on the server side. That is, requests for netadmintools.com are logged to a different file than requests made to the bare IP address. In Apache, the first entry in the VirtualHost section of httpd.conf is where requests without a matching name go. Put a very simple page at this address. Don't make anything available here that could be vulnerable; as a general rule, don't put any PHP here. Look through the logs for the default address to see what the bot armies are looking for. Here is a compromised machine, searching for something to invade, that hit one of our servers an hour ago:

$ grep 1.2.3.4 access_log
1.2.3.4 - - [25/Mar/2006:07:01:12 -0800] "GET /forum/ HTTP/1.1" 404 1178
"-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
1.2.3.4 - - [25/Mar/2006:07:01:12 -0800] "GET /phpBB/ HTTP/1.1" 404 1178
"-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
1.2.3.4 - - [25/Mar/2006:07:01:12 -0800] "GET / HTTP/1.1" 200 1178
"-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
1.2.3.4 - - [25/Mar/2006:07:01:12 -0800] "GET /forums/ HTTP/1.1" 404 1178
"-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
1.2.3.4 - - [25/Mar/2006:07:01:12 -0800] "GET /phpbb/ HTTP/1.1" 404 1178
"-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
1.2.3.4 - - [25/Mar/2006:07:01:12 -0800] "GET /board/ HTTP/1.1" 404 1178
"-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
1.2.3.4 - - [25/Mar/2006:07:01:12 -0800] "GET /boards/ HTTP/1.1" 404 1178
"-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
1.2.3.4 - - [25/Mar/2006:07:01:12 -0800] "GET /phpBB2/ HTTP/1.1" 404 1178
"-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
1.2.3.4 - - [25/Mar/2006:07:01:13 -0800] "GET /msgboard/ HTTP/1.1" 404 1178
"-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
1.2.3.4 - - [25/Mar/2006:07:01:13 -0800] "GET /foros/ HTTP/1.1" 404 1178
"-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
1.2.3.4 - - [25/Mar/2006:07:01:13 -0800] "GET /portal/ HTTP/1.1" 404 1178
"-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
[qtower@main logs]$ 

If one of these probes gets something besides a 404, pay attention: your site is being watched by a million hosts waiting for a flaw. Remember that, to ease installation, some packages install themselves across the entire web server, so /phpBB2/ will work on all domains, including the default.
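
One way to make that check routine, as an added example that is not part of the original article: it summarizes probes per client in the default host's access log and lists every probe that got something other than a 404. It assumes Apache's combined log format; the function names and the sample lines (including the 200 for /phpBB2/ and the 192.0.2.10 client) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes Apache "combined"
# log format: splitting a line on double quotes gives
#   $1 = ip - - [time]    $2 = METHOD path PROTO    $3 = status bytes

# probe_requests LOG: print "ip status path" for every request except the
# placeholder page "/" (a query string is ignored for that comparison).
probe_requests() {
    awk -F'"' '{
        split($1, pre, " "); split($2, req, " "); split($3, post, " ")
        page = req[2]; sub(/\?.*/, "", page)
        if (page != "/")
            print pre[1], (post[1] == "" ? "-" : post[1]), (req[2] == "" ? "-" : req[2])
    }' "$1"
}

# probes_by_client LOG: per client, count probes that missed (404) and
# probes the default host answered with any other status.
probes_by_client() {
    probe_requests "$1" | awk '
        { seen[$1] = 1; if ($2 == 404) miss[$1]++; else hit[$1]++ }
        END { for (ip in seen) printf "%s missed=%d answered=%d\n", ip, miss[ip], hit[ip] }
    ' | LC_ALL=C sort
}

# answered_probes LOG: the lines worth reading, "status ip path" for every
# probe that did not get a 404.
answered_probes() {
    probe_requests "$1" | awk '$2 != 404 { print $2, $1, $3 }'
}

# Constructed sample: lines in the format shown above, one hypothetical
# 200 for /phpBB2/, and a second client from a documentation address range.
sample_log() {
    cat <<'EOF'
1.2.3.4 - - [25/Mar/2006:07:01:12 -0800] "GET /forum/ HTTP/1.1" 404 1178 "-" "Mozilla/4.0 (compatible; MSIE 5.01)"
1.2.3.4 - - [25/Mar/2006:07:01:12 -0800] "GET /phpBB/ HTTP/1.1" 404 1178 "-" "Mozilla/4.0 (compatible; MSIE 5.01)"
1.2.3.4 - - [25/Mar/2006:07:01:12 -0800] "GET / HTTP/1.1" 200 1178 "-" "Mozilla/4.0 (compatible; MSIE 5.01)"
1.2.3.4 - - [25/Mar/2006:07:01:12 -0800] "GET /phpBB2/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 5.01)"
192.0.2.10 - - [25/Mar/2006:07:02:40 -0800] "GET /board/ HTTP/1.1" 404 1178 "-" "Mozilla/4.0 (compatible; MSIE 5.01)"
EOF
}

tmp=$(mktemp) && sample_log > "$tmp"
probes_by_client "$tmp"
answered_probes "$tmp"
rm -f "$tmp"
```

To use it on a real server, call the two functions with the path to the default host's access_log instead of the temporary sample file.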


Microsoft, Windows, Windows XP, Windows 2003, Windows 2000, and NT are either trademarks or registered trademarks of Microsoft Corporation. NetAdminTools.com is not affiliated with Microsoft Corporation. Linux is a registered trademark of Linus Torvalds, and refers to the Linux kernel. The operating system of most distributions that contain the Linux kernel is GNU/Linux. All logos and trademarks in this site are property of their respective owner. Copyright 1997-2011 NetAdminTools.com