Log Messages

Owning or managing a web server is not for the faint of heart.  All day, every day, people try to find ways to break in and steal information.  Most of the time they are the dumbest scum on the Internet and have no idea what they are doing.  Let's take a look at some logs to show examples!

Example 1: Pages Don’t Exist, Wrong Device, Wrong Everything

[Tue Apr 12 05:58:23 2011] [error] [client 41.206.79.214] (36)File name too long: access to /exploits/smb_new&acct=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&data1=test&data2=0 failed
[Tue Apr 12 05:58:24 2011] [error] [client 41.206.79.214] (36)File name too long: access to /exploits/smb_new&acct=a&data1=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&data2=0 failed
[Tue Apr 12 05:58:24 2011] [error] [client 41.206.79.214] (36)File name too long: access to /exploits/smb_new&acct=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&data1=test&data2=0 failed

So that shows up in our logs; let's see what's going on here.  First, who is it?  A quick GeoIP lookup puts the address in the Ivory Coast (source).  So what were they looking to exploit here?  Let's google the string:

smb_new&acct=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&data1=test&data2=0

Second link down: http://www.exploit-db.com/exploits/8187/.  So according to that exploit, the person was trying an exploit written for a NAS device.  Now, we'll give them some credit: the NAS adapter does run a web interface.  According to the banners this server returns, though, it is definitely not a NAS adapter.  It is also worth reading what the error itself says.  There is no "?" in the request, so Apache treats the whole "&acct=aaaa..." tail as part of the file path; the filesystem lookup fails with ENAMETOOLONG (errno 36 on Linux) and the request never reaches any application code.  The long run of "a"s is the classic shape of a buffer-overflow or denial-of-service probe.  Note that the error log records neither the HTTP method nor the protocol version; for those you have to look up the same timestamp in the access log.

Example 2: Proxy Check

These scans happen constantly: someone checking whether your server will act as an open proxy (definition).  For some reason they always try twice, too.  No idea why, but enjoy!  The first two lines below are from the error log; the rest are from the access log, which is where the tell-tale request lines are visible.  A request whose target is an absolute URL ("GET http://...") or a CONNECT to a host:port is a proxy-style request, which an ordinary web server should refuse.  The file name points at the freenode IRC network's open-proxy scanner, which checks the address an IRC client connects from (that is an inference from the name, not something the log proves).  The 404 and 405 responses here are the right answers; a 2xx would mean the server relayed the request.  On Apache this is governed by ProxyRequests, which should be Off (the default) unless you really do run a forward proxy.

[Tue Apr 12 16:04:35 2011] [error] [client 85.190.0.3] File does not exist: /freenode-proxy-checker.txt
[Tue Apr 12 16:04:35 2011] [error] [client 85.190.0.3] File does not exist: /freenode-proxy-checker.txt
85.190.0.3 - - [01/May/2011:13:00:38 -0400] "POST http://213.92.8.7:31204/ HTTP/1.0" 404 385 "-" "-"
85.190.0.3 - - [01/May/2011:13:00:38 -0400] "CONNECT 213.92.8.7:31204 HTTP/1.0" 405 451 "-" "-"
85.190.0.3 - - [01/May/2011:13:00:38 -0400] "GET http://vlad-tepes.bofh.it/freenode-proxy-checker.txt HTTP/1.0" 404 411 "-" "-"
85.190.0.3 - - [01/May/2011:13:00:38 -0400] "CONNECT 213.92.8.7:31204 HTTP/1.0" 405 451 "-" "-"
85.190.0.3 - - [01/May/2011:13:00:38 -0400] "POST http://vlad-tepes.bofh.it/freenode-proxy-checker.txt HTTP/1.0" 404 411 "-" "-"
85.190.0.3 - - [01/May/2011:13:00:38 -0400] "CONNECT 213.92.8.7:31204 HTTP/1.0" 405 451 "-" "-"
85.190.0.3 - - [01/May/2011:13:00:38 -0400] "GET http://vlad-tepes.bofh.it/freenode-proxy-checker.txt HTTP/1.0" 404 411 "-" "-"

Example 3: WebApp check

These scans also tend to be prevalent.  I enjoy these, though, since sometimes you will see a web app you don't recognize.  Often that means there is a new attack on that software, one that sometimes isn't public yet.

[Tue Apr 12 18:33:30 2011] [error] [client 82.135.156.169] File does not exist: /phpmyadmin
[Tue Apr 12 18:33:30 2011] [error] [client 82.135.156.169] File does not exist: /pma
[Tue Apr 12 18:33:31 2011] [error] [client 82.135.156.169] File does not exist: /admin
[Tue Apr 12 18:33:31 2011] [error] [client 82.135.156.169] File does not exist: /dbadmin
[Tue Apr 12 18:33:31 2011] [error] [client 82.135.156.169] File does not exist: /mysql
[Tue Apr 12 18:33:32 2011] [error] [client 82.135.156.169] File does not exist: /php-my-admin
[Tue Apr 12 18:33:32 2011] [error] [client 82.135.156.169] File does not exist: /myadmin
[Tue Apr 12 18:33:32 2011] [error] [client 82.135.156.169] File does not exist: /PHPMYADMIN
[Tue Apr 12 18:33:32 2011] [error] [client 82.135.156.169] File does not exist: /phpMyAdmin
[Tue Apr 12 18:33:33 2011] [error] [client 82.135.156.169] File does not exist: /config
[Tue Apr 12 18:33:33 2011] [error] [client 82.135.156.169] File does not exist: /phppgadmin
[Tue Apr 12 18:33:33 2011] [error] [client 82.135.156.169] File does not exist: /phpmyadmin2
[Tue Apr 12 18:33:33 2011] [error] [client 82.135.156.169] File does not exist: /phpMyAdmin2
[Tue Apr 12 18:33:34 2011] [error] [client 82.135.156.169] File does not exist: /mail
[Tue Apr 12 18:33:34 2011] [error] [client 82.135.156.169] File does not exist: /webmail
[Wed May 04 05:36:35 2011] [error] [client 123.30.109.21] File does not exist: /w00tw00t.at.blackhats.romanian.anti-sec:)
[Wed May 04 05:36:36 2011] [error] [client 123.30.109.21] File does not exist: /MyAdmin
[Wed May 04 05:36:36 2011] [error] [client 123.30.109.21] File does not exist: /phpmyadmin
[Wed May 04 05:38:06 2011] [error] [client 123.30.109.21] File does not exist: /w00tw00t.at.blackhats.romanian.anti-sec:)
[Wed May 04 05:38:07 2011] [error] [client 123.30.109.21] File does not exist: /MyAdmin
[Wed May 04 05:38:07 2011] [error] [client 123.30.109.21] File does not exist: /phpmyadmin

The w00tw00t scans are actually quite common, and as long as they show up as [error] entries or 404s, there is nothing to be afraid of.  This is simply some idiot running a scanner that tries well-known admin paths, and that person is more than likely scanning large chunks of the Internet the same way.  The check worth doing is the inverse one: grep the access log for those same paths and look for any response other than 404, and for follow-up requests from the same client after a hit.  Always remember to use a strong password, and don't leave phpMyAdmin or similar consoles reachable at a guessable path without additional authentication!

Definitely not the only one: http://ns2.idynatech.net/ormageddon.com/logs/access_log

Example 4: Hit it and Quit it

I love this one, as it is one request, and nothing more anywhere in my logs.

87.252.2.168 - - [01/May/2011:15:19:50 -0400] "GET /appConf.htm HTTP/1.1" 404 396 "-" "Python-urllib/2.5"

The first thing to note here is the user agent.  When a person visits a website, their browser tells the server what browser it is.  This can be spoofed (given falsely), but often is not.  In this case we have "Python-urllib/2.5", which means the request came from a Python program rather than a browser or one of the canned scanners above.  I would say this attacker is not your average run-of-the-mill script kiddie!  Next, we want to know what this appConf.htm page is and why they might be looking for it.  After a few Google searches we learn a few things: it seems to be a page served by an IP phone (the link is to a Polycom technical bulletin: http://support.polycom.com/global/documents/support/technical/products/voice/Digit_Map_Changes_TB11572.pdf), and several other people have seen exactly one request for that file.  Good to know we aren't the only ones!
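Pulling the four examples together, here is an added triage script (mine, not the blog's, and not from any tool mentioned on this page) that parses both Apache log formats shown above and applies the checks discussed.  For the access log it picks out proxy-style requests (absolute URL target or CONNECT) and reports whether any got a 2xx, the only outcome that would actually matter; for the error log it groups misses by client and flags a burst of missing files, a known scanner path such as w00tw00t, or an overlong path like the one in Example 1.  The sample lines are copied from this page, except the 198.51.100.7 and 10.0.0.5 entries and the shortened Example 1 line, which are constructed; the scanner signature list and the thresholds (5 misses in 60 seconds, 255-byte path) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Apache common/combined access-log format (Examples 2 and 4 on this page).
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
# Apache 2.2 error-log format (Examples 1 and 3); 2.4 inserts extra fields.
ERROR_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] (?P<msg>.*)$'
)
LONGNAME_RE = re.compile(r'^\(\d+\)File name too long: access to (?P<path>.*) failed$')
# Assumed substrings that identify mass admin-panel scanners (substring match, so a DocumentRoot prefix cannot hide them).
SCANNER_SIGS = ("w00tw00t", "phpmyadmin", "/pma", "myadmin", "phppgadmin")

def parse_access(line):
    """One access-log line -> dict, or None if it is not in the expected format."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def parse_error(line):
    """One Apache 2.2 error-log line -> dict, or None."""
    m = ERROR_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%a %b %d %H:%M:%S %Y")
    return rec

def proxy_probes(access_lines):
    """Example 2: proxy-style requests (absolute URL target or CONNECT) and whether we
    relayed them. A plain origin server answers 404/405; a 2xx means it is an open proxy."""
    probes = []
    for line in access_lines:
        rec = parse_access(line)
        if rec is None:
            continue
        if rec["method"] == "CONNECT" or rec["target"].lower().startswith(("http://", "https://")):
            probes.append({"client": rec["client"], "method": rec["method"],
                           "target": rec["target"], "status": rec["status"],
                           "relayed": 200 <= rec["status"] < 300})
    return probes

def error_path(msg):
    # Requested path from the two error messages seen on this page, else None.
    if msg.startswith("File does not exist: "):
        return msg[len("File does not exist: "):]
    m = LONGNAME_RE.match(msg)
    return m.group("path") if m else None

def find_scanners(error_lines, threshold=5, window_seconds=60, max_path=255):
    """Examples 1 and 3: flag clients with `threshold` misses inside `window_seconds`,
    a known scanner path, or a path over `max_path` bytes (Example 1's shape)."""
    misses = defaultdict(list)
    for line in error_lines:
        rec = parse_error(line)
        path = error_path(rec["msg"]) if rec else None
        if path is not None:
            misses[rec["client"]].append((rec["time"], path))
    flagged = {}
    for client, events in misses.items():
        events.sort()
        sigs = sorted({s for _, p in events for s in SCANNER_SIGS if s in p.lower()})
        if any(len(p) > max_path for _, p in events):
            sigs.append("overlong-path")
        burst = any((events[i + threshold - 1][0] - events[i][0]).total_seconds() <= window_seconds
                    for i in range(len(events) - threshold + 1))
        if burst or sigs:
            flagged[client] = {"misses": len(events), "burst": burst, "signatures": sigs}
    return flagged

SAMPLE_ACCESS = [  # lines quoted on this page, plus one constructed line marked below
    '85.190.0.3 - - [01/May/2011:13:00:38 -0400] "POST http://213.92.8.7:31204/ HTTP/1.0" 404 385 "-" "-"',
    '85.190.0.3 - - [01/May/2011:13:00:38 -0400] "CONNECT 213.92.8.7:31204 HTTP/1.0" 405 451 "-" "-"',
    '85.190.0.3 - - [01/May/2011:13:00:38 -0400] "GET http://vlad-tepes.bofh.it/freenode-proxy-checker.txt HTTP/1.0" 404 411 "-" "-"',
    '87.252.2.168 - - [01/May/2011:15:19:50 -0400] "GET /appConf.htm HTTP/1.1" 404 396 "-" "Python-urllib/2.5"',
    # constructed: what an open proxy would have logged for the same CONNECT probe
    '198.51.100.7 - - [01/May/2011:13:01:00 -0400] "CONNECT 213.92.8.7:31204 HTTP/1.0" 200 0 "-" "-"',
]
SAMPLE_ERROR = [  # lines quoted on this page, plus two constructed lines marked below
    "[Tue Apr 12 18:33:30 2011] [error] [client 82.135.156.169] File does not exist: /phpmyadmin",
    "[Tue Apr 12 18:33:30 2011] [error] [client 82.135.156.169] File does not exist: /pma",
    "[Tue Apr 12 18:33:31 2011] [error] [client 82.135.156.169] File does not exist: /admin",
    "[Tue Apr 12 18:33:31 2011] [error] [client 82.135.156.169] File does not exist: /dbadmin",
    "[Tue Apr 12 18:33:31 2011] [error] [client 82.135.156.169] File does not exist: /mysql",
    "[Wed May 04 05:36:35 2011] [error] [client 123.30.109.21] File does not exist: /w00tw00t.at.blackhats.romanian.anti-sec:)",
    "[Wed May 04 05:36:36 2011] [error] [client 123.30.109.21] File does not exist: /MyAdmin",
    # Example 1 line with the run of "a"s shortened to 600 bytes (constructed)
    "[Tue Apr 12 05:58:23 2011] [error] [client 41.206.79.214] (36)File name too long: "
    "access to /exploits/smb_new&acct=" + "a" * 600 + "&data1=test&data2=0 failed",
    # constructed: an ordinary browser missing a favicon, which must not be flagged
    "[Tue Apr 12 18:40:00 2011] [error] [client 10.0.0.5] File does not exist: /favicon.ico",
]

if __name__ == "__main__":
    print(proxy_probes(SAMPLE_ACCESS))
    print(find_scanners(SAMPLE_ERROR))
```

Against real logs, call proxy_probes(open("access_log")) and find_scanners(open("error_log")); lines that do not match the expected format are skipped, so a different LogFormat yields nothing rather than an error.  ERROR_RE matches the Apache 2.2 layout shown on this page; Apache 2.4 inserts module and pid fields after the timestamp and would need the regex adjusted.  The signature match is deliberately a substring test, since Apache normally logs the full filesystem path (DocumentRoot plus URI) in "File does not exist" messages.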

Image References: http://kneeslappers.net/content/owned/owned-script-kiddie.jpg
