194.102.94.245 - - [10/Oct/2009:03:45:00 -0600] "GET /tikiwiki/styles/geo/sct.txt HTTP/1.0" 302 340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"
217.23.143.149 - - [10/Oct/2009:16:06:31 -0600] "GET /tikiwiki/var/log/irc/www.nk.ca/chid.txt HTTP/1.0" 302 340 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.1)"
72.30.142.175 - - [10/Oct/2009:18:34:17 -0600] "GET /tikiwiki/as.php HTTP/1.0" 302 340 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)"
194.102.94.245 - - [10/Oct/2009:23:47:35 -0600] "GET /tikiwiki/styles/geo/spread.txt HTTP/1.0" 302 340 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.1)"
93.112.91.3 - - [11/Oct/2009:01:13:51 -0600] "GET /tikiwiki/styles/geo/id.txt HTTP/1.0" 302 340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"
194.102.94.245 - - [11/Oct/2009:23:24:01 -0600] "GET /tikiwiki/styles/geo/sct.txt HTTP/1.0" 302 340 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.8) Gecko Firefox/2.0"
195.214.79.22 - - [12/Oct/2009:06:11:00 -0600] "GET /tikiwiki/styles/geo/id.txt?? HTTP/1.0" 302 340 "-" "Mozilla/5.0 (compatible; en-US)"
93.112.91.3 - - [12/Oct/2009:08:22:18 -0600] "GET /tikiwiki/styles/geo/id.txt HTTP/1.0" 302 340 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98;)"
194.102.94.245 - - [12/Oct/2009:10:28:08 -0600] "GET /tikiwiki/styles/geo/spread.txt HTTP/1.0" 302 340 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98;)"
I do not have tikiwiki on the server.
What should I be looking for?
--
Member - Liberal International This is doc...@nl2k.ab.ca Ici doc...@nl2k.ab.ca
God, Queen and country! Never Satan President Republic! Beware AntiChrist rising!
http://twitter.com/rootnl2k http://www.myspace.com/502748630
For the latest World News go to http://www.cuttingedge.org/
On 2009-10-12, The Doctor <doc...@doctor.nl2k.ab.ca> wrote:
> I see this in my logs:
>
> 194.102.94.245 - - [10/Oct/2009:03:45:00 -0600] "GET /tikiwiki/styles/geo/sct.txt HTTP/1.0" 302 340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"
[snip]
> I do not have tikiwiki on the server.
Well, you may have *something* there--the 302 status code is often used
for a redirection. So your web server is configured to send a
redirection when asked for those URLs. If the web server didn't know
anything at all about it, it'd return a 404 status instead, so the 302
is definitely cause for some concern.
> What should I be looking for?
Look at your apache configuration, and look carefully at your
DocumentRoot to see if someone has put a /tikiwiki/ directory there, or
an .htaccess file at DocumentRoot. If you find these things, and you
or someone you know didn't put them there, you've been compromised.
(It may be something as harmless as a mistyped directive in your
httpd.conf file.) (This is all assuming Apache; for a different web
server do the comparable tasks in that environment.)
--keith
--
kkeller...@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information
> I see this in my logs:
>
> 194.102.94.245 - - [10/Oct/2009:03:45:00 -0600] "GET /tikiwiki/styles/geo/sct.txt HTTP/1.0" 302 340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"
> 217.23.143.149 - - [10/Oct/2009:16:06:31 -0600] "GET /tikiwiki/var/log/irc/www.nk.ca/chid.txt HTTP/1.0" 302 340 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.1)"
> 72.30.142.175 - - [10/Oct/2009:18:34:17 -0600] "GET /tikiwiki/as.php HTTP/1.0" 302 340 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)"
> 194.102.94.245 - - [10/Oct/2009:23:47:35 -0600] "GET /tikiwiki/styles/geo/spread.txt HTTP/1.0" 302 340 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.1)"
> 93.112.91.3 - - [11/Oct/2009:01:13:51 -0600] "GET /tikiwiki/styles/geo/id.txt HTTP/1.0" 302 340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"
> 194.102.94.245 - - [11/Oct/2009:23:24:01 -0600] "GET /tikiwiki/styles/geo/sct.txt HTTP/1.0" 302 340 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.8) Gecko Firefox/2.0"
> 195.214.79.22 - - [12/Oct/2009:06:11:00 -0600] "GET /tikiwiki/styles/geo/id.txt?? HTTP/1.0" 302 340 "-" "Mozilla/5.0 (compatible; en-US)"
> 93.112.91.3 - - [12/Oct/2009:08:22:18 -0600] "GET /tikiwiki/styles/geo/id.txt HTTP/1.0" 302 340 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98;)"
> 194.102.94.245 - - [12/Oct/2009:10:28:08 -0600] "GET /tikiwiki/styles/geo/spread.txt HTTP/1.0" 302 340 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98;)"
>
> I do not have tikiwiki on the server.
>
> What should I be looking for?
Could just be someone scanning for vulnerable tikiwiki installations.
If you don't have one, there may not be any concern at all.
I agree with the other response that the 302 should be looked into.
It not being a 404 response may be making scanners spend a little more
time digging around than they might otherwise.
--
Todd H.
http://www.toddh.net/
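To make the point Keith and Todd are both making concrete (a 302 for a path you do not serve deserves a look, a 404 is just scanner noise), here is an added triage script that is not from the thread. It parses Apache combined-format lines, skips top-level paths that really exist under DocumentRoot (the `served_dirs` set is something you supply), and reports both the non-404 answers for unknown paths and the probe volume per client. The sample input is constructed from the lines quoted above plus one legitimate hit.

```python
import re
from collections import Counter

# Apache "combined" format: client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample input: lines from the thread (user agents shortened) plus one real page hit.
SAMPLE_LOG = """\
194.102.94.245 - - [10/Oct/2009:03:45:00 -0600] "GET /tikiwiki/styles/geo/sct.txt HTTP/1.0" 302 340 "-" "Mozilla/4.0"
217.23.143.149 - - [10/Oct/2009:16:06:31 -0600] "GET /tikiwiki/var/log/irc/www.nk.ca/chid.txt HTTP/1.0" 302 340 "-" "Mozilla/4.0"
72.30.142.175 - - [10/Oct/2009:18:34:17 -0600] "GET /tikiwiki/as.php HTTP/1.0" 302 340 "-" "Mozilla/5.0"
93.112.91.3 - - [11/Oct/2009:01:13:51 -0600] "GET /tikiwiki/styles/geo/id.txt HTTP/1.0" 302 340 "-" "Mozilla/4.0"
194.102.94.245 - - [12/Oct/2009:10:28:08 -0600] "GET /tikiwiki/styles/geo/spread.txt HTTP/1.0" 302 340 "-" "Mozilla/4.0"
220.194.46.2 - - [16/Nov/2009:13:43:36 -0600] "GET /phpMyAdmin//scripts/setup.php HTTP/1.1" 404 227 "-" "-"
10.0.0.5 - - [12/Oct/2009:11:00:00 -0600] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

def parse(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def top_dir(path):
    """First path component with any query string dropped: '/tikiwiki/a/b.txt??' -> 'tikiwiki'."""
    return path.split("?", 1)[0].strip("/").split("/", 1)[0]

def triage(log_text, served_dirs):
    """served_dirs: top-level names that actually exist under DocumentRoot (assumed, supplied by you).
    Returns (suspicious, probes_by_ip): unknown paths answered with anything but 404,
    and how many unknown-path requests each client made."""
    suspicious = []
    probes_by_ip = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or top_dir(rec["path"]) in served_dirs:
            continue
        probes_by_ip[rec["ip"]] += 1
        if rec["status"] != "404":
            # A 302/200 for something you do not host: check DocumentRoot, .htaccess and httpd.conf.
            suspicious.append((rec["ip"], rec["path"], rec["status"]))
    return suspicious, probes_by_ip

if __name__ == "__main__":
    hits, probes = triage(SAMPLE_LOG, {"index.html"})
    for ip, path, status in hits:
        print(f"LOOK INTO: {ip} got {status} for {path}")
    for ip, n in probes.most_common():
        print(f"{ip}: {n} probe(s) for paths you do not serve")
```

Run it against your real access.log by reading the file into `log_text`; the 404-only clients are the ordinary scanning Todd describes, the rest are what Keith wants you to explain.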
Yes this is Apache. Still no tikiwiki subdir.
You won't find it in the apache manuals. You should first try sending
the same request through your server and see if you get a redirect,
and if yes, figure out why. If not, and if those redirects keep
showing up in your logs, then put some more instrumentation into
apache to see what the actual incoming requests are.
Okay, but not having the subdirectory doesn't mean there's no problem.
You need to check your Apache configuration (and look for an .htaccess
file, as I mentioned, in DocumentRoot), and in general need to figure
out *why* Apache is sending out a redirect.
As another poster noted, the Apache manual won't really help you here--
you know what 302 is, you need to know what's causing Apache to return
it. If you can't find out, I really think you should wipe the box and
restore from backups, making sure the new configuration isn't repeating
the same behavior. The 302 in and of itself isn't really harmful, but
the fact that someone may have control of your webserver is.
Even if those URLs are not valid on your server, any chance there are
links to these resources, e.g. from
http://www.nk.ca/usage/usage_200810.phtml?
--
Klaus Johannes Rusch
Klaus...@atmedia.net
http://www.atmedia.net/KlausRusch/
These are robots that are scanning your Server. If you are using Apache, and I believe you are, then your IP is letting them into your computer.
This is the access.log on my system. These should not be getting through.
You are going to need to edit your httpd.conf file to read from the lmhost file and change the IP address that it is using so it is not reading a mymachine.com like IP. Because the server is mapped to your IP the whois servers are able to find it.
122.227.164.96 - - [16/Nov/2009:13:09:01 -0600] "GET http://proxyjudge1.proxyfire.net/fastenv HTTP/1.1" 404 205
220.194.46.2 - - [16/Nov/2009:13:43:36 -0600] "GET /phpMyAdmin//scripts/setup.php HTTP/1.1" 404 227
217.79.182.245 - - [16/Nov/2009:18:57:02 -0600] "GET /roundcube/README HTTP/1.1" 404 214
217.79.182.245 - - [16/Nov/2009:18:57:02 -0600] "GET /webmail/README HTTP/1.1" 404 212
217.79.182.245 - - [16/Nov/2009:18:57:02 -0600] "GET /mail/README HTTP/1.1" 404 209
217.79.182.245 - - [16/Nov/2009:18:57:03 -0600] "GET /README HTTP/1.1" 404 204
122.227.164.96 - - [16/Nov/2009:20:43:15 -0600] "GET http://proxyjudge1.proxyfire.net/fastenv HTTP/1.1" 404 205
61.160.216.63 - - [16/Nov/2009:22:09:02 -0600] "GET http://www.wantsfly.com/prx2.php?hash=9CDF3AE8476B0849433C7012005099A52FA2F341AC6D HTTP/1.0" 404 206
122.227.164.96 - - [16/Nov/2009:23:31:03 -0600] "GET http://proxyjudge1.proxyfire.net/fastenv HTTP/1.1" 404 205
Next if you see this in your error.log:
[Sun Nov 15 22:33:28 2009] [warn] (OS 121)The semaphore timeout period has expired. : winnt_accept: Asynchronous AcceptEx failed.
[Sun Nov 15 23:58:27 2009] [warn] (OS 121)The semaphore timeout period has expired. : winnt_accept: Asynchronous AcceptEx failed.
then you need to add this to your httpd.conf file
EnableSendfile off
Win32DisableAcceptEx
Next write a robot.txt file and put it in the root of the server. It looks like this:
User-agent:*
Disallow: /
If you need to, add the real name of the robot where the * is, but this is supposed to cover them all.
Next, if you see these in your error.log then there are some bots trying to get into your server for passwords and configuration files:
[Mon Nov 16 00:46:07 2009] [error] [client 220.194.46.2] File does not exist: C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/scripts
[Mon Nov 16 00:46:08 2009] [error] [client 220.194.46.2] File does not exist: C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/scripts
[Mon Nov 16 00:46:10 2009] [error] [client 220.194.46.2] File does not exist: C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/sql
[Mon Nov 16 00:46:11 2009] [error] [client 220.194.46.2] File does not exist: C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/mysql
They are up to no good.
But I think the best way to solve all of this is to configure the httpd.conf file to read from the lmhosts file with the local host as 127.0.0.1 windows server file.
67.60.112.18 - - [17/Nov/2009:00:42:58 -0600] "GET /manual/ HTTP/1.1" 304 -
Not from the IP address which is assigned by the DHCP, and you should see that these messages are gone. Look at the above. That is my IP Address of my ISP.
This IP, when it tries to get files, gets this message:
217.79.182.245 - - [16/Nov/2009:18:57:03 -0600] "GET /README HTTP/1.1" 404 204
which means it is not able to find the file.
Look at this next line:
61.160.216.63 - - [16/Nov/2009:22:09:02 -0600] "GET http://www.wantsfly.com/prx2.php?hash=9CDF3AE8476B0849433C7012005099A52FA2F341AC6D HTTP/1.0" 404 206
Do a bing run on the 194.102.94.245 IP address which you supplied and you will see that it brings up a reference to this page. That's a google bot.
Doing it this way will stop this:
Next add this to the httpd.conf file:
Order allow,deny
Allow from [use here the client that you want to access the htdocs folder]
[Tue Nov 17 08:40:26 2009] [error] [client 61.160.216.63] client denied by server configuration: C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/prx2.php
61.160.216.63 - - [17/Nov/2009:08:40:26 -0600] "GET http://www.wantsfly.com/prx2.php?hash=9CDF3AE8476B0849433C7012005099A52FA2F341AC6D HTTP/1.0" 403 210
I had deleted the other logs, and once I had finished this it worked to stop the scan of the clients that were hitting the server.