On 11/01/2011 04:06 PM, Alex wrote:
> Hi,
>
> I thought someone might be familiar with apache and expected behavior
> to know whether the access_log entries below are attack attempts, or
> something less alarming. I'm seeing repeated entries like these from a
> handful of IP addresses at a time, all with 404 errors using "POST
> /index.php":
>
> 222.186.24.108 - - [01/Nov/2011:16:56:29 -0400] "POST /index.php
> HTTP/1.1" 404 7168 "http://www.example.com/index.php" "Mozilla/5.0
> (Windows NT 6.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2" 31508 7609
> 222.186.24.108 - - [01/Nov/2011:16:56:46 -0400] "POST /index.php
> HTTP/1.1" 404 7169 "http://www.example.com/index.php" "Mozilla/5.0
> (Windows NT 6.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2" 85912 7610
>
> Is this a known exploit attempt? The server has been responding
> slowly, and I believe this is partly the cause.
>
> How can I troubleshoot this further?
>
> Thanks,
> Alex

I've installed OSSEC and set a rule that drops an IP address for 30 minutes after 10 404s in a reasonably short time.

--
-- Steve
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
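
The thresholding described in the reply above, sketched as an added example that is not part of the original thread and is not OSSEC's own rule or code: it parses Apache access_log lines like the ones quoted and reports which client addresses would be dropped for 30 minutes after 10 404s. The 120-second window is an assumption standing in for "a reasonably short time", and the function names and sample log lines are constructed for this illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache log prefix: client, identd, user, [time], "request", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) ')
THRESHOLD = 10                     # 404s before blocking (from the reply)
WINDOW = timedelta(seconds=120)    # assumption for "reasonably short time"
BLOCK_FOR = timedelta(minutes=30)  # block duration (from the reply)

def parse(line):
    """Return (ip, timestamp, status), or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts, int(m.group(4))

def find_blocks(lines):
    """Return [(ip, block_start, block_end)] for IPs that cross THRESHOLD."""
    recent = defaultdict(deque)    # ip -> timestamps of 404s inside WINDOW
    blocked_until, blocks = {}, []
    for line in lines:
        rec = parse(line)
        if rec is None or rec[2] != 404:
            continue
        ip, ts, _ = rec
        if ts < blocked_until.get(ip, ts):
            continue               # already dropped during this interval
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:  # expire 404s older than the window
            q.popleft()
        if len(q) >= THRESHOLD:
            blocked_until[ip] = ts + BLOCK_FOR
            blocks.append((ip, ts, ts + BLOCK_FOR))
            q.clear()
    return blocks

def make_sample():
    """Constructed input: 12 rapid 404s from one address, 5 slow from another."""
    fmt = '{} - - [{}] "POST /index.php HTTP/1.1" 404 7168 "-" "constructed"'
    base = datetime(2011, 11, 1, 16, 56, 0, tzinfo=timezone(timedelta(hours=-4)))
    stamp = lambda s: (base + timedelta(seconds=s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    fast = [fmt.format("203.0.113.7", stamp(5 * i)) for i in range(12)]
    slow = [fmt.format("198.51.100.9", stamp(60 * i)) for i in range(5)]
    return fast + slow

if __name__ == "__main__":
    for ip, start, end in find_blocks(make_sample()):
        print(f"block {ip} from {start.isoformat()} until {end.isoformat()}")
```

The two entries quoted in the question are 17 seconds apart, so a client sustaining that rate would reach 10 404s only after about 153 seconds and would not trip the assumed 120-second window; the window has to be sized against the request rate actually seen in the log.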