On Wed, Apr 16, 2014 at 8:09 AM, Joydeep Bakshi <joydeep.bakshi@xxxxxxxxxxxxxx> wrote:
>
> Dear list,
>
> I have found a strange issue in a newly configured opensuse 13.1 server.
> This is a dedicated root server where ssh is running on a different port than
> the default and ssh root login is disabled.
>
> I have configured apache and also a few vhosts which are running well. I have
> also installed varnish for caching. All are running without any issue.
> Suddenly I find from apache access.log that some unknown sites are hosted
> from this server.
>
> tv-house.ru, world-hdtv.ru ... etc.... I am clueless.
> I have stopped apache, still those sites are active; uninstalled varnish,
> shut down the server, still those sites are active.
>
> After rebooting the server and activating apache, again the apache log
> shows requests to those domains actually coming to this server. I blocked the
> domains through iptables. Now the access log shows a lot of 408s:
>
> 147.45.64.140 - - [16/Apr/2014:11:26:44 +0200] "-" 408 - "-" "-"
> 176.8.100.50 - - [16/Apr/2014:11:26:59 +0200] "GET /tracker/scrape?info_hash=U%5C%01%04%94%C6%83JV%143eL%B4%FD%5D%AD%D5%5B%E9 HTTP/1.1" 500 1009 "-" "Zona 1.0.4.5;Windows 7;Java 1.6.0_38"
> 217.118.78.101 - - [16/Apr/2014:11:27:09 +0200] "-" 408 - "-" "-"
> 178.67.223.237 - - [16/Apr/2014:11:27:25 +0200] "GET /tracker/scrape?info_hash=%A78V98%CD%27%14%A9%5C%29U%9F%D6%04t%2F%80gX HTTP/1.1" 500 1009 "-" "Zona 1.0.4.5;Windows 7;Java 1.6.0_38"
> 194.107.23.1 - - [16/Apr/2014:11:27:28 +0200] "-" 408 - "-" "-"
> 178.89.208.29 - - [16/Apr/2014:11:27:31 +0200] "GET /tracker/scrape?info_hash=%E5%D0%15%7E%1D%C5%29%1B%BB%E8%C1M%B6%1E%ACA0%9D8%81 HTTP/1.1" 500 1009 "-" "Zona 1.0.4.5;Windows 7;Java 1.6.0_25"
> 83.146.115.146 - - [16/Apr/2014:11:27:33 +0200] "GET /tracker/scrape?info_hash=U%5C%01%04%94%C6%83JV%143eL%B4%FD%5D%AD%D5%5B%E9 HTTP/1.1" 500 1009 "-" "Zona 1.0.4.5;Windows 7;Java 1.6.0_31"
> 147.45.64.140 - - [16/Apr/2014:11:27:36 +0200] "-" 408 - "-" "-"
> 213.87.137.123 - - [16/Apr/2014:11:27:57 +0200] "-" 408 - "-" "-"
> 178.161.132.98 - - [16/Apr/2014:11:28:20 +0200] "-" 408 - "-" "-"
> 80.80.205.109 - - [16/Apr/2014:11:28:30 +0200] "GET /tracker/scrape?info_hash=%B6%0Dg%EC%24%0Frw%8A%0D%ADo%D1%86Z%C4J%0A%1D%7C HTTP/1.1" 500 1009 "-" "Zona 1.0.4.5;Windows 7;Java 1.6.0_30"
> 178.123.206.189 - - [16/Apr/2014:11:28:53 +0200] "GET /tracker/scrape?info_hash=%7F%98%05%BA%40%DB%ADo%1E%DD%D1%0BSL%0C%16%9DT%0D%BE HTTP/1.1" 500 1009 "-" "Zona 1.0.4.5;Windows 7;Java 1.6.0_38"
>
> Is anyone familiar with this behaviour? Any fix to this strange issue?

Not seeing entries for the sites you mentioned in your log, but treat your server as if it has been compromised. And they might be running a web scraper.

FYI, while you do want to avoid being able to ssh as root, that is not the only way to break into a web server. Consider the websites being hosted as not as secure as they should be.

> Thanks

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
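A small triage script, added here as an example and not part of the thread above, that does what an administrator in this position would want to do with the posted access log: parse the combined-format lines, separate the empty-request 408 timeouts (Apache logs `"-" 408` when a client opens a connection and sends no request before the timeout) from the `/tracker/scrape` requests, and decode each percent-encoded `info_hash` value to confirm it is a 20-byte identifier, which is what a BitTorrent tracker scrape carries. The log lines embedded below are the ones quoted in the original post; the function names and the report layout are this example's own.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes, urlsplit

# The access log lines quoted in the original post (Apache combined format).
SAMPLE_LOG = """\
147.45.64.140 - - [16/Apr/2014:11:26:44 +0200] "-" 408 - "-" "-"
176.8.100.50 - - [16/Apr/2014:11:26:59 +0200] "GET /tracker/scrape?info_hash=U%5C%01%04%94%C6%83JV%143eL%B4%FD%5D%AD%D5%5B%E9 HTTP/1.1" 500 1009 "-" "Zona 1.0.4.5;Windows 7;Java 1.6.0_38"
217.118.78.101 - - [16/Apr/2014:11:27:09 +0200] "-" 408 - "-" "-"
178.67.223.237 - - [16/Apr/2014:11:27:25 +0200] "GET /tracker/scrape?info_hash=%A78V98%CD%27%14%A9%5C%29U%9F%D6%04t%2F%80gX HTTP/1.1" 500 1009 "-" "Zona 1.0.4.5;Windows 7;Java 1.6.0_38"
194.107.23.1 - - [16/Apr/2014:11:27:28 +0200] "-" 408 - "-" "-"
178.89.208.29 - - [16/Apr/2014:11:27:31 +0200] "GET /tracker/scrape?info_hash=%E5%D0%15%7E%1D%C5%29%1B%BB%E8%C1M%B6%1E%ACA0%9D8%81 HTTP/1.1" 500 1009 "-" "Zona 1.0.4.5;Windows 7;Java 1.6.0_25"
83.146.115.146 - - [16/Apr/2014:11:27:33 +0200] "GET /tracker/scrape?info_hash=U%5C%01%04%94%C6%83JV%143eL%B4%FD%5D%AD%D5%5B%E9 HTTP/1.1" 500 1009 "-" "Zona 1.0.4.5;Windows 7;Java 1.6.0_31"
147.45.64.140 - - [16/Apr/2014:11:27:36 +0200] "-" 408 - "-" "-"
213.87.137.123 - - [16/Apr/2014:11:27:57 +0200] "-" 408 - "-" "-"
178.161.132.98 - - [16/Apr/2014:11:28:20 +0200] "-" 408 - "-" "-"
80.80.205.109 - - [16/Apr/2014:11:28:30 +0200] "GET /tracker/scrape?info_hash=%B6%0Dg%EC%24%0Frw%8A%0D%ADo%D1%86Z%C4J%0A%1D%7C HTTP/1.1" 500 1009 "-" "Zona 1.0.4.5;Windows 7;Java 1.6.0_30"
178.123.206.189 - - [16/Apr/2014:11:28:53 +0200] "GET /tracker/scrape?info_hash=%7F%98%05%BA%40%DB%ADo%1E%DD%D1%0BSL%0C%16%9DT%0D%BE HTTP/1.1" 500 1009 "-" "Zona 1.0.4.5;Windows 7;Java 1.6.0_38"
"""

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = rec["req"].split(" ")
    # A request of "-" (no request line read) has no method/path/protocol.
    if len(parts) == 3:
        rec["method"], rec["path"], rec["proto"] = parts
    else:
        rec["method"] = rec["path"] = rec["proto"] = None
    return rec


def info_hash(path):
    """Return the raw bytes of the info_hash query parameter, or None if absent.

    The value is percent-encoded binary, so it is decoded to bytes rather than
    to a string (parse_qs would mangle the non-UTF-8 bytes).
    """
    if path is None:
        return None
    for pair in urlsplit(path).query.split("&"):
        key, _, value = pair.partition("=")
        if key == "info_hash":
            return unquote_to_bytes(value)
    return None


def triage(log_text):
    """Summarise a block of access log text for incident triage."""
    recs = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    timeouts = [r for r in recs if r["status"] == 408 and r["req"] == "-"]
    tracker = [r for r in recs if r["path"] and r["path"].startswith("/tracker/")]
    hashes = Counter()
    for r in tracker:
        h = info_hash(r["path"])
        if h is not None and len(h) == 20:  # BitTorrent info hashes are SHA-1, 20 bytes
            hashes[h.hex()] += 1
    return {
        "lines": len(recs),
        "unique_ips": len({r["ip"] for r in recs}),
        "timeouts_408": len(timeouts),
        "tracker_requests": len(tracker),
        "tracker_status": Counter(r["status"] for r in tracker),
        "tracker_agents": Counter(r["ua"].split(";")[0] for r in tracker),
        "info_hashes": hashes,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run on the posted lines it shows that every non-timeout request is a `/tracker/scrape` from the same non-browser client family, with five distinct 20-byte info hashes; none of the traffic is for the administrator's own vhosts, which is the kind of concrete evidence to keep alongside the reply's advice to handle the host as compromised.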