Re: client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.test0:)

 On 06:59, Norman Khine wrote:
I get these in my

# tail -f /var/log/apache2/error_log

[Tue Aug 17 15:13:00 2010] [notice] Apache/2.2.15 (Unix)
mod_ssl/2.2.15 OpenSSL/0.9.8o configured -- resuming normal operations
[Tue Aug 17 15:14:56 2010] [error] [client 188.165.201.59] File does
not exist: /var/www/localhost/htdocs/test_500k.bin
[Tue Aug 17 15:14:56 2010] [error] [client 188.165.201.59] File does
not exist: /var/www/localhost/htdocs/2816eca5251644b60664d581cb953980
[Tue Aug 17 15:16:26 2010] [error] [client 89.19.18.114] client sent
HTTP/1.1 request without hostname (see RFC2616 section 14.23):
/w00tw00t.at.ISC.SANS.DFind:)
[Tue Aug 17 15:17:56 2010] [error] [client 188.165.201.59] File does
not exist: /var/www/localhost/htdocs/test_500k.bin
[Tue Aug 17 15:17:56 2010] [error] [client 188.165.201.59] File does
not exist: /var/www/localhost/htdocs/2816eca5251644b60664d581cb953980
[Tue Aug 17 15:19:20 2010] [error] [client 79.233.232.211] File does
not exist: /var/www/localhost/htdocs/101f39bf5983c67258518552c0d8d50f
[Tue Aug 17 15:19:20 2010] [error] [client 79.233.232.211] File does
not exist: /var/www/localhost/htdocs/101f39bf5983c67258518552c0d8d50f
[Tue Aug 17 15:20:30 2010] [error] [client 203.127.11.214] client sent
HTTP/1.1 request without hostname (see RFC2616 section 14.23):
/w00tw00t.at.ISC.SANS.test0:)
[Tue Aug 17 15:20:56 2010] [error] [client 188.165.201.59] File does
not exist: /var/www/localhost/htdocs/test_500k.bin
[Tue Aug 17 15:20:56 2010] [error] [client 188.165.201.59] File does
not exist: /var/www/localhost/htdocs/2816eca5251644b60664d581cb953980


From the IP addresses I see they originate from Turkey, Singapore and
from users from within ovh.com; this is my host.

Does this mean that my server is being probed?

Thanks


Hi Norman,
Yes, the w00tw00t is a good sign of probing. It is one of many that you will get to know (but probably not love!) if you watch your logs. They are looking for ways to compromise your server for whatever nefarious purposes. I suggest you implement a default name virtual host that rejects all requests. That will at least stop those that are just scanning IP addresses looking for responses on port 80. (No prober has yet found my server by name, though about 60% of my total traffic is IP-addressed probes.)
Regards,
Peter


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
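
The by-eye log triage from this thread, as an added example that is not part of the original messages: it re-joins mail-wrapped Apache 2.2 error_log entries and groups requests sent without a Host header and "File does not exist" hits by client. The sample log is constructed with documentation-range addresses, and the names `join_wrapped` and `triage` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in Apache 2.2 error_log format (documentation-range IPs),
# wrapped mid-entry the way a mail client wraps pasted log lines.
SAMPLE_LOG = """\
[Tue Aug 17 15:13:00 2010] [notice] Apache/2.2.15 (Unix) resuming normal operations
[Tue Aug 17 15:14:56 2010] [error] [client 192.0.2.10] File does
not exist: /var/www/localhost/htdocs/test_500k.bin
[Tue Aug 17 15:16:26 2010] [error] [client 198.51.100.7] client sent
HTTP/1.1 request without hostname (see RFC2616 section 14.23):
/w00tw00t.at.ISC.SANS.DFind:)
[Tue Aug 17 15:17:56 2010] [error] [client 192.0.2.10] File does
not exist: /var/www/localhost/htdocs/test_500k.bin
[Tue Aug 17 15:20:30 2010] [error] [client 203.0.113.5] client sent
HTTP/1.1 request without hostname (see RFC2616 section 14.23):
/w00tw00t.at.ISC.SANS.test0:)
"""

ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
                   r"(?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$")
NO_HOST = re.compile(r"request without hostname .*?: ?(?P<uri>\S+)$")
MISSING = re.compile(r"File does not exist: (?P<path>\S+)$")

def join_wrapped(text):
    """Re-join entries: a line not starting with '[' continues the previous one."""
    entries = []
    for line in text.splitlines():
        if line.startswith("[") or not entries:
            entries.append(line.strip())
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries

def triage(text):
    """Return {client: {"no_host": [uri, ...], "missing": [path, ...]}}."""
    report = defaultdict(lambda: {"no_host": [], "missing": []})
    for entry in join_wrapped(text):
        m = ENTRY.match(entry)
        if not m or not m.group("client"):
            continue  # server notices carry no client address
        if (hit := NO_HOST.search(m.group("msg"))):
            report[m.group("client")]["no_host"].append(hit.group("uri"))
        elif (hit := MISSING.search(m.group("msg"))):
            report[m.group("client")]["missing"].append(hit.group("path"))
    return dict(report)

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Clients that only ever appear under `no_host` addressed the server by IP rather than by name, which is the traffic a rejecting default virtual host would turn away.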


