Re: Interpreting logwatch




> 
> Every few days I see in the logwatch on my Centos-5.5 web-server what seems
> like a rather feeble break-in attempt.
> Eg today I see
> ---------------------------
>     403 Forbidden
>        /phpMyAdmin/scripts/setup.php: 2 Time(s)
>        /phpmyadmin/scripts/setup.php: 2 Time(s)
>     404 Not Found
>        /PMA2005/scripts/setup.php: 1 Time(s)
>        /TRAD_files/datestamp.js: 1 Time(s) ...
> ---------------------------
> followed by dozens of similar lines.
> 
> As far as I can see, the IP of the person making the attempt (if there was
> an attempt) is not given.
> 
> I'm not at all sure what if anything I should do about this.
> 

Logwatch is just an automated tool that runs a few checks on your log files.
The source IP is in your apache log files.

If you are concerned, you should check your log files to check for that IP
and then run a check on whether that IP appears elsewhere in any of your
logfiles.

The likelihood is that someone ran a vulnerability scanner against all your
available services, logwatch found evidence of that vulnerability scan, and
you should check whether any other vulnerabilities were scanned for and
perhaps found...

To do that you should manually check your log files or use a better tool.



_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
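
The check described in the reply above, as an added example that is not part of the original message: find which source IPs requested the paths logwatch reported, then list everything else those IPs asked for and which requests succeeded. It assumes Apache's common/combined log format; the sample log lines, IP addresses and timestamps are constructed for illustration.

```python
import re

# Apache common/combined format: host ident user [time] "request" status size ...
# Lines whose request field is malformed (e.g. "-") do not match and are skipped.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Paths taken from the logwatch report quoted in the thread.
PROBE_PATHS = [
    "/phpMyAdmin/scripts/setup.php",
    "/phpmyadmin/scripts/setup.php",
    "/PMA2005/scripts/setup.php",
]

# Constructed sample lines (documentation-range IPs), not real log data.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2011:04:11:02 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 403 300 "-" "-"',
    '192.0.2.10 - - [12/Mar/2011:04:11:03 +0000] "GET /PMA2005/scripts/setup.php HTTP/1.1" 404 290 "-" "-"',
    '192.0.2.10 - - [12/Mar/2011:04:11:05 +0000] "GET /admin/login.php HTTP/1.1" 200 1520 "-" "-"',
    '198.51.100.7 - - [12/Mar/2011:09:30:00 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "-"',
]

def parse(lines):
    """Yield (ip, path, status) for every line that matches the log format."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], m["path"], int(m["status"])

def triage(lines, probe_paths):
    """Return {ip: {"probes": [...], "other": [...], "succeeded": [...]}}
    for every IP that requested one of probe_paths (case-insensitive)."""
    records = list(parse(lines))
    wanted = {p.lower() for p in probe_paths}
    is_probe = lambda path: path.split("?")[0].lower() in wanted
    suspects = {ip for ip, path, _ in records if is_probe(path)}
    report = {ip: {"probes": [], "other": [], "succeeded": []} for ip in suspects}
    for ip, path, status in records:
        if ip in suspects:
            report[ip]["probes" if is_probe(path) else "other"].append((path, status))
            if 200 <= status < 300:  # the request got a real answer: look closer
                report[ip]["succeeded"].append((path, status))
    return report

if __name__ == "__main__":
    for ip, hits in triage(SAMPLE_LOG, PROBE_PATHS).items():
        print(ip, hits)
```

To run it against a real server, pass the lines of the access log file instead of SAMPLE_LOG; entries under "succeeded" are the ones worth reviewing first.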

