Re: Presentation

If your log rotate is running properly you should not have to worry about your 
disk getting filled up as the logs will be removed after some time.
I guess you are also running a web server on your machine or in your network. 
Make sure that you have installed the latest version of the server with all 
the security patches fixed.
Regards,
Dharmendra.T
Linux Security Expert
www.nsecure.net
dharmu@nsecure.net

On Tuesday 08 October 2002 17:45, Joaquin Durand Gomez wrote:
> Hello to everyone.
>
> This is my first post in this list and let me introduce myself.
> My name is Joaquin Durand. I've installed a PC with RedHat 7.2 in order
> to experiment and learn a little. I have little experience with unix
> systems.
>
> So far everything is OK with my RedHat server, I successfully installed
> IP Masquerade following the instructions in the "Linux IP Masquerade
> HOWTO" and I'm sharing my DSL with a Mac and a Windows PC.
>
> Since then, I'm constantly getting these in the messages log:
>
> Oct  7 20:59:16 Linolio kernel: IN=ppp0 OUT= MAC= SRC=64.172.120.252
> DST=200.67.218.219 LEN=78 TOS=0x00 PREC=0x00 TTL=113 ID=50988 PROTO=UDP
> SPT=1025 DPT=137 LEN=58
> Oct  7 21:03:32 Linolio kernel: IN=ppp0 OUT= MAC= SRC=61.99.136.75
> DST=200.67.218.219 LEN=78 TOS=0x00 PREC=0x00 TTL=107 ID=63978 PROTO=UDP
> SPT=1027 DPT=137 LEN=58
> Oct  7 21:04:46 Linolio kernel: IN=ppp0 OUT= MAC= SRC=210.178.168.234
> DST=200.67.218.219 LEN=78 TOS=0x00 PREC=0x00 TTL=106 ID=54964 PROTO=UDP
> SPT=1026 DPT=137 LEN=58
> Oct  7 21:05:46 Linolio kernel: IN=ppp0 OUT= MAC= SRC=210.221.225.151
> DST=200.67.218.219 LEN=78 TOS=0x00 PREC=0x00 TTL=111 ID=6399 PROTO=UDP
> SPT=1026 DPT=137 LEN=58
> Oct  7 21:06:05 Linolio kernel: IN=ppp0 OUT= MAC= SRC=163.180.21.160
> DST=200.67.218.219 LEN=78 TOS=0x00 PREC=0x00 TTL=106 ID=4819 PROTO=UDP
> SPT=1043 DPT=137 LEN=58
>
> Also I get these in Apache's access_log:
>
> 218.4.59.220 - - [06/Oct/2002:22:44:49 -0600] "GET
> /
> default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u90
> 90%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u00
> 78%u0000%u00=a  HTTP/1.0" 400 352
> pd9ebef87.dip.t-dialin.net - - [07/Oct/2002:00:54:18 -0600] "HEAD /
> HTTP/1.0" 200 0
> ixde7561-90.pool.007mundo.com - - [07/Oct/2002:03:39:00 -0600] "GET
> /scripts/root.exe?/c+dir HTTP/1.0" 404 310
> ixde7561-90.pool.007mundo.com - - [07/Oct/2002:03:39:02 -0600] "GET
> /MSADC/root.exe?/c+dir HTTP/1.0" 404 308
> ixde7561-90.pool.007mundo.com - - [07/Oct/2002:03:39:04 -0600] "GET
> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 318
>
> The origin IP changes all the time. I'm a little worried about the
> security of my server. It seems that somebody is trying to get access
> through the web server but using Windows commands  :-D  (hahaha)
> But my concern is about the messages log, I don't know how to interpret
> the log and I'm afraid that someone is trying to break in.
>
> Could somebody guide me and tell me what to do in order to make sure my
> server is secure?
> Thank you very much.
>
> - Joaquin!
>
> ------------------------------------------------------------------------
>      To unsubscribe email security-discuss-request@linuxsecurity.com
>          with "unsubscribe" in the subject of the message.
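
An added example, not part of either post above: a short triage script for the two kinds of log lines quoted in the question. It counts the netfilter LOG entries by inbound interface, protocol and destination port (UDP 137 is the NetBIOS name service) and flags access_log requests for paths that exist only on Windows/IIS servers, noting whether Apache rejected them. The function names are this example's own, and the sample lines are taken from the post with the mail wrapping undone and the long `.ida` query shortened.

```python
import re
from collections import Counter
# Sample lines from the post, mail wrapping undone; the long .ida query is shortened (constructed).
KERNEL_LOG = """\
Oct  7 20:59:16 Linolio kernel: IN=ppp0 OUT= MAC= SRC=64.172.120.252 DST=200.67.218.219 LEN=78 TOS=0x00 PREC=0x00 TTL=113 ID=50988 PROTO=UDP SPT=1025 DPT=137 LEN=58
Oct  7 21:03:32 Linolio kernel: IN=ppp0 OUT= MAC= SRC=61.99.136.75 DST=200.67.218.219 LEN=78 TOS=0x00 PREC=0x00 TTL=107 ID=63978 PROTO=UDP SPT=1027 DPT=137 LEN=58
"""
ACCESS_LOG = """\
218.4.59.220 - - [06/Oct/2002:22:44:49 -0600] "GET /default.ida?NNNNNNNN HTTP/1.0" 400 352
pd9ebef87.dip.t-dialin.net - - [07/Oct/2002:00:54:18 -0600] "HEAD / HTTP/1.0" 200 0
ixde7561-90.pool.007mundo.com - - [07/Oct/2002:03:39:00 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 310
ixde7561-90.pool.007mundo.com - - [07/Oct/2002:03:39:04 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 318
"""

FIELD = re.compile(r"(\w+)=(\S*)")
ACCESS = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Paths that only exist on Windows/IIS servers; a hit on Apache is a blind probe.
IIS_ONLY = re.compile(r"\.ida(\?|$)|/(root|cmd)\.exe(\?|$)", re.I)

def parse_netfilter(line):
    """Return the KEY=VALUE fields of one netfilter LOG line, or None."""
    if "kernel:" not in line or "IN=" not in line:
        return None
    fields = {}
    for key, value in FIELD.findall(line.split("kernel:", 1)[1]):
        fields.setdefault(key, value)  # LEN occurs twice; keep the IP-level one
    return fields

def summarise_packets(text):
    """Count logged packets per (inbound interface, protocol, destination port)."""
    parsed = filter(None, map(parse_netfilter, text.splitlines()))
    return Counter((f["IN"], f["PROTO"], f.get("DPT", "-")) for f in parsed)

def triage_access(text):
    """Return (client, path, status, verdict) for each access_log line."""
    rows = []
    for m in filter(None, map(ACCESS.match, text.splitlines())):
        client, _method, path, status = m.groups()
        if not IIS_ONLY.search(path):
            verdict = "ordinary request"
        elif status[0] in "45":
            verdict = "IIS-only probe, rejected"
        else:
            verdict = "IIS-only probe, NOT rejected: investigate"
        rows.append((client, path.split("?")[0], int(status), verdict))
    return rows

if __name__ == "__main__":
    print(summarise_packets(KERNEL_LOG), *triage_access(ACCESS_LOG), sep="\n")
```

On the sample input every logged packet is inbound UDP to port 137 on `ppp0`, and each IIS-only request was answered with a 400 or 404.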
