Hi,

The logs (Apache access logs) definitely indicate many exploits being tried on your system (of course they may not be existing, as in your case of cmd.exe, etc.). The possible defense you can have against being exploited is firstly to make sure that there are no unwanted services running on your system and to have an IDS running in your network to detect these kinds of attacks.

Regards,
Mahadev T.

--- "Dharmendra.T" <dharmu@nsecure.net> wrote:
>
> If your log rotate is running properly you should not have to worry about your
> disk getting filled up as the logs will be removed after some time.
> I guess you are running a web server also on your machine or in your network.
> Make sure that you have installed the latest version of the server with all
> the security patches fixed.
> Regards,
> Dharmendra.T
> Linux Security Expert
> www.nsecure.net
> dharmu@nsecure.net
>
> On Tuesday 08 October 2002 17:45, Joaquin Durand Gomez wrote:
> > Hello to everyone.
> >
> > This is my first post in this list and let me introduce myself.
> > My name is Joaquin Durand. I've installed a PC with RedHat 7.2 in order
> > to experiment and learn a little. I have little experience with unix
> > systems.
> >
> > So far everything is OK with my RedHat server, I successfully installed
> > IP Masquerade following the instructions in the "Linux IP Masquerade
> > HOWTO" and I'm sharing my DSL with a Mac and a Windows PC.
> >
> > Since then, I'm getting constantly these in the messages log:
> >
> > Oct 7 20:59:16 Linolio kernel: IN=ppp0 OUT= MAC= SRC=64.172.120.252 DST=200.67.218.219 LEN=78 TOS=0x00 PREC=0x00 TTL=113 ID=50988 PROTO=UDP SPT=1025 DPT=137 LEN=58
> > Oct 7 21:03:32 Linolio kernel: IN=ppp0 OUT= MAC= SRC=61.99.136.75 DST=200.67.218.219 LEN=78 TOS=0x00 PREC=0x00 TTL=107 ID=63978 PROTO=UDP SPT=1027 DPT=137 LEN=58
> > Oct 7 21:04:46 Linolio kernel: IN=ppp0 OUT= MAC= SRC=210.178.168.234 DST=200.67.218.219 LEN=78 TOS=0x00 PREC=0x00 TTL=106 ID=54964 PROTO=UDP SPT=1026 DPT=137 LEN=58
> > Oct 7 21:05:46 Linolio kernel: IN=ppp0 OUT= MAC= SRC=210.221.225.151 DST=200.67.218.219 LEN=78 TOS=0x00 PREC=0x00 TTL=111 ID=6399 PROTO=UDP SPT=1026 DPT=137 LEN=58
> > Oct 7 21:06:05 Linolio kernel: IN=ppp0 OUT= MAC= SRC=163.180.21.160 DST=200.67.218.219 LEN=78 TOS=0x00 PREC=0x00 TTL=106 ID=4819 PROTO=UDP SPT=1043 DPT=137 LEN=58
> >
> > Also I get these in Apache's access_log:
> >
> > 218.4.59.220 - - [06/Oct/2002:22:44:49 -0600] "GET
> > /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> > NNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u90
> > 90%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u00
> > 78%u0000%u00=a HTTP/1.0" 400 352
> > pd9ebef87.dip.t-dialin.net - - [07/Oct/2002:00:54:18 -0600] "HEAD / HTTP/1.0" 200 0
> > ixde7561-90.pool.007mundo.com - - [07/Oct/2002:03:39:00 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 310
> > ixde7561-90.pool.007mundo.com - - [07/Oct/2002:03:39:02 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 308
> > ixde7561-90.pool.007mundo.com - - [07/Oct/2002:03:39:04 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 318
> >
> > The origin IP changes all the time. I'm a little worried about the
> > security of my server. It seems that somebody is trying to get access
> > through the web server but using Windows commands :-D (hahaha)
> > But my concern is about the messages log, I don't know how to interpret
> > the log and I'm afraid that someone is trying to break in.
> >
> > Could somebody guide me and tell me what to do in order to make sure my
> > server is secure?
> > Thank you very much.
> >
> > - Joaquin!
> >
>

------------------------------------------------------------------------
To unsubscribe email security-discuss-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
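The two log excerpts Joaquin quoted (the kernel firewall lines and the Apache access_log lines) can be triaged mechanically rather than read one by one. The script below is an added example, not code from any of the posters: it parses iptables LOG entries into their KEY=VALUE fields, parses Apache common-format lines, tags the well-known shapes in the thread (UDP/137 NetBIOS name-service queries, the Code Red `default.ida` overflow request, the Nimda `root.exe`/`cmd.exe` requests), and lists any tagged request that the server actually answered with a 2xx, which is the only case that would need follow-up on an Apache host. Sample lines are copied from the thread except the 192.0.2.10 TCP line and the shortened `default.ida` request, which are constructed.

```python
"""Triage helper for the two kinds of log lines quoted in the thread.

Added example (not the posters' code). Sample lines are copied from the
thread except where marked constructed; 192.0.2.0/24 is documentation space.
"""
import re
from collections import Counter, defaultdict

# iptables LOG output (2.4 kernel netfilter format) is a run of KEY=VALUE tokens
KV_RE = re.compile(r"(\w+)=(\S*)")

# Apache common log format: host ident user [time] "method path proto" status bytes
APACHE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

NETBIOS = "netbios-ns query (UDP/137; routine Windows name-service noise)"
CODE_RED = "Code Red probe (IIS .ida overflow; no effect on Apache)"
NIMDA = "Nimda-style probe (IIS root.exe/cmd.exe; no effect on Apache)"

# Well-known worm request shapes from 2001-2002; none of these paths exist on Apache.
WEB_SIGNATURES = [
    (re.compile(r"^/default\.ida\?.*%u", re.I), CODE_RED),
    (re.compile(r"(?:root|cmd)\.exe\?/c\+", re.I), NIMDA),
]

KERNEL_LINES = [
    "Oct 7 20:59:16 Linolio kernel: IN=ppp0 OUT= MAC= SRC=64.172.120.252 DST=200.67.218.219 LEN=78 TOS=0x00 PREC=0x00 TTL=113 ID=50988 PROTO=UDP SPT=1025 DPT=137 LEN=58",
    "Oct 7 21:03:32 Linolio kernel: IN=ppp0 OUT= MAC= SRC=61.99.136.75 DST=200.67.218.219 LEN=78 TOS=0x00 PREC=0x00 TTL=107 ID=63978 PROTO=UDP SPT=1027 DPT=137 LEN=58",
    # constructed: a TCP SYN to ssh, to show a line that is not NetBIOS noise
    "Oct 7 21:10:00 Linolio kernel: IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=200.67.218.219 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=4444 DPT=22 SYN",
]
APACHE_LINES = [
    # the thread's default.ida request with the long run of N's shortened
    '218.4.59.220 - - [06/Oct/2002:22:44:49 -0600] "GET /default.ida?NNNNNNNN%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 400 352',
    'pd9ebef87.dip.t-dialin.net - - [07/Oct/2002:00:54:18 -0600] "HEAD / HTTP/1.0" 200 0',
    'ixde7561-90.pool.007mundo.com - - [07/Oct/2002:03:39:00 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 310',
    'ixde7561-90.pool.007mundo.com - - [07/Oct/2002:03:39:02 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 308',
    'ixde7561-90.pool.007mundo.com - - [07/Oct/2002:03:39:04 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 318',
]


def parse_kernel_line(line):
    """Return the KEY=VALUE fields of an iptables LOG line, or None if it is not one.

    LEN appears twice (IP header, then UDP/TCP header); the first value is kept.
    """
    _, sep, rest = line.partition("kernel:")
    if not sep:
        return None
    fields = {}
    for key, value in KV_RE.findall(rest):
        fields.setdefault(key, value)
    return fields


def classify_kernel(fields):
    """Name the traffic pattern a firewall LOG entry most likely represents."""
    proto, dport = fields.get("PROTO"), fields.get("DPT")
    if proto == "UDP" and dport == "137":
        return NETBIOS
    if proto == "TCP" and dport in {"135", "139", "445"}:
        return "windows rpc/smb probe"
    return f"other {proto} to port {dport}"


def classify_web(path):
    """Match a request path against the known worm probe shapes."""
    for pattern, label in WEB_SIGNATURES:
        if pattern.search(path):
            return label
    return "unclassified"


def summarize(kernel_lines, apache_lines):
    """Count categories per source address and list any worm probe answered with 2xx."""
    by_source = defaultdict(Counter)
    answered = []
    for line in kernel_lines:
        fields = parse_kernel_line(line)
        if fields:
            by_source[fields["SRC"]][classify_kernel(fields)] += 1
    for line in apache_lines:
        m = APACHE_RE.match(line)
        if not m:
            continue
        label = classify_web(m["path"])
        by_source[m["host"]][label] += 1
        # 400/404 means nothing was there to execute; a 2xx on a probe path
        # would be the one line worth investigating.
        if label != "unclassified" and m["status"].startswith("2"):
            answered.append((m["host"], m["path"], m["status"]))
    return by_source, answered


if __name__ == "__main__":
    by_source, answered = summarize(KERNEL_LINES, APACHE_LINES)
    for src, counts in by_source.items():
        for label, n in counts.items():
            print(f"{src:32} {n:3}  {label}")
    print("worm probes answered with 2xx:", answered or "none")
```

Run on the thread's lines, every web request is tagged as an IIS worm probe that Apache answered with 400 or 404, and every kernel line is a UDP/137 name-service query, so the summary matches Mahadev's reading: the exploits are real but aimed at software that is not installed. The same parser applied to a real access_log would surface the 2xx case directly instead of leaving it to eyeballing.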