I'm running an http server with two private-ish domains. The content is nothing really... more or less there for my convenience... one domain is just a single http landing page (a placeholder) with a link to another passworded page which has a few multimedia files of no real interest to anyone but me (you need a valid username/password to get to this page), the other is a copy of an old travel photo site I used to have (just a couple dozen photos in a JAlbum).

I've set robots.txt to disallow any search indexing, and the major search engines respect that - good enough for me anyway. The domains are tied to a DynDNS subscription so that when my ISP changes my IP address, the domains remain in sync.

Today I noticed an unusual level of activity on my NIC.... generally, if I'm not doing anything, my NIC activity is zero. Instead today I'm seeing at least 26kbps up and down... OK, not a lot, but that's more than the usual zero, and it was a constant 1-1 on the up/down speed ratio... quite unusual to me. EtherApe showed me two IPs that were very very active on my system. The apache logs show very little....

The last few lines of the error log are:
------------------------
[Fri Dec 10 18:51:05 2010] [error] [client 213.226.63.196] Invalid method in request ?\xde\xfa+\x94\xaf\x15\xf9\xe2X\x02\xa6\x0fHdL\xdb\x9e\x0e4\xb8\xc5\xb7\x823!!d\x8d^@\xef\xe3\xc5+HG\xb2\x1d\xfdc"\x1fI\xcf]\xe3\x8a\xc3n\x86\xa6\x15d\xfe\xb0
[Sat Dec 11 03:37:15 2010] [error] [client 208.80.194.32] request failed: error reading the headers
[Sat Dec 11 03:48:22 2010] [error] [client 76.234.23.152] Invalid method in request B\xac\xcdb\xee\x8aC^4\xad\xd6\xf7\x17$\x04b\xd2\xd0\x13
[Sat Dec 11 09:25:51 2010] [error] [client 119.133.224.149] Invalid method in request \xb0\x84\xb1\x82v\x1c#%:\xd3\xf5@\xd0=\x04\x94\x12\x8b\xfd\x1e8\xda\x13\xa6o

The last few lines of the access log are:
------------------------
193.47.80.37 - - [11/Dec/2010:02:26:40 +0100] "GET /robots.txt HTTP/1.1" 200 26 "-" "Mozilla/5.0 (compatible; Exabot/3.0; +http://www.exabot.com/go/robot)"
193.47.80.37 - - [11/Dec/2010:02:26:40 +0100] "GET /menu.html HTTP/1.1" 304 - "-" "Mozilla/5.0 (compatible; Exabot/3.0; +http://www.exabot.com/go/robot)"
208.80.194.32 - - [11/Dec/2010:03:37:15 +0100] "GET / HTTP/1.0" 400 5599 "-" "-"
76.234.23.152 - - [11/Dec/2010:03:48:22 +0100] "B\xac\xcdb\xee\x8aC^4\xad\xd6\xf7\x17$\x04b\xd2\xd0\x13" 501 976 "-" "-"
69.21.90.58 - - [11/Dec/2010:03:49:07 +0100] "\xc2I\xd74~h\xc2\x99Kn\xcf/\xeb\xe1`~\x89\x19\xba\x01H\xa3f\xb4\xc9\b" 501 976 "-" "-"
207.46.204.184 - - [11/Dec/2010:05:27:28 +0100] "GET /robots.txt HTTP/1.1" 200 26 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
207.46.204.184 - - [11/Dec/2010:05:34:41 +0100] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
67.207.96.194 - - [11/Dec/2010:06:38:08 +0100] "{\xec/Qo/" 501 976 "-" "-"
66.249.85.2 - - [11/Dec/2010:07:17:04 +0100] "GET / HTTP/1.1" 200 812 "-" "Feedfetcher-Google; (+http://www.google.com/feedfetcher.html; feed-id=6557159989255775444)"
119.133.224.149 - - [11/Dec/2010:09:25:51 +0100] "\xb0\x84\xb1\x82v\x1c#%:\xd3\xf5@\xd0=\x04\x94\x12\x8b\xfd\x1e8\xda\x13\xa6o" 501 976 "-" "-"

The bot activity is known, and normal... and I don't see anything that really indicates anyone accessing my passworded directory (when someone, myself or my brother, logs into the secure area it's recorded in the access log, and I also see/log what is downloaded/accessed), nor any other "real" activity.

The strange character strings seem to be... I don't know... someone probing for a security hole in apache? I am not sure since the string means nothing to me and a Google search on it returns nothing useful. It appears though that they never got very far.... I think... maybe...

I stopped my apache server and disabled the secure area, and immediately the NIC activity dropped to zero. I've since restarted apache (without the secure area enabled), and the NIC activity hasn't picked up again.

I've seen this activity a few times recently... noticeable activity on my network tied to apache, but no traces (that I can see) of what is actually going on.

Does anyone have any idea what this might be? Am I being paranoid? or could there be something more to this? Is there somewhere else I should be looking to figure out what's going on?

C.
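
An added example, not part of the original post: a short Python triage of an Apache combined-format access log that separates well-formed HTTP request lines from entries whose request line is not HTTP at all, and counts the \xNN-escaped bytes in each. The sample lines are copied from the access log excerpt above; the function and pattern names are chosen for this example.

```python
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# A well-formed request line: METHOD SP target SP HTTP/x.y
REQ_RE = re.compile(r'^[A-Z]+ \S+ HTTP/\d\.\d$')

# Lines copied from the access log excerpt in the post above.
SAMPLE = r'''
193.47.80.37 - - [11/Dec/2010:02:26:40 +0100] "GET /robots.txt HTTP/1.1" 200 26 "-" "Mozilla/5.0 (compatible; Exabot/3.0; +http://www.exabot.com/go/robot)"
208.80.194.32 - - [11/Dec/2010:03:37:15 +0100] "GET / HTTP/1.0" 400 5599 "-" "-"
76.234.23.152 - - [11/Dec/2010:03:48:22 +0100] "B\xac\xcdb\xee\x8aC^4\xad\xd6\xf7\x17$\x04b\xd2\xd0\x13" 501 976 "-" "-"
67.207.96.194 - - [11/Dec/2010:06:38:08 +0100] "{\xec/Qo/" 501 976 "-" "-"
119.133.224.149 - - [11/Dec/2010:09:25:51 +0100] "\xb0\x84\xb1\x82v\x1c#%:\xd3\xf5@\xd0=\x04\x94\x12\x8b\xfd\x1e8\xda\x13\xa6o" 501 976 "-" "-"
'''

def triage(log_text):
    """Split entries into well-formed HTTP requests and non-HTTP payloads."""
    malformed, well_formed, unparsed = [], Counter(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)  # keep for manual review, never drop silently
            continue
        req = m['req']
        if REQ_RE.match(req):
            well_formed[m['ip']] += 1
        else:
            # Apache writes non-printable bytes as \xNN, so counting those
            # escapes shows how much of the "request" was binary data.
            escaped = len(re.findall(r'\\x[0-9a-fA-F]{2}', req))
            malformed.append((m['ip'], m['ts'], int(m['status']), escaped))
    return malformed, well_formed, unparsed

if __name__ == '__main__':
    bad, good, skipped = triage(SAMPLE)
    for ip, ts, status, escaped in bad:
        print(f'{ts}  {ip:<16} status={status} escaped_bytes={escaped}')
    print(f'well-formed by client: {dict(good)}; unparsed: {len(skipped)}')
```

Run against the full access log, the malformed list gives the client addresses and timestamps to compare with the addresses seen in a traffic monitor during the same period.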