Mailinglist Archive: opensuse (882 mails)

< Previous Next >
[opensuse] Odd activity on my webserver
  • From: C <smaug42@xxxxxxxxx>
  • Date: Sat, 11 Dec 2010 10:07:47 +0100
  • Message-id: <AANLkTim4PfLD8pGnMcPijnaz0ntK0ZpH4P97snjg3u07@xxxxxxxxxxxxxx>
I'm running an http server with two private-ish domains. The content
is nothing really... more or less there for my convenience... one
domain is just a single http landing page (a place holder) with a link
to another passworded page which has a few multimedia files of no real
interest to anyone but me (you need a valid username/password to get
to this page), the other is a copy of an old travel photo site I used
to have (just a couple dozen photos in a JAlbum). I've set robots.txt
to disallow any search indexing, and the major search engines respect
that - good enough for me anyway. The domains are tied to a DynDNS
subscription so that when my ISP changes my IP address, the domains
remain in sync.

Today I noticed an unusual level of activity on my NIC.... generally,
if I'm not doing anything, my NIC activity is zero. Instead today I'm
seeing at least 26kbps up and down... OK, not a lot, but that's more
than the usual zero, and it was a constant 1-1 on the up/down speed
ratio... quite unusual to me. Etherape showed me two IPs that were
very very active on my system. The apache logs show very little....

The last few lines of the error log are:
------------------------
[Fri Dec 10 18:51:05 2010] [error] [client 213.226.63.196] Invalid
method in request
?\xde\xfa+\x94\xaf\x15\xf9\xe2X\x02\xa6\x0fHdL\xdb\x9e\x0e4\xb8\xc5\xb7\x823!!d\x8d^@\xef\xe3\xc5+HG\xb2\x1d\xfdc"\x1fI\xcf]\xe3\x8a\xc3n\x86\xa6\x15d\xfe\xb0
[Sat Dec 11 03:37:15 2010] [error] [client 208.80.194.32] request
failed: error reading the headers
[Sat Dec 11 03:48:22 2010] [error] [client 76.234.23.152] Invalid
method in request
B\xac\xcdb\xee\x8aC^4\xad\xd6\xf7\x17$\x04b\xd2\xd0\x13
[Sat Dec 11 09:25:51 2010] [error] [client 119.133.224.149] Invalid
method in request
\xb0\x84\xb1\x82v\x1c#%:\xd3\xf5@\xd0=\x04\x94\x12\x8b\xfd\x1e8\xda\x13\xa6o


The last few lines of the access log are:
------------------------
193.47.80.37 - - [11/Dec/2010:02:26:40 +0100] "GET /robots.txt
HTTP/1.1" 200 26 "-" "Mozilla/5.0 (compatible; Exabot/3.0;
+http://www.exabot.com/go/robot)"
193.47.80.37 - - [11/Dec/2010:02:26:40 +0100] "GET /menu.html
HTTP/1.1" 304 - "-" "Mozilla/5.0 (compatible; Exabot/3.0;
+http://www.exabot.com/go/robot)"
208.80.194.32 - - [11/Dec/2010:03:37:15 +0100] "GET / HTTP/1.0" 400 5599 "-" "-"
76.234.23.152 - - [11/Dec/2010:03:48:22 +0100]
"B\xac\xcdb\xee\x8aC^4\xad\xd6\xf7\x17$\x04b\xd2\xd0\x13" 501 976 "-"
"-"
69.21.90.58 - - [11/Dec/2010:03:49:07 +0100]
"\xc2I\xd74~h\xc2\x99Kn\xcf/\xeb\xe1`~\x89\x19\xba\x01H\xa3f\xb4\xc9\b"
501 976 "-" "-"
207.46.204.184 - - [11/Dec/2010:05:27:28 +0100] "GET /robots.txt
HTTP/1.1" 200 26 "-" "Mozilla/5.0 (compatible; bingbot/2.0;
+http://www.bing.com/bingbot.htm)"
207.46.204.184 - - [11/Dec/2010:05:34:41 +0100] "GET / HTTP/1.1" 304 -
"-" "Mozilla/5.0 (compatible; bingbot/2.0;
+http://www.bing.com/bingbot.htm)"
67.207.96.194 - - [11/Dec/2010:06:38:08 +0100] "{\xec/Qo/" 501 976 "-" "-"
66.249.85.2 - - [11/Dec/2010:07:17:04 +0100] "GET / HTTP/1.1" 200 812
"-" "Feedfetcher-Google; (+http://www.google.com/feedfetcher.html;
feed-id=6557159989255775444)"
119.133.224.149 - - [11/Dec/2010:09:25:51 +0100]
"\xb0\x84\xb1\x82v\x1c#%:\xd3\xf5@\xd0=\x04\x94\x12\x8b\xfd\x1e8\xda\x13\xa6o"
501 976 "-" "-"


The bot activity is known, and normal... and I don't see anything that
really indicates anyone accessing my passworded directory (when
someone, myself or my brother, logs into the secure area it's recorded
in the access log, and I also see/log what is downloaded/accessed),
nor any other "real" activity. The strange character strings seem to
be... I don't know... someone probing for a security hole in apache?
I am not sure since the string means nothing to me and a Google search
on it returns nothing useful. It appears though that they never got
very far.... I think... maybe...

I stopped my apache server and disabled the secure area, and
immediately the NIC activity dropped to zero. I've since restarted
apache (without the secure area enabled), and the NIC activity hasn't
picked up again.

I've seen this activity a few times recently... noticeable activity on
my network tied to apache, but no traces (that I can see) of what is
actually going on.

Does anyone have any idea what this might be? Am I being paranoid? or
could there be something more to this? Is there somewhere else I
should be looking to figure out what's going on?

C.
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx

< Previous Next >
This Thread
Follow Ups