Re: [SLE] suspicious log lines

Well my server will be public after I setup DNS and email account for my users... It is a small server for web page and email accounts. I would decide to put it in DMZ, since I'm running DNS aswell, but then again I have also mail server and users mailbox on that machine... I guess transfering mailboxes to another machine inside LAN would do it! Securita! Thank you for your replys, :) regards ,himba Dne petek 23. maja 2003 00:14 je Togan Muftuoglu napisal(a):

* himbA; on 23 May, 2003 wrote:

...

/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u685 8%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000% u00=a HTTP/1.0" 404 281

207.33.111.37 - - [14/May/2003:14:03:55 +0200] "HEAD /cgi-bin/ws_ftp.ini HTTP/1.0" 404 0 207.33.111.37 - - [14/May/2003:14:03:56 +0200] "HEAD /WS_FTP.ini HTTP/1.0" 404 0 207.33.111.37 - - [14/May/2003:14:03:56 +0200] "HEAD /cgi-bin/WS_FTP.ini HTTP/1.0" 404 0 207.33.111.37 - - [14/May/2003:14:03:57 +0200] "HEAD /cgi-bin/ax-admin.cgi HTTP/1.0" 404 0 207.33.111.37 - - [14/May/2003:14:03:57 +0200] "HEAD /cgi-bin/axs.cgi HTTP/1.0" 404 0 2

Are these possible intruder attacks ?

They are most probably some script kiddie playing around looking for any vulnerabilities they may have find. The reality is when you have a webserver publicly available then these logs will come someday

have a look at http://susefaq.sourceforge.net/apachequestions.html

If you have real concern then consider placing your server in a DMZ and run it chrooted ( not that it gives 100 % guarantee yet makes you feel safer )

--

Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx

-- This mail was Kmailed.