Hey All. I am trying to figure out the following log message that keeps showing up in my adm_access log file:

67.32.217.163 - - [09/Mar/2002:10:43:50 -0500] "GET /.cobalt/error/forbidden.html HTTP/1.0" 200 653
67.32.217.163 - - [09/Mar/2002:10:43:51 -0500] "GET /.cobalt/images/lock_warning HTTP/1.1" 200 1139

Lately I am getting them about one an hour, from a different IP address every time, but only from 1 or 2 dial-up accounts, including Bell South (this one) and AOL. What I am trying to figure out is exactly what they are doing.

I have "grep"'d every one of the log files in /var/log and /var/log/httpd with both the timeframe and the IP. Nothing shows up for that IP address, and nothing looks weird. I also looked at the various admin logs and they look ok too. Tripwire reports nothing unusual (nor has it in the past), the box is fully patched (latest SSH too - thanks PKG masters), and I don't see any failed PAM or other login attempts. Nobody but me has shell access and few people access the box at all - all trusted. Oh - a RaQ4r.

At first I thought it might be a brute force on my admin area. But now I am getting the impression that this is just someone trying to hit a page in the secure area as there are no failed logins - perhaps trying one of those stupid "exploits" that were recently released? Script kiddies perhaps...

Any thoughts would be greatly appreciated.

Rick Ewart

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
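
One way to triage the pattern described in the message above, as an added example that is not part of the original post: it groups requests for the forbidden page by hour and source, and lists the sources that requested nothing but the error page and its image. The two 67.32.217.163 lines are from the post; the other sample lines, the documentation-range IPs and the /example-admin/ path are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format, as in the adm_access excerpts quoted in the post.
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
ERROR_PAGE = "/.cobalt/error/forbidden.html"               # path from the post
ERROR_ASSETS = ("/.cobalt/error/", "/.cobalt/images/")     # prefixes from the post

def parse(line):
    """Return a dict for one log line, or None if it is not valid CLF."""
    m = CLF.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def summarize(lines):
    """Map hour -> IPs that fetched the forbidden page, plus error-only IPs."""
    by_hour = defaultdict(set)
    paths_by_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        paths_by_ip[rec["ip"]].append(rec["path"])
        if rec["path"] == ERROR_PAGE:
            by_hour[rec["when"].strftime("%Y-%m-%d %H:00")].add(rec["ip"])
    # Sources whose every logged request is the error page or its images:
    # whatever triggered the error page was not recorded in this log.
    error_only = sorted(
        ip for ip, paths in paths_by_ip.items()
        if ERROR_PAGE in paths and all(p.startswith(ERROR_ASSETS) for p in paths)
    )
    return dict(by_hour), error_only

SAMPLE = [  # first two lines from the post, the rest constructed
    '67.32.217.163 - - [09/Mar/2002:10:43:50 -0500] "GET /.cobalt/error/forbidden.html HTTP/1.0" 200 653',
    '67.32.217.163 - - [09/Mar/2002:10:43:51 -0500] "GET /.cobalt/images/lock_warning HTTP/1.1" 200 1139',
    '192.0.2.10 - - [09/Mar/2002:11:41:02 -0500] "GET /.cobalt/error/forbidden.html HTTP/1.0" 200 653',
    '198.51.100.7 - - [09/Mar/2002:11:50:00 -0500] "GET /example-admin/ HTTP/1.0" 200 2048',
    '198.51.100.7 - - [09/Mar/2002:11:50:05 -0500] "GET /.cobalt/error/forbidden.html HTTP/1.0" 200 653',
    'truncated or corrupt line',
]

if __name__ == "__main__":
    hours, error_only = summarize(SAMPLE)
    for hour in sorted(hours):
        print(hour, sorted(hours[hour]))
    print("error page only:", error_only)
```

Against a real log, pass the open file object to `summarize()` in place of `SAMPLE`.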
