I just installed OpenBSD on my server in early March 2007. I am
running an Apache web server out of my house. I am tracking 4.0 STABLE
which I updated the day after the latest security advisory. I recently
noticed some peculiar entries in my Apache error and access logs.

From /var/www/logs/error_log:

[Sat Mar 31 07:35:07 2007] [error] [client 211.100.33.61] File does not exist: /htdocs/Provy_OK.html
[Sat Mar 31 07:40:20 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/thisdoesnotexistahaha.php
[Sat Mar 31 07:40:21 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/cmd.php
[Sat Mar 31 07:40:21 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/Cacti/cmd.php
[Sat Mar 31 07:40:22 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/cacti/cmd.php
[Sat Mar 31 07:40:22 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/portal/cacti/cmd.php
[Sat Mar 31 07:40:22 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/portal/cmd.php
[Sat Mar 31 07:40:23 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/stats/cmd.php
[Sun Apr  1 00:11:32 2007] [error] [client 212.31.237.145] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)

From /var/www/logs/access_log:

211.100.33.61 - - [31/Mar/2007:07:35:07 -0500] "GET http://check.70.94.14.65.v.80.pdx8.super.proxy.scanner.ii.9966.org/Provy_OK.html HTTP/1.1" 404 219 "-" "-"
195.242.236.131 - - [31/Mar/2007:07:40:20 -0500] "GET /thisdoesnotexistahaha.php HTTP/1.1" 404 231 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
195.242.236.131 - - [31/Mar/2007:07:40:21 -0500] "GET /cmd.php HTTP/1.1" 404 213 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
195.242.236.131 - - [31/Mar/2007:07:40:21 -0500] "GET /Cacti/cmd.php HTTP/1.1" 404 219 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
195.242.236.131 - - [31/Mar/2007:07:40:22 -0500] "GET /cacti/cmd.php HTTP/1.1" 404 219 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
195.242.236.131 - - [31/Mar/2007:07:40:22 -0500] "GET /portal/cacti/cmd.php HTTP/1.1" 404 226 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
195.242.236.131 - - [31/Mar/2007:07:40:22 -0500] "GET /portal/cmd.php HTTP/1.1" 404 220 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
195.242.236.131 - - [31/Mar/2007:07:40:23 -0500] "GET /stats/cmd.php HTTP/1.1" 404 219 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
212.31.237.145 - - [01/Apr/2007:00:11:32 -0500] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 335 "-" "-"

Relevant sections from /var/log/pflog:

Mar 31 07:35:05.505194 rule 7/(match) pass in on sk0:
211.100.33.61.18484 > 192.168.1.200.80: S 948480759:948480759(0) win
5840 <mss 1460> (DF)
Mar 31 07:35:06.012233 rule 7/(match) pass in on sk0:
211.100.33.61.19843 > 192.168.1.200.80: S 948885882:948885882(0) win
5840 <mss 1460> (DF)
Mar 31 07:35:06.510805 rule 7/(match) pass in on sk0:
211.100.33.61.18484 > 192.168.1.200.80: F 1995884956:1995884956(0) ack
3143126464 win 5840 (DF)
Mar 31 07:35:06.510826 rule 7/(match) pass out on sk0:
192.168.1.200.80 > 211.100.33.61.18484: . ack 3247563101 win 17520
(DF)
Mar 31 07:35:06.510869 rule 7/(match) pass out on sk0:
192.168.1.200.80 > 211.100.33.61.18484: F 2034632638:2034632638(0) ack
3247563101 win 17520 (DF)
Mar 31 07:35:07.007274 rule 7/(match) pass in on sk0:
211.100.33.61.19843 > 192.168.1.200.80: P 313976237:313976414(177) ack
2599760395 win 5840 (DF)
Mar 31 07:35:07.007551 rule 7/(match) pass out on sk0:
192.168.1.200.80 > 211.100.33.61.19843: P 1628794193:1628794608(415)
ack 634909823 win 17520 (DF)
Mar 31 07:35:07.011766 rule 7/(match) pass in on sk0:
211.100.33.61.18484 > 192.168.1.200.80: . ack 2 win 5840 (DF)
Mar 31 07:35:07.012564 rule 7/(match) pass in on sk0:
211.100.33.61.18484 > 192.168.1.200.80: . ack 2 win 5840 (DF)
Mar 31 07:35:07.012577 rule 7/(match) pass out on sk0:
192.168.1.200.80 > 211.100.33.61.18484: R 882791806:882791806(0) win 0
(DF)
Mar 31 07:35:07.530603 rule 7/(match) pass in on sk0:
211.100.33.61.19843 > 192.168.1.200.80: . ack 416 win 6432 (DF)
Mar 31 07:35:07.531301 rule 7/(match) pass in on sk0:
211.100.33.61.19843 > 192.168.1.200.80: F 177:177(0) ack 416 win 6432
(DF)
Mar 31 07:35:07.531314 rule 7/(match) pass out on sk0:
192.168.1.200.80 > 211.100.33.61.19843: . ack 634909824 win 17520 (DF)
Mar 31 07:35:07.531349 rule 7/(match) pass out on sk0:
192.168.1.200.80 > 211.100.33.61.19843: F 1628794608:1628794608(0) ack
634909824 win 17520 (DF)
Mar 31 07:35:08.026078 rule 7/(match) pass in on sk0:
211.100.33.61.19843 > 192.168.1.200.80: . ack 417 win 6432 (DF)

Mar 31 07:40:20.734863 rule 7/(match) pass in on sk0:
195.242.236.131.50589 > 192.168.1.200.80: S 659790987:659790987(0) win
5840 <mss 1460,sackOK,timestamp 136657612[|tcp]> (DF)
Mar 31 07:40:20.997669 rule 7/(match) pass in on sk0:
195.242.236.131.50589 > 192.168.1.200.80: P 2993725956:2993726166(210)
ack 3385222108 win 5840 (DF)
Mar 31 07:40:20.997846 rule 7/(match) pass out on sk0:
192.168.1.200.80 > 195.242.236.131.50589: P 2654253311:2654253757(446)
ack 1961032538 win 17520 (DF)
Mar 31 07:40:20.997935 rule 7/(match) pass out on sk0:
192.168.1.200.80 > 195.242.236.131.50589: F 2654253757:2654253757(0)
ack 1961032538 win 17520 (DF)
Mar 31 07:40:21.125280 rule 7/(match) pass in on sk0:
195.242.236.131.50589 > 192.168.1.200.80: . ack 1 win 5840 (DF)
Mar 31 07:40:21.125978 rule 7/(match) pass in on sk0:
195.242.236.131.50589 > 192.168.1.200.80: . ack 448 win 6432 (DF)
Mar 31 07:40:21.127378 rule 7/(match) pass in on sk0:
195.242.236.131.50737 > 192.168.1.200.80: S 664746290:664746290(0) win
5840 <mss 1460,sackOK,timestamp 136658004[|tcp]> (DF)
Mar 31 07:40:21.391191 rule 7/(match) pass in on sk0:
195.242.236.131.50737 > 192.168.1.200.80: P 2113571543:2113571735(192)
ack 3113356922 win 5840 (DF)
Mar 31 07:40:21.391317 rule 7/(match) pass out on sk0:
192.168.1.200.80 > 195.242.236.131.50737: P 3817201007:3817201435(428)
ack 2846142236 win 17520 (DF)
Mar 31 07:40:21.391362 rule 7/(match) pass out on sk0:
192.168.1.200.80 > 195.242.236.131.50737: F 3817201435:3817201435(0)
ack 2846142236 win 17520 (DF)
Mar 31 07:40:21.517504 rule 7/(match) pass in on sk0:
195.242.236.131.50737 > 192.168.1.200.80: . ack 429 win 6432 (DF)
Mar 31 07:40:21.522697 rule 7/(match) pass in on sk0:
195.242.236.131.50887 > 192.168.1.200.80: S 664510979:664510979(0) win
5840 <mss 1460,sackOK,timestamp 136658400[|tcp]> (DF)
Mar 31 07:40:21.561540 rule 7/(match) pass in on sk0:
195.242.236.131.50737 > 192.168.1.200.80: . ack 430 win 6432 (DF)
Mar 31 07:40:21.775142 rule 7/(match) pass in on sk0:
195.242.236.131.50887 > 192.168.1.200.80: P 2492437794:2492437992(198)
ack 3989251632 win 5840 (DF)
Mar 31 07:40:21.775410 rule 7/(match) pass out on sk0:
192.168.1.200.80 > 195.242.236.131.50887: P 82340975:82341409(434) ack
2467040680 win 17520 (DF)
Mar 31 07:40:21.775464 rule 7/(match) pass out on sk0:
192.168.1.200.80 > 195.242.236.131.50887: F 82341409:82341409(0) ack
2467040680 win 17520 (DF)
Mar 31 07:40:21.903539 rule 7/(match) pass in on sk0:
195.242.236.131.50887 > 192.168.1.200.80: . ack 435 win 6432 (DF)
Mar 31 07:40:21.904946 rule 7/(match) pass in on sk0:
195.242.236.131.51029 > 192.168.1.200.80: S 660745831:660745831(0) win
5840 <mss 1460,sackOK,timestamp 136658782[|tcp]> (DF)
Mar 31 07:40:21.943478 rule 7/(match) pass in on sk0:
195.242.236.131.50887 > 192.168.1.200.80: . ack 436 win 6432 (DF)
Mar 31 07:40:22.160961 rule 7/(match) pass in on sk0:
195.242.236.131.51029 > 192.168.1.200.80: P 988101772:988101970(198)
ack 2152098786 win 5840 (DF)
Mar 31 07:40:22.161094 rule 7/(match) pass out on sk0:
192.168.1.200.80 > 195.242.236.131.51029: P 3392744663:3392745097(434)
ack 3967611554 win 17520 (DF)
Mar 31 07:40:22.161128 rule 7/(match) pass out on sk0:
192.168.1.200.80 > 195.242.236.131.51029: F 3392745097:3392745097(0)
ack 3967611554 win 17520 (DF)
Mar 31 07:40:22.295862 rule 7/(match) pass in on sk0:
195.242.236.131.51181 > 192.168.1.200.80: S 664937349:664937349(0) win
5840 <mss 1460,sackOK,timestamp 136659174[|tcp]> (DF)
Mar 31 07:40:22.296660 rule 7/(match) pass in on sk0:
195.242.236.131.51029 > 192.168.1.200.80: . ack 435 win 6432 (DF)
Mar 31 07:40:22.335204 rule 7/(match) pass in on sk0:
195.242.236.131.51029 > 192.168.1.200.80: . ack 436 win 6432 (DF)
Mar 31 07:40:22.552287 rule 7/(match) pass in on sk0:
195.242.236.131.51181 > 192.168.1.200.80: P 3218527165:3218527370(205)
ack 2376355564 win 5840 (DF)
Mar 31 07:40:22.552426 rule 7/(match) pass out on sk0:
192.168.1.200.80 > 195.242.236.131.51181: P 1533854277:1533854718(441)
ack 1741377686 win 17520 (DF)
Mar 31 07:40:22.552460 rule 7/(match) pass out on sk0:
192.168.1.200.80 > 195.242.236.131.51181: F 1533854718:1533854718(0)
ack 1741377686 win 17520 (DF)
Mar 31 07:40:22.679199 rule 7/(match) pass in on sk0:
195.242.236.131.51181 > 192.168.1.200.80: . ack 442 win 6432 (DF)
Mar 31 07:40:22.684092 rule 7/(match) pass in on sk0:
195.242.236.131.51341 > 192.168.1.200.80: S 666545637:666545637(0) win
5840 <mss 1460,sackOK,timestamp 136659562[|tcp]> (DF)
Mar 31 07:40:22.723258 rule 7/(match) pass in on sk0:
195.242.236.131.51181 > 192.168.1.200.80: . ack 443 win 6432 (DF)
Mar 31 07:40:22.944213 rule 7/(match) pass in on sk0:
195.242.236.131.51341 > 192.168.1.200.80: P 928207736:928207935(199)
ack 2939567050 win 5840 (DF)
Mar 31 07:40:22.944478 rule 7/(match) pass out on sk0:
192.168.1.200.80 > 195.242.236.131.51341: P 3342958302:3342958737(435)
ack 4033305397 win 17520 (DF)
Mar 31 07:40:22.944529 rule 7/(match) pass out on sk0:
192.168.1.200.80 > 195.242.236.131.51341: F 3342958737:3342958737(0)
ack 4033305397 win 17520 (DF)
Mar 31 07:40:23.077616 rule 7/(match) pass in on sk0:
195.242.236.131.51341 > 192.168.1.200.80: . ack 436 win 6432 (DF)
Mar 31 07:40:23.079021 rule 7/(match) pass in on sk0:
195.242.236.131.51484 > 192.168.1.200.80: S 668013181:668013181(0) win
5840 <mss 1460,sackOK,timestamp 136659956[|tcp]> (DF)
Mar 31 07:40:23.116758 rule 7/(match) pass in on sk0:
195.242.236.131.51341 > 192.168.1.200.80: . ack 437 win 6432 (DF)
Mar 31 07:40:23.331750 rule 7/(match) pass in on sk0:
195.242.236.131.51484 > 192.168.1.200.80: P 646327856:646328054(198)
ack 3743701177 win 5840 (DF)
Mar 31 07:40:23.332306 rule 7/(match) pass out on sk0:
192.168.1.200.80 > 195.242.236.131.51484: P 1661774774:1661775208(434)
ack 21685524 win 17520 (DF)
Mar 31 07:40:23.332376 rule 7/(match) pass out on sk0:
192.168.1.200.80 > 195.242.236.131.51484: F 1661775208:1661775208(0)
ack 21685524 win 17520 (DF)
Mar 31 07:40:23.458560 rule 7/(match) pass in on sk0:
195.242.236.131.51484 > 192.168.1.200.80: . ack 435 win 6432 (DF)
Mar 31 07:40:23.464347 rule 7/(match) pass in on sk0:
195.242.236.131.51341 > 192.168.1.200.80: F 199:199(0) ack 437 win
6432 (DF)
Mar 31 07:40:23.464375 rule 7/(match) pass out on sk0:
192.168.1.200.80 > 195.242.236.131.51341: . ack 4033305398 win 17520
(DF)
Mar 31 07:40:23.465247 rule 7/(match) pass in on sk0:
195.242.236.131.51181 > 192.168.1.200.80: F 205:205(0) ack 443 win
6432 (DF)
Mar 31 07:40:23.465270 rule 7/(match) pass out on sk0:
192.168.1.200.80 > 195.242.236.131.51181: . ack 1741377687 win 17520
(DF)
Mar 31 07:40:23.465546 rule 7/(match) pass in on sk0:
195.242.236.131.51484 > 192.168.1.200.80: F 198:198(0) ack 436 win
6432 (DF)
Mar 31 07:40:23.465568 rule 7/(match) pass out on sk0:
192.168.1.200.80 > 195.242.236.131.51484: . ack 21685525 win 17520
(DF)
Mar 31 07:40:23.465845 rule 7/(match) pass in on sk0:
195.242.236.131.50589 > 192.168.1.200.80: F 210:210(0) ack 448 win
6432 (DF)
Mar 31 07:40:23.465876 rule 7/(match) pass out on sk0:
192.168.1.200.80 > 195.242.236.131.50589: . ack 1961032539 win 17520
(DF)
Mar 31 07:40:23.466144 rule 7/(match) pass in on sk0:
195.242.236.131.50887 > 192.168.1.200.80: F 198:198(0) ack 436 win
6432 (DF)
Mar 31 07:40:23.466168 rule 7/(match) pass out on sk0:
192.168.1.200.80 > 195.242.236.131.50887: . ack 2467040681 win 17520
(DF)
Mar 31 07:40:23.466445 rule 7/(match) pass in on sk0:
195.242.236.131.50737 > 192.168.1.200.80: F 192:192(0) ack 430 win
6432 (DF)
Mar 31 07:40:23.466467 rule 7/(match) pass out on sk0:
192.168.1.200.80 > 195.242.236.131.50737: . ack 2846142237 win 17520
(DF)
Mar 31 07:40:23.466744 rule 7/(match) pass in on sk0:
195.242.236.131.51029 > 192.168.1.200.80: F 198:198(0) ack 436 win
6432 (DF)
Mar 31 07:40:23.466767 rule 7/(match) pass out on sk0:
192.168.1.200.80 > 195.242.236.131.51029: . ack 3967611555 win 17520
(DF)

Apr 01 00:11:32.047573 rule 7/(match) pass in on sk0:
212.31.237.145.4688 > 192.168.1.200.80: S 647726682:647726682(0) win
64512 <mss 1260,nop,nop,sackOK> (DF)
Apr 01 00:11:32.314156 rule 7/(match) pass in on sk0:
212.31.237.145.4688 > 192.168.1.200.80: P 3890426427:3890426473(46)
ack 2587319106 win 64512 (DF)
Apr 01 00:11:32.314319 rule 7/(match) pass out on sk0:
192.168.1.200.80 > 212.31.237.145.4688: P 2148181408:2148181960(552)
ack 1052267598 win 17640 (DF)
Apr 01 00:11:32.314371 rule 7/(match) pass out on sk0:
192.168.1.200.80 > 212.31.237.145.4688: F 2148181960:2148181960(0) ack
1052267598 win 17640 (DF)
Apr 01 00:11:32.450753 rule 7/(match) pass in on sk0:
212.31.237.145.4688 > 192.168.1.200.80: . ack 1 win 64512 (DF)
Apr 01 00:11:32.453148 rule 7/(match) pass in on sk0:
212.31.237.145.4688 > 192.168.1.200.80: R 46:46(0) ack 554 win 0 (DF)
Apr 01 00:11:32.453847 rule 7/(match) pass in on sk0:
212.31.237.145.4688 > 192.168.1.200.80: . ack 554 win 63960 (DF)
Apr 01 00:11:32.453860 rule 7/(match) pass out on sk0:
192.168.1.200.80 > 212.31.237.145.4688: R 440533770:440533770(0) win 0
(DF)

I have not noticed any weirdness in any other log files. What can I
do to stop this from happening? Thanks in advance.

--
Sean Malloy
Registered GNU/Linux User #417855
Happy Hacking! ;-)
www.catgrepsort.com
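
Added example, not part of the original post: a triage script for access_log entries like the ones quoted above. It tags clients by three patterns visible in these logs: absolute-URI requests, 400 responses, and bursts of 404s from one client. The function names, tag names and the burst threshold (5 misses in 10 seconds) are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: host ident user [time] "request" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+')
D, UA = "31/Mar/2007:07:40:", '"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"'
# access_log entries from the post, mail wrapping removed (one request per line).
SAMPLE = [
    '211.100.33.61 - - [31/Mar/2007:07:35:07 -0500] "GET http://check.70.94.14.65'
    '.v.80.pdx8.super.proxy.scanner.ii.9966.org/Provy_OK.html HTTP/1.1" 404 219 "-" "-"',
    f'195.242.236.131 - - [{D}20 -0500] "GET /thisdoesnotexistahaha.php HTTP/1.1" 404 231 {UA}',
    f'195.242.236.131 - - [{D}21 -0500] "GET /cmd.php HTTP/1.1" 404 213 {UA}',
    f'195.242.236.131 - - [{D}21 -0500] "GET /Cacti/cmd.php HTTP/1.1" 404 219 {UA}',
    f'195.242.236.131 - - [{D}22 -0500] "GET /cacti/cmd.php HTTP/1.1" 404 219 {UA}',
    f'195.242.236.131 - - [{D}22 -0500] "GET /portal/cacti/cmd.php HTTP/1.1" 404 226 {UA}',
    f'195.242.236.131 - - [{D}22 -0500] "GET /portal/cmd.php HTTP/1.1" 404 220 {UA}',
    f'195.242.236.131 - - [{D}23 -0500] "GET /stats/cmd.php HTTP/1.1" 404 219 {UA}',
    '212.31.237.145 - - [01/Apr/2007:00:11:32 -0500] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 335 "-" "-"',
]

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    host, ts, req, status = m.groups()
    parts = req.split()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return host, when, parts[1] if len(parts) > 1 else "", int(status)

def triage(lines, burst=5, window=timedelta(seconds=10)):
    """Map each suspicious client to its sorted list of tags."""
    tags, misses = defaultdict(set), defaultdict(list)
    for host, when, target, status in filter(None, map(parse, lines)):
        if target.lower().startswith(("http://", "https://")):
            tags[host].add("proxy-probe")   # absolute-URI: asks us to relay
        if status == 400:
            tags[host].add("malformed-request")
        if status == 404:
            misses[host].append(when)
    for host, times in misses.items():
        times.sort()
        # `burst` 404s inside `window` from one client: path guessing
        if any(b - a <= window for a, b in zip(times, times[burst - 1:])):
            tags[host].add("404-burst")
    return {h: sorted(t) for h, t in tags.items()}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

All three clients in the post received only 404 or 400 responses, so none of the requested files was served.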
