Hi Theresa, my guess is that you are probably a victim of web crawlers more than anything else. In any case it would be interesting to search those source IPs in IP reputation databases to see if those are well-known attackers.

Has anyone on this list used an IP reputation database in a CDB list? I would probably try something like that and see how it goes.

Best

On Fri, Jul 24, 2015 at 12:32 PM, theresa mic-snare <[email protected]> wrote:
> hi folks,
>
> I need some help with interpreting webserver logfiles (apache logs).
> While setting up my ossec-test environment for my thesis project, I've also set up a wordpress on an apache webserver as a "honeypot". Although there's no real content, except the standard wordpress posts & pages that come with the installation, I already have some "visitors". I see these dubious looking requests. I'm not sure if these are threats/attacks against my wordpress installation.
> I'm not really familiar with apache logs, but I need some threats/attacks to explain in my thesis. I thought this would be the best way to get started.
>
> I have PLENTY of the following requests in my httpd logs
>
> Src IP: 115.239.228.8
> 115.239.228.8 - - [24/Jul/2015:19:22:42 +0200] "GET http://zc.qq.com/cgi-bin/common/attr?id=260714&r=0.7636925813952972 HTTP/1.1" 404 292 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; 360SE)"
>
> Judging by the HTTP status code it's not really a threat, right? It's probably just some hacker with a tool who's looking for vulnerabilities? Or is this just nonsense/junk?
>
> Received From: tron->/var/log/httpd/access_log
> Rule: 31515 fired (level 6) -> "PHPMyAdmin scans (looking for setup.php)."
> Portion of the log(s):
>
> 178.33.154.144 - - [24/Jul/2015:11:55:15 +0200] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 403 309 "-" "-"
>
> also this
> Received From: tron->/var/log/httpd/access_log
> Rule: 31101 fired (level 5) -> "Web server 400 error code."
> Portion of the log(s):
>
> 202.137.235.243 - - [24/Jul/2015:07:34:11 +0200] "HEAD /ossec-wui/index.php HTTP/1.1" 401 - "-" "-"
>
> I'm surprised they found out about it..... glad I protected it with htaccess and they didn't come in. ;)
>
> and lots of other requests that return HTTP 403 (forbidden) or 404 (not found)
>
> I'm not quite sure what to make of it.
> I didn't realise my server was so exposed.... did they just find the IP by scanning for http ports?!
>
> looking forward to some feedback,
> theresa
>
> --
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
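The triage the reply suggests, as an added example that is not code from the list or from the OSSEC project: parse the Apache combined-log lines quoted above, count 4xx responses per source IP, and check each IP against a stand-in for the reputation feed one would load into an OSSEC CDB list. The reputation entry, the probe-path list and the `parse_line`/`classify`/`triage` helpers are constructed for this demonstration, not the output of any real lookup.

```python
import re
from collections import Counter, defaultdict

# Apache combined log: client IP, identd, user, [timestamp], "request line", status, size, "referer", "UA".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Stand-in for an IP reputation feed loaded into an OSSEC CDB list; the entry is a constructed sample.
REPUTATION = {"178.33.154.144": "listed scanner (constructed sample entry)"}
# Paths that indicate probing for admin tooling rather than browsing the WordPress site.
PROBE_PATHS = ("/phpmyadmin/", "/ossec-wui/", "/setup.php")

def parse_line(line):
    """Parse one access_log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def classify(rec):
    """Reasons a parsed request looks like scanner or crawler traffic (empty list if none)."""
    reasons, target = [], rec["target"].lower()
    if target.startswith(("http://", "https://")):
        reasons.append("absolute-URI request target (typical of open-proxy checks)")
    if any(p in target for p in PROBE_PATHS):
        reasons.append("admin-tool probe")
    if rec["ip"] in REPUTATION:
        reasons.append("IP on reputation list: " + REPUTATION[rec["ip"]])
    return reasons

def triage(lines):
    """Per source IP: sorted reasons plus a count of 4xx responses (many 4xx from one IP = scanning)."""
    findings, errors = defaultdict(set), Counter()
    for rec in filter(None, map(parse_line, lines)):
        if 400 <= rec["status"] < 500:
            errors[rec["ip"]] += 1
        findings[rec["ip"]].update(classify(rec))
    return {ip: {"reasons": sorted(r), "client_errors": errors[ip]} for ip, r in findings.items()}

# The three requests quoted in the thread above.
SAMPLE_LOG = [
    '115.239.228.8 - - [24/Jul/2015:19:22:42 +0200] "GET http://zc.qq.com/cgi-bin/common/attr?id=260714&r=0.7636925813952972 HTTP/1.1" 404 292 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; 360SE)"',
    '178.33.154.144 - - [24/Jul/2015:11:55:15 +0200] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 403 309 "-" "-"',
    '202.137.235.243 - - [24/Jul/2015:07:34:11 +0200] "HEAD /ossec-wui/index.php HTTP/1.1" 401 - "-" "-"',
]
```

Calling `triage(SAMPLE_LOG)` returns one entry per source IP; the absolute-URI request and the admin-path probes are flagged by pattern, while the reputation hit only appears for the IP present in the CDB stand-in.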
