Unfortunately what you are seeing is business as usual on the web these days. There are scripts running everywhere to try to break into computers and own them by using pretty much every web server vulnerability ever known. Just be sure that everything on your machine is turned off if it need not be on, and if ssh is open to the world, move it to a different port to stop the dictionary scans.
W AM wrote: > Hello, > I have my centos 4.2 toaster in production for about 300 user's. > Everything seems to be working fine except, when I tail my httpd > access_log. I see thousands(per day) of bots and third party rejects > getting 404 errors. > When crond sends me my morning report its in MB's and growing. > We start with failed attempts to connect to mod_proxy > small example: > 172.179.95.251 -> steganos.asknet.de:443 : 2 Time(s) > 172.180.18.216 -> steganos.asknet.de:443 : 4 Time(s) > 172.181.3.40 -> steganos.asknet.de:443 : 2 Time(s) > 172.183.66.100 -> steganos.asknet.de:443 : 4 Time(s) > 172.186.0.222 -> steganos.asknet.de:443 : 4 Time(s) > 172.211.123.88 -> steganos.asknet.de:443 : 4 Time(s) > then the other attemps are logged... today we logged over 3300 attemps > another micro snippet: > GET > http://202.43.219.19/config/login?.patner=sbc&login=drichmond&passwd=duke&.save=1 > HTTP/1.0 with response code(s) 2 404 responses > GET > http://209.73.177.65/config/login?.done=http://smallbusiness.yahoo.com/services/index.php&.src=sbs&login=lover_boy_99_ca&passwd=lisa > HTTP/1.0 with response code(s) 2 404 responses > GET > http://us.a1.yimg.com/login.india.yahoo.com/config/login?login=iceman_____98_1&passwd=yahoo > HTTP/1.0 with response code(s) 2 404 responses > GET > http://us.geo1.yimg.com/login.yahoo.com/config/login?login=kelsey___15&passwd=yahoo > HTTP/1.0 with response code(s) 2 404 responses > GET > http://217.12.4.64/config?&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=Polykirl&passwd=pooh > HTTP/1.0 with response code(s) 2 404 responses > GET http://techslave.com/index.php/TechSlave_Security_News?disp=stats > HTTP/1.1 with response code(s) 2 404 responses > ######################################################### > So I made sure that mod_proxy is commented out in the httpd.conf file and > httpd is re started. Still my logs grow > At one point I have seen the GET turn to WGET which seems like a dangerous > call comming from the outside world. > > Can someone explain to me what is happening and or how to protect myself. > I feel like fowarding all my user's and everybody else to /dev/null and > getting off the grid ! > > > --------------------------------------------------------------------- > QmailToaster hosted by: VR Hosted <http://www.vr.org> > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > --------------------------------------------------------------------- QmailToaster hosted by: VR Hosted <http://www.vr.org> --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
