Re: [CentOS] What is someone trying to do?
On Sun, Jun 12, 2011 at 4:59 PM, R P Herrold herr...@owlriver.com wrote: This was covered by me in a blog post some time ago, as to my approach: http://orcorc.blogspot.com/2010/06/reading-logs-part-3-run-your-updates.html The rationale for having a redirect (offsite, back to the proper's localhost) is to quell noise from the probing, that would otherwise land in Logwatch reports I'm glad I asked, that's a nice technique. Also, the same probing scripts seem to wash around and after a while, one has most of them identified, and in the redirect file To get folks started, I've pushed my local packaging of rules 'outside' under a GPLv3+ license in SRPM form at: ftp://ftp.owlriver.com/pub/mirror/ORC/deepsix/ Thanks for the rpm. Cheers, Mike ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] What is someone trying to do?
On 06/11/2011 10:42 PM st...@echo.id.au wrote: On Sat, Jun 11, 2011 at 06:14:36PM -0700, Jason wrote: Hi All, My Logwatch was very long today with 404 requests to the Apache server. I dont understand what the person was trying to do by what they were attempting to access. Can anyone explain a method to their madness? The whole things seems weird... Taking one of the probed requests from your email, it turns up a hit for jQuery: /jquery-1.4.4.min.js So my guess is they're fuzzing/scanning for potential weaknesses in jQuery... For those managing web sites it would be good to acquire such scripts and run them in pre-production as system tests. So where do we get scripts such as the one run against Jason's site? ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] What is someone trying to do?
So my guess is they're fuzzing/scanning for potential weaknesses in jQuery... For those managing web sites it would be good to acquire such scripts and run them in pre-production as system tests. So where do we get scripts such as the one run against Jason's site? I don't know if this is exactly what you're looking for, but you might check out Nikto http://cirt.net/Nikto2 Barry ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] What is someone trying to do?
On 06/12/2011 10:21 AM Barry Brimer wrote: So my guess is they're fuzzing/scanning for potential weaknesses in jQuery... For those managing web sites it would be good to acquire such scripts and run them in pre-production as system tests. So where do we get scripts such as the one run against Jason's site? I don't know if this is exactly what you're looking for, but you might check out Nikto http://cirt.net/Nikto2 Barry That's interesting and useful in its way. But I'd prefer to use the same scripts used by the actual crackers/bots. Not only would I be able to test my sites with them, but I'd be able to recognize the probes/attacks when they appear in logs as they did for Jason. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] What is someone trying to do?
On Sun, Jun 12, 2011 at 1:49 PM, ken geb...@mousecar.com wrote: That's interesting and useful in its way. But I'd prefer to use the same scripts used by the actual crackers/bots. Not only would I be able to test my sites with them, but I'd be able to recognize the probes/attacks when they appear in logs as they did for Jason. There are many different scripts out there. I never bothered trying to find the scripts, just keep an eye on the web server logs, /var/log/secure and the syslog. When you see attempts to fetch things that are not installed on your system it is usually someone up to no good. Mike ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] What is someone trying to do?
On Sun, Jun 12, 2011 at 1:49 PM, ken geb...@mousecar.com (mailto:geb...@mousecar.com) wrote: That's interesting and useful in its way. But I'd prefer to use the same scripts used by the actual crackers/bots. Not only would I be able to test my sites with them, but I'd be able to recognize the probes/attacks when they appear in logs as they did for Jason. There are many different scripts out there. I never bothered trying to find the scripts, just keep an eye on the web server logs, /var/log/secure and the syslog. When you see attempts to fetch things that are not installed on your system it is usually someone up to no good. Well, I was creating ReWrite rules and directing to 301 when something came in that was not on my system, but it does involve almost daily editing of the rules to keep up with the new invalid requests that I see everyday. -Jason ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] What is someone trying to do?
On Sun, Jun 12, 2011 at 1:49 PM, ken geb...@mousecar.com (mailto:geb...@mousecar.com) wrote: That's interesting and useful in its way. But I'd prefer to use the same scripts used by the actual crackers/bots. Not only would I be able to test my sites with them, but I'd be able to recognize the probes/attacks when they appear in logs as they did for Jason. There are many different scripts out there. I never bothered trying to find the scripts, just keep an eye on the web server logs, /var/log/secure and the syslog. When you see attempts to fetch things that are not installed on your system it is usually someone up to no good. Well, I was creating ReWrite rules and directing to 301 when something came in that was not on my system, but it does involve almost daily editing of the rules to keep up with the new invalid requests that I see everyday. -Jason ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] What is someone trying to do?
On Sun, Jun 12, 2011 at 3:19 PM, Jason slackmoehrle.li...@gmail.com wrote: When you see attempts to fetch things that are not installed on your system it is usually someone up to no good. Well, I was creating ReWrite rules and directing to 301 when something came in that was not on my system, but it does involve almost daily editing of the rules to keep up with the new invalid requests that I see everyday. -Jason Do you edit rewrite rules for every access that would otherwise be a 404 and change it to a 301? If so, what do you redirect them to, and why? Sounds like a lot of work. My experience has been that they tend to go away if they get 404 (not found) errors. I have noticed, though, that sometimes I seem to get hit with a similar pattern of requests from different IP addresses. Just guessing that multiple different people find the same script or list of stuff to feed a script, and independently try the same requests from different places. Mike ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
[CentOS] What is someone trying to do?
On Sun, 12 Jun 2011, Mike Williams wrote: Do you edit rewrite rules for every access that would otherwise be a 404 and change it to a 301? If so, what do you redirect them to, and why? Sounds like a lot of work. This was covered by me in a blog post some time ago, as to my approach: http://orcorc.blogspot.com/2010/06/reading-logs-part-3-run-your-updates.html The rationale for having a redirect (offsite, back to the proper's localhost) is to quell noise from the probing, that would otherwise land in Logwatch reports The effort for maintaining the rules is minor compared to that of wading through logwatch reports full of cruft, multiplied by however many webhosts one reads log files for. As I read a couple hundred logwatch reports each morning, a significant win for me ... Also, the same probing scripts seem to wash around and after a while, one has most of them identified, and in the redirect file To get folks started, I've pushed my local packaging of rules 'outside' under a GPLv3+ license in SRPM form at: ftp://ftp.owlriver.com/pub/mirror/ORC/deepsix/ -- Russ herrold ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] What is someone trying to do?
Russ, On Sun, 12 Jun 2011, Mike Williams wrote: Do you edit rewrite rules for every access that would otherwise be a 404 and change it to a 301? If so, what do you redirect them to, and why? Sounds like a lot of work. This was covered by me in a blog post some time ago, as to my approach: http://orcorc.blogspot.com/2010/06/reading-logs-part-3-run-your-updates.html I used the approach based upon your blog posts. To get folks started, I've pushed my local packaging of rules 'outside' under a GPLv3+ license in SRPM form at: ftp://ftp.owlriver.com/pub/mirror/ORC/deepsix/ Thanks, I will take a look and compare to what I am doing. Thanks for being so helpful. -Jason ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
[CentOS] What is someone trying to do?
Hi All, My Logwatch was very long today with 404 requests to the Apache server. I dont understand what the person was trying to do by what they were attempting to access. Can anyone explain a method to their madness? The whole things seems weird... Below -Jason -- Requests with error response codes 404 Not Found /!document.body: 1 Time(s) /.exec: 1 Time(s) /.google-analytics.com/ga.js (http://google-analytics.com/ga.js): 1 Time(s) /.player.play: 1 Time(s) /J.cur: 1 Time(s) /Math.pow: 1 Time(s) /VideoJS.isIE: 1 Time(s) /a: 2 Time(s) /apple-touch-icon-precomposed.png: 2 Time(s) /apple-touch-icon.png: 2 Time(s) /blue_bg.png: 1 Time(s) /event.type: 1 Time(s) /favicon.ico: 4 Time(s) /fn.call: 1 Time(s) /lib/flash/mediaroom/video/apple_history/t ... nerds_part1.mp4: 1 Time(s) /lib/flash/mediaroom/video/apple_history/w ... o_macintosh.mp4: 1 Time(s) /lib/js/!==location.host: 1 Time(s) /lib/js/!Fa.test: 1 Time(s) /lib/js/!b.orig: 1 Time(s) /lib/js/!c.data: 1 Time(s) /lib/js/!d.guid: 1 Time(s) /lib/js/!h.guid: 1 Time(s) /lib/js/!h.handler.guid: 1 Time(s) /lib/js/!ia.test: 1 Time(s) /lib/js/!s!x.test: 1 Time(s) /lib/js/!t.body: 1 Time(s) /lib/js/$.exec: 1 Time(s) /lib/js/%25d;c.data: 1 Time(s) /lib/js/!/!=/.test: 1 Time(s) /lib/js/!Ca.test: 1 Time(s) /lib/js/!F.call: 1 Time(s) /lib/js/!eb.test: 1 Time(s) /lib/js/!o.match.ID.test: 1 Time(s) /lib/js/!st.body: 1 Time(s) /lib/js/$a.test: 1 Time(s) /lib/js/Da.test: 1 Time(s) /lib/js/Ua.test: 1 Time(s) /lib/js/c.css: 1 Time(s) /lib/js/c.data: 1 Time(s) /lib/js/c.timers.push: 1 Time(s) /lib/js/e.old.call: 1 Time(s) /lib/js/jb.test: 1 Time(s) /lib/js/ta.test: 1 Time(s) /lib/js/+a.guid: 1 Time(s) /lib/js/+c.now: 1 Time(s) /lib/js/,I=J.cur: 1 Time(s) /lib/js/,N.call: 1 Time(s) /lib/js/,a.now: 1 Time(s) /lib/js/,b.find: 1 Time(s) /lib/js/,d=b.css: 1 Time(s) /lib/js/,e=Ia.test: 1 Time(s) /lib/js/,e=d.html: 1 Time(s) /lib/js/,f=c.data: 1 Time(s) /lib/js/,k=c.css: 1 Time(s) /lib/js/,l=c.css: 1 Time(s) /lib/js/,l=qb.test: 1 Time(s) /lib/js/,w=c.data: 1 Time(s) /lib/js/-1?c.map: 1 Time(s) /lib/js/-Math.cos: 1 Time(s) /lib/js/.length,style:/red/.test: 1 Time(s) /lib/js/0n.exec: 1 Time(s) /lib/js/0,a.now: 1 Time(s) /lib/js/0?this.bind: 1 Time(s) /lib/js/1i.nodeType===9!Oo.match.ID.test: 1 Time(s) /lib/js/1x.exec: 1 Time(s) /lib/js/512b===t!Ca.test: 1 Time(s) /lib/js/:Ja.test: 1 Time(s) /lib/js/:O.call: 1 Time(s) /lib/js/:a.now: 1 Time(s) /lib/js/:c.css: 1 Time(s) /lib/js/:c.data: 1 Time(s) /lib/js/:c.each: 1 Time(s) /lib/js/:f.css: 1 Time(s) /lib/js/:this.die: 1 Time(s) /lib/js/:w.open: 1 Time(s) /lib/js/;Za.test: 1 Time(s) /lib/js/;b.each: 1 Time(s) /lib/js/;b.map: 1 Time(s) /lib/js/;c.curCSS=c.css;c.each: 1 Time(s) /lib/js/;c.data: 1 Time(s) /lib/js/;c.each: 1 Time(s) /lib/js/;c.event.add: 1 Time(s) /lib/js/;dh.each: 1 Time(s) /lib/js/;d.filter=Ea.test: 1 Time(s) /lib/js/;d.text: 1 Time(s) /lib/js/;e.call: 1 Time(s) /lib/js/;f.className=c.trim: 1 Time(s) /lib/js/;f=c.data: 1 Time(s) /lib/js/;h.html: 1 Time(s) /lib/js/;j=L.exec: 1 Time(s) /lib/js/;o+=Math.max: 1 Time(s) /lib/js/;r.remover.remove.call: 1 Time(s) /lib/js/;this.each: 1 Time(s) /lib/js/;this.options.complete.call: 1 Time(s) /lib/js/;v!==Hz.push: 1 Time(s) /lib/js/===a.type?f.push: 1 Time(s) /lib/js/Ba.exec: 1 Time(s) /lib/js/C.add: 1 Time(s) /lib/js/C.push: 1 Time(s) /lib/js/C.test: 1 Time(s) /lib/js/D.pop: 1 Time(s) /lib/js/Fa.test: 1 Time(s) /lib/js/Gs.call: 1 Time(s) /lib/js/Na.test: 1 Time(s) /lib/js/T.test: 1 Time(s) /lib/js/aa.type: 1 Time(s) /lib/js/a,b,this.handle.elem: 1 Time(s) /lib/js/a.call: 1 Time(s) /lib/js/a.nodeType===1a!==bd.push: 1 Time(s) /lib/js/a.style.display=c.data: 1 Time(s) /lib/js/bb.type: 1 Time(s) /lib/js/b.beforeSendb.beforeSend.call: 1 Time(s) /lib/js/b.data: 1 Time(s) /lib/js/b.dataT.test: 1 Time(s) /lib/js/b.map: 1 Time(s) /lib/js/b.type: 1 Time(s) /lib/js/b.url: 1 Time(s) /lib/js/b.url;if(!d)%7Bvar: 1 Time(s) /lib/js/b===b.ownerDocument.body: 1 Time(s) /lib/js/b=b.call: 1 Time(s) /lib/js/c.css: 1 Time(s) /lib/js/c.data: 1 Time(s) /lib/js/c.each: 1 Time(s) /lib/js/c.event.add: 1 Time(s) /lib/js/c.offset.doesAddBorderForTableAndCellsxb.test: 1 Time(s) /lib/js/d.call: 1 Time(s) /lib/js/d.exec: 1 Time(s) /lib/js/d.guid===C.guid: 1 Time(s) /lib/js/d.push: 1 Time(s) /lib/js/d=k.set: 1 Time(s) /lib/js/e.call: 1 Time(s) /lib/js/e.old: 1 Time(s) /lib/js/e.push: 1 Time(s) /lib/js/e=c.data: 1 Time(s) /lib/js/e=d.nodeType?c.data: 1 Time(s) /lib/js/e=h.get: 1 Time(s) /lib/js/f,a,bb.call: 1 Time(s) /lib/js/f.call: 1 Time(s) /lib/js/f.push: 1 Time(s) /lib/js/f=k.get: 1 Time(s) /lib/js/function(i)%7Breturn%20i.getAttrib ... %20class='TEST': 1 Time(s) /lib/js/h.html: 1 Time(s) /lib/js/h=c.data: 1 Time(s) /lib/js/j.call: 1 Time(s) /lib/js/ja.test: 1 Time(s) /lib/js/m.push: 1 Time(s) /lib/js/n.push: 1 Time(s) /lib/js/o.match.POS.test: 1 Time(s) /lib/js/o=sb.exec: 1 Time(s) /lib/js/q.expr,q.set: 1 Time(s) /lib/js/q=D.pop: 1 Time(s) /lib/js/q=d.exec: 1 Time(s) /lib/js/r=c.map: 1 Time(s)
Re: [CentOS] What is someone trying to do?
My Logwatch was very long today with 404 requests to the Apache server. I dont understand what the person was trying to do by what they were attempting to access. Can anyone explain a method to their madness? The whole things seems weird... Requests with error response codes 404 Not Found /!document.body: 1 Time(s) /.exec: 1 Time(s) snip Probing your web server for known vulnerabilities/information gathering. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] What is someone trying to do?
I get that, Barry, what I dont get is what vulnerabilities they think they are going to find. -- Jason On Saturday, June 11, 2011 at 6:41 PM, Barry Brimer wrote: My Logwatch was very long today with 404 requests to the Apache server. I dont understand what the person was trying to do by what they were attempting to access. Can anyone explain a method to their madness? The whole things seems weird... Requests with error response codes 404 Not Found /!document.body: 1 Time(s) /.exec: 1 Time(s) snip Probing your web server for known vulnerabilities/information gathering. ___ CentOS mailing list CentOS@centos.org (mailto:CentOS@centos.org) http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] What is someone trying to do?
On Sat, Jun 11, 2011 at 06:14:36PM -0700, Jason wrote: Hi All, My Logwatch was very long today with 404 requests to the Apache server. I dont understand what the person was trying to do by what they were attempting to access. Can anyone explain a method to their madness? The whole things seems weird... Taking one of the probed requests from your email, it turns up a hit for jQuery: /jquery-1.4.4.min.js So my guess is they're fuzzing/scanning for potential weaknesses in jQuery... Steve ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] What is someone trying to do?
On 06/11/11 6:14 PM, Jason wrote: I dont understand what the person was trying to do its not really a person... its a bot script, running on another infected host, thats just blindly trying long lists of known exploits hoping to find a weakness. -- john r pierceN 37, W 122 santa cruz ca mid-left coast ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
