Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations IamaSherpa on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Is this a hack or exploit attempt?

Status
Not open for further replies.
smah

smah

MIS
Sep 4, 2002
9,396
US
Starting yesterday, there are many of these entries in my access logs. They are all from different IP address - 1 'Get' per address. They are showing up in the log for the first VirtualHost which is only accessible by IP address, not name (this is an intentional configuration controlled by DNS configuration & Hostname). There is no agent info & apache seems to be serving the default page as it should, but not the images on the default page.

Nothing bad seems to be happening, & I have a suspicion about what this is & why it started, but I just wanted other thoughts to make sure. Below is a small excerpt from the access log (with IP's removed):

Code: 
[i]requesting IP[/i] - - [05/Feb/2006:06:18:20 -0500] "GET / HTTP/1.0" 200 7762 "-" "-"
[i]requesting IP[/i] - - [05/Feb/2006:06:27:34 -0500] "GET / HTTP/1.0" 200 7762 "-" "-"
[i]requesting IP[/i] - - [05/Feb/2006:06:50:28 -0500] "GET / HTTP/1.0" 200 7762 "-" "-"
[i]requesting IP[/i] - - [05/Feb/2006:06:52:46 -0500] "GET / HTTP/1.0" 200 7762 "-" "-"
[i]requesting IP[/i] - - [05/Feb/2006:06:55:56 -0500] "GET / HTTP/1.0" 200 7762 "-" "-"
[i]requesting IP[/i] - - [05/Feb/2006:06:59:36 -0500] "GET / HTTP/1.0" 200 7762 "-" "-"
[i]requesting IP[/i] - - [05/Feb/2006:07:11:12 -0500] "GET / HTTP/1.0" 200 7762 "-" "-"
[i]requesting IP[/i] - - [05/Feb/2006:07:14:37 -0500] "GET / HTTP/1.0" 200 7762 "-" "-"
[i]requesting IP[/i] - - [05/Feb/2006:07:23:45 -0500] "GET / HTTP/1.0" 200 7762 "-" "-"
[i]requesting IP[/i] - - [05/Feb/2006:07:25:24 -0500] "GET / HTTP/1.0" 200 7762 "-" "-"

Thanks for your thoughts & info.
 
Sort by date Sort by votes
I have no doubt that it's a bot of some sort, but most search engine bots will identify themselves. I have hundreds of these - all from entirely different addresses that seem to be just personal computers on the internet. And this all started very suddenly & they are requesting the public IP address - not any domain name.

My suspicion is that someone installed a file sharing application or something similar that & those requests (from others around the world using that same app) are being routed to apache.

I just wanted to make sure there wasn't something else going on before I start a witch hunt.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

SamBones
  • Locked
  • Question
How Do I Start/Stop Systemd Services as a non-root User?
Replies
2
Views
644
gbaughma
gbaughma
donald lepariku
  • Locked
  • Question
Error: 694, Severity: 24, State: 10 An attempt was made to read logical page '153', virtpage '616' f 1
Replies
3
Views
299
spamjim
spamjim
SamBones
  • Locked
  • Question
CentOS is Dead? 1
Replies
0
Views
183
SamBones
SamBones
spamjim
  • Locked
  • Question
Sorting out NTFS filesystem issues
Replies
0
Views
207
spamjim
spamjim
Steve Bowman
  • Locked
  • Question
I have a Debian server (buster) I h
Replies
0
Views
139
Steve Bowman
Steve Bowman

Part and Inventory Search

Sponsor

Back
Top