
Is this Hack atack?

Status
Not open for further replies.

eudoxus (Programmer, CA)
Jul 26, 2007
Hi


I found this unusual line in my Apache logs.
Usually I get regular HTTP requests, HEADER, GET, POST... etc... but this is something completely new!!! No idea what that is supposed to mean.

64.231.93.61 - - [26/Jul/2007:21:52:41 -0400] "recipientid=101&sessionid=5459" 200 6357

Does this "recipientid=101&sessionid=5459" mean somebody is logging in to my system without my knowledge???
Should I be alarmed???

please help.

regards

ron
 
Hi

Is that the exact log line? Are those parameters valid for any of your pages?

If it is that single line then it is probably the mistake of some buggy software: downloader, crawler, validator, link checker, proxy, etcetera. In that case I would not be worried.

If there are many lines like that, then it is probably an attack and I would enforce the rules in the firewall to filter out those requests before they reach the web server.

In any case I would take a closer look at why status 200 OK was returned in case it should not have been.

By the way, please do not use the term "hack" as alternative for cracking.

Feherke.
 
That is the exact log line.
It is a single line that is coming from ( by whois: Bell Sympatico ) but it is popping up every 7 to 10 days.
"why status 200 OK was returned in case it should not." that is exactly why I am a bit concerned. It returns status 200!!!
 
It happened again!
And it looks like it is coming in intervals of 4 days.

64.231.122.36 - - [22/Jul/2007:22:23:37 -0400] "recipientid=101&sessionid=8175" 200 6390

64.231.93.61 - - [26/Jul/2007:21:52:41 -0400] "recipientid=101&sessionid=5459" 200 6357

64.231.120.154 - - [30/Jul/2007:22:33:32 -0400] "recipientid=101&sessionid=8089" 200 6359 "-" "-"
 
Hi

Honestly, I am not an expert in such things. As attackers should be stopped before they reach the web server, I suggest trying to post in forum83. No idea about that forum, but logically they should be able to give you better advice on stopping those requests.

Regarding Apache, I would use a Deny directive to refuse any request from 64.231.*.* IP addresses:
Code:
Deny from 64.231
By the way, your log does not contain the request method. What is the configuration of that log ?

Feherke.
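As an added example (not code posted in this thread), a small Python script that carries out the checks Feherke suggests on the lines Ron quoted: it flags request fields that lack a method, confirms they were answered with 200, groups them by the leading octets a Deny on 64.231 would cover, and checks the claimed 4-day interval. The 192.0.2.10 control line is constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Apache common/combined log prefix; the quoted request field is what we inspect.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# A well-formed request field reads "METHOD URI PROTOCOL", e.g. "GET / HTTP/1.1".
REQ_RE = re.compile(r'^[A-Z]+ \S+ HTTP/\d\.\d$')

# Sample input: the three lines quoted in the thread plus one constructed,
# well-formed request (192.0.2.10 is a documentation address) as a control.
SAMPLE_LOG = """\
64.231.122.36 - - [22/Jul/2007:22:23:37 -0400] "recipientid=101&sessionid=8175" 200 6390
64.231.93.61 - - [26/Jul/2007:21:52:41 -0400] "recipientid=101&sessionid=5459" 200 6357
64.231.120.154 - - [30/Jul/2007:22:33:32 -0400] "recipientid=101&sessionid=8089" 200 6359 "-" "-"
192.0.2.10 - - [30/Jul/2007:22:40:00 -0400] "GET /index.html HTTP/1.1" 200 1234
"""

def parse(line):
    """Split one log line into its fields, or return None if it is not Apache-shaped."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_malformed(log_text):
    """Entries whose request field lacks the METHOD URI PROTOCOL shape."""
    entries = (parse(line) for line in log_text.splitlines())
    return [e for e in entries if e and not REQ_RE.match(e["req"])]

def served_ok(entries):
    """The subset the server answered with 200, which is the part worth explaining."""
    return [e for e in entries if e["status"] == "200"]

def by_prefix(entries, octets=2):
    """Count hits per leading IP octets, to see whether a Deny on a prefix would cover them."""
    return Counter(".".join(e["ip"].split(".")[:octets]) for e in entries)

def gap_days(entries):
    """Rounded number of days between consecutive hits, to check a claimed interval."""
    stamps = [datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z") for e in entries]
    return [round((b - a).total_seconds() / 86400) for a, b in zip(stamps, stamps[1:])]
```

Run against a real access log, a non-empty `find_malformed` result answered with 200 is the case to investigate in the vhost or CustomLog configuration before adding a Deny.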
 