Monday, September 29, 2014

centos - Weird access log on my server




Every day, one IP, 58.218.204.110, tries to get a non-existent file, hxxp://216.245.205.74/judge.php, from my server. The IP 216.245.205.74 is not my server's IP. Do I just ignore it, or is there a problem? Thanks.



Wordpress stats:



Date Time IP Threat Page OS Browser



August 4, 2010 13:23:07 58.218.204.110 0 hxxp://216.245.205.74/judge.php Windows XP Internet Explorer 6



August 4, 2010 10:08:53 58.218.204.110 0 hxxp://216.245.205.74/judge.php Windows XP Internet Explorer 6




August 4, 2010 06:58:07 58.218.204.110 0 hxxp://216.245.205.74/judge.php Windows XP Internet Explorer 6



Access Log:



58.218.204.110 - - [30/Jul/2010:01:01:25 -0700] "GET hxxp://216.245.205.74/judge.php hxxp/1.1" 404 286 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"



58.218.204.110 - - [30/Jul/2010:03:49:36 -0700] "GET hxxp://216.245.205.74/judge.php hxxp/1.1" 404 286 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"



58.218.204.110 - - [30/Jul/2010:06:46:42 -0700] "GET hxxp://216.245.205.74/judge.php hxxp/1.1" 404 286 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"




58.218.204.110 - - [30/Jul/2010:09:27:22 -0700] "GET hxxp://216.245.205.74/judge.php hxxp/1.1" 404 286 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"



58.218.204.110 - - [30/Jul/2010:12:20:24 -0700] "GET hxxp://216.245.205.74/judge.php hxxp/1.1" 404 286 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"



58.218.204.110 - - [30/Jul/2010:14:56:25 -0700] "GET hxxp://216.245.205.74/judge.php hxxp/1.1" 404 286 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"



58.218.204.110 - - [31/Jul/2010:22:36:58 -0700] "GET hxxp://216.245.205.74/judge.php hxxp/1.1" 404 286 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"



58.218.204.110 - - [03/Aug/2010:01:42:46 -0700] "GET hxxp://216.245.205.74/judge.php hxxp/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"




58.218.204.110 - - [04/Aug/2010:10:08:52 -0700] "GET hxxp://216.245.205.74/judge.php hxxp/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"



58.218.204.110 - - [04/Aug/2010:13:23:06 -0700] "GET hxxp://216.245.205.74/judge.php hxxp/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


Answer



I guess you substituted http with hxxp in the messages (it isn't clear). If so, someone is probing your server to see if it is configured to act as a proxy. Since you don't seem to be running mod_proxy, it returns 404 (Not found).



Usually, there is no need to worry. If you have servers publicly visible to the Internet, you are going to see this every single day. Also, people trying to exploit all kinds of vulnerabilities in all kinds of software (phpMyAdmin is particularly annoying), even the ones you don't have installed. Also, ISC.SANS.DFind...



However, those 301 (Redirect) responses are strange...
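The check described in the answer can be automated. The following is an added example, not part of the original question or answer: it scans Apache access-log lines for requests that name a host other than your own (an absolute URL or a CONNECT target) and separates the ones the server refused from the ones that got a non-error status, such as the 301s above, which deserve a manual look. The function names, the sample lines and the `www.example.org` host name are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Apache common/combined log format, up to the status and size fields.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def foreign_host(method, target, own_hosts):
    """Return the host the client asked us to reach if it is not ours, else None."""
    if method == "CONNECT":                          # authority-form: host:port
        host = target.rsplit(":", 1)[0]
    elif re.match(r"(?i)h(tt|xx)ps?://", target):    # absolute-form (also defanged hxxp)
        host = urlsplit(target).hostname or ""
    else:                                            # origin-form: an ordinary request
        return None
    return None if host.lower() in own_hosts else host.lower()

def find_proxy_probes(lines, own_hosts):
    """Return one dict per request that named a host outside own_hosts."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        host = m and foreign_host(m["method"], m["target"], own)
        if not host:
            continue
        status = int(m["status"])
        # 4xx/5xx: the server refused the request. Any other status means it
        # was handled somehow; check what was actually sent back.
        verdict = "refused" if status >= 400 else "review"
        findings.append({"ip": m["ip"], "time": m["time"], "host": host,
                         "status": status, "verdict": verdict})
    return findings

# Constructed sample lines (documentation address ranges, not taken from the page).
SAMPLE = [
    '198.51.100.7 - - [30/Jul/2010:01:01:25 -0700] "GET http://192.0.2.50/judge.php HTTP/1.1" 404 286 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [03/Aug/2010:01:42:46 -0700] "GET http://192.0.2.50/judge.php HTTP/1.1" 301 - "-" "Mozilla/4.0"',
    '203.0.113.9 - - [03/Aug/2010:02:00:00 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [03/Aug/2010:02:00:05 -0700] "GET http://www.example.org/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [03/Aug/2010:02:10:00 -0700] "CONNECT mail.example.net:25 HTTP/1.0" 405 230 "-" "-"',
]

if __name__ == "__main__":
    for f in find_proxy_probes(SAMPLE, {"www.example.org"}):
        print(f["verdict"], f["ip"], f["host"], f["status"])
```

A "review" verdict does not by itself mean the server proxied the request; it only means the response was not an error, so the returned body or redirect target should be inspected.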

