Apache2 server logs – weird activity

hacking

I was going through apache log, and I thought some of the access logs seemed suspicious… I'm not pro, just do server administration as hobby 🙂 so I wonder if I should take some steps…

86.138.17.122 - - [20/May/2012:12:53:14 +0200] "\xcb\xaap\xdc\xf9\xba\xec\x0e\x11\xfa\x1d%\x1f\xe9L$\xff\xa6\xe8-\xd2\x11" 501 309 "-" "-"

218.246.22.178 - - [20/May/2012:14:49:22 +0200] "GET /phpMyAdmin/translators.html HTTP/1.1" 404 544 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"

31.176.134.118 - - [21/May/2012:10:32:31 +0200] "\xbe" 501 288 "-" "-"

92.80.76.244 - - [20/May/2012:13:28:19 +0200] "-" 408 0 "-" "-"

I'm not sure about the last one, but first three definitely looks like someone is probing for non existent software on my server.

sudo grep -ir "218.246.22.178" /var/log/apache2/*

/var/log/apache2/access.log:218.246.22.178 - - [20/May/2012:14:49:22 +0200] "GET /phpMyAdmin/translators.html HTTP/1.1" 404 544 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
/var/log/apache2/access.log.1:218.246.22.178 - - [19/May/2012:23:01:55 +0200] "GET /translators.html HTTP/1.1" 404 533 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
/var/log/apache2/access.log.1:218.246.22.178 - - [20/May/2012:06:30:03 +0200] "GET /phpmyadmin/translators.html HTTP/1.1" 404 544 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
/var/log/apache2/error.log:[Sun May 20 14:49:22 2012] [error] [client 218.246.22.178] File does not exist: /var/www/phpMyAdmin
/var/log/apache2/error.log.1:[Sat May 19 23:01:55 2012] [error] [client 218.246.22.178] File does not exist: /var/www/translators.html
/var/log/apache2/error.log.1:[Sun May 20 06:30:03 2012] [error] [client 218.246.22.178] File does not exist: /var/www/phpmyadmin
/var/log/apache2/other_vhosts_access.log::443 218.246.22.178 - - [20/May/2012:14:49:19 +0200] "GET /phpMyAdmin/translators.html HTTP/1.1" 401 3233 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
/var/log/apache2/other_vhosts_access.log.1::443 218.246.22.178 - - [20/May/2012:06:30:02 +0200] "GET /phpmyadmin/translators.html HTTP/1.1" 401 3232 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"

Best Answer

This is pretty common behavior with any web server exposed to the internet. Hackers are scanning for vulnerabilities and open proxies. Check out fail2ban to block them and logwatch to monitor for anything out of the ordinary.

Related Topic