Linux – Logwatch httpd – hacks and probes

Tags: apache-2.2, hacking, linux, logwatch, Security

Sometimes in my daily logwatch report, I notice that there is a section under httpd for "attempts to use known hacks…" and another section about how many sites probed the server. I have a few questions about these sections:

  1. Is apache or logwatch the one picking up and reporting on the known hacks? Which program actually knows that it is a known hack? Is there a certain location or reference point that one of these programs is using for their list of known attacks?
  2. Is logwatch able to report on whether an attack was successful or not, or do I need a separate piece of software for picking that up?
  3. What exactly does it mean when logwatch reports that x amount of sites probed the server? Is it a port scan? Vulnerability scan? Fingerprinting? Is apache the one reporting this to the log files or is logwatch analyzing the log files and figuring it out?

Best Answer

  1. It is logwatch which knows about some well-known hacks. These are hard-coded into logwatch. Check the file services/http for the line which starts with my @exploits. You will see these are just some very simple patterns which are detected.
  2. If the webserver doesn't respond with an error status, logwatch considers the hack successful.
  3. This is similar to a portscan - somebody or some piece of software checks if your webserver is vulnerable.

Personally, I wouldn't pay too much attention to that report.
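To make the mechanism in the answer concrete, here is an added example (not logwatch's own code, and not from the original post) that re-implements the idea in a few lines of Python: a hard-coded list of URL patterns is run over Apache access-log lines, and each hit is classified by the status code the server returned, the way logwatch decides between "successful" and "unsuccessful" probes. The pattern list and the log lines are constructed for illustration and are assumptions, not logwatch's actual `@exploits` list.

```python
"""Toy re-implementation of the idea behind logwatch's httpd "known hacks"
report.  Added example; the patterns and the sample log are constructed and
are not copied from logwatch."""
import re

# Apache "combined" log format (the fields before the referer/user-agent).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Illustrative substrings in the spirit of logwatch's hard-coded @exploits list
# (assumption: these are examples, not logwatch's list).
EXPLOIT_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"/cmd\.exe",        # old IIS traversal probes
        r"/root\.exe",
        r"\.\./\.\./",       # directory traversal
        r"/etc/passwd",
        r"/phpmyadmin",      # scanners looking for admin panels
        r"/wp-login\.php",
        r"<script",          # reflected XSS attempt in the URL
    )
]

# Constructed sample access log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 213
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 196
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 400 226
192.0.2.9 - - [10/Oct/2023:13:57:13 +0000] "GET /wp-login.php HTTP/1.1" 200 1834
192.0.2.9 - - [10/Oct/2023:13:57:15 +0000] "GET /search?q=<script>alert(1)</script> HTTP/1.1" 200 912
"""


def parse_line(line):
    """Split one access-log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_probes(log_text):
    """Return (ip, url, status, outcome) for every line whose URL matches a pattern.

    Like logwatch, the only evidence of "success" is the status code: anything
    below 400 is reported as possibly successful, an error status as failed.
    """
    probes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if any(p.search(rec["url"]) for p in EXPLOIT_PATTERNS):
            outcome = "possibly successful" if rec["status"] < 400 else "failed"
            probes.append((rec["ip"], rec["url"], rec["status"], outcome))
    return probes


def summarize(log_text):
    """Aggregate the probes into the kind of counts a logwatch report shows."""
    probes = find_probes(log_text)
    return {
        "attempts": len(probes),
        "probing_hosts": len({ip for ip, _, _, _ in probes}),
        "possibly_successful": sum(1 for p in probes if p[3] == "possibly successful"),
        "failed": sum(1 for p in probes if p[3] == "failed"),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"A total of {s['attempts']} attempts were made to use known hacks "
          f"by {s['probing_hosts']} hosts.")
    for ip, url, status, outcome in find_probes(SAMPLE_LOG):
        print(f"  {ip:<14} {status}  {outcome:<19} {url}")
```

Running it reports five attempts from three hosts, three "failed" (404/400) and two "possibly successful" (200). The two successes illustrate the caveat behind the answer's last sentence: a 200 for /wp-login.php only means the page exists, and a 200 for a reflected-XSS URL only means the search page rendered; neither says anything about whether the payload did anything. Pattern matching on the request line plus the status code is all the report has to go on, so it is a hint of who is scanning you, not an intrusion-detection result.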