Sometimes in my daily logwatch report, I notice that there is a section under httpd for "attempts to use known hacks…" and another section about how many sites probed the server. I have a few questions about these sections:
- Is Apache or logwatch the one picking up and reporting on the known hacks? Which program actually knows that it is a known hack? Is there a certain location or reference point that one of these programs is using for their list of known attacks?
- Is logwatch able to report on whether an attack was successful or not, or do I need a separate piece of software for picking that up?
- What exactly does it mean when logwatch reports that x amount of sites probed the server? Is it a port scan? Vulnerability scan? Fingerprinting? Is Apache the one reporting this to the log files or is logwatch analyzing the log files and figuring it out?
Best Answer
services/http for the line which starts with my @exploits. You will see these are just some very simple patterns which are detected. Personally, I wouldn't pay too much attention to that report.
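The kind of simple pattern matching the answer describes, as an added example that is not part of the original answer and is not logwatch's own code: it scans Apache access-log lines for request URLs matching a short pattern list and tallies the matches per client address and response status. The pattern list, function names and log lines are all constructed for illustration and are not logwatch's actual list.

```python
import re
from collections import defaultdict

# Constructed patterns for illustration; NOT logwatch's actual @exploits list.
PATTERNS = [r"\.\./\.\./", r"/etc/passwd", r"phpmyadmin", r"cmd\.exe", r"wp-login\.php"]
EXPLOIT_RE = re.compile("|".join(PATTERNS), re.IGNORECASE)

# Apache common/combined log format: host ident user [time] "METHOD URL PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^" ]+ ([^" ]+)[^"]*" (\d{3}) ')

# Constructed sample access-log lines (documentation address ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /phpMyAdmin/index.php HTTP/1.1" 404 209
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /cgi-bin/../../etc/passwd HTTP/1.1" 400 226
203.0.113.5 - - [10/Oct/2023:14:02:10 +0000] "POST /wp-login.php HTTP/1.1" 200 1502
203.0.113.5 - - [10/Oct/2023:14:02:11 +0000] "-" 408 -
"""

def summarize(log_text):
    """Return {client_ip: {status_code: count}} for requests matching a pattern."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # malformed or empty request line such as "-": nothing to match
            continue
        host, url, status = m.groups()
        if EXPLOIT_RE.search(url):
            hits[host][int(status)] += 1
    return {h: dict(s) for h, s in hits.items()}

def needs_review(summary):
    """Hosts whose matching requests got a 2xx reply: worth a manual look, not proof of compromise."""
    return sorted(h for h, s in summary.items() if any(200 <= c < 300 for c in s))

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{len(report)} site(s) sent requests matching a pattern")
    for host, statuses in report.items():
        print(host, statuses)
    print("review:", needs_review(report))
```

A pattern match only says the URL looked like a known probe; the status code in the log shows how the server replied, and a 2xx reply on its own does not establish that anything was exploited.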