Apache Log, passwd, "known hacks"

Michael A. Peters mpeters at mac.com
Sun May 1 19:35:52 UTC 2005


Have a server on my lan running as a yum mirror for my lan, running
rawhide. Other than the kernel, it gets updated pretty much daily.

Saw this in the log:

--------------------- httpd Begin ------------------------ 

 1663.90 MB transfered in 1894 responses  (1xx 0, 2xx 1852, 3xx 0, 4xx
42, 5xx 0) 
  322 Documents (3.81 MB),
  1534 Archives (1449.43 MB),
  12 Content pages (0.00 MB),
  2 Program source files (0.00 MB),
  10 CD Images (144.50 MB),
  14 Other (66.15 MB) 
 
 Attempts to use 1 known hacks were logged 4 time(s)
   passwd   by 
           192.168.15.101 4 time(s) 
 
 A total of 1 sites probed the server 
   192.168.15.101  
 
 !!!! 2 possible successful probes 
  /pub/yum/fedora/core/development/i386/Fedora/RPMS/pam_passwdqc-0.7.6-1.i386.rpm HTTP Response 200 
  /pub/yum/fedora/core/development/i386/Fedora/RPMS/passwd-0.69-2.i386.rpm HTTP Response 200 
 
 A total of 7 unidentified 'other' records logged

*snip*

The server is behind a router firewall.
I do have a couple ports forwarded to it - for bittorrent (tcp) and for
ntpd (udp - this is also my lan time server) - not ports apache uses.

192.168.15.101 is my wireless router (not the router the server is
behind, the wireless does strictly my wireless clients) - what exactly
is the "known hack" it is referring to? I certainly haven't tried to
hack it, I suspect that that is a bogus entry, but I do want to make
sure someone isn't connecting through my wireless router and trying
stuff.

The "possible successful probes" are clearly yum updates that happened to
contain the word "passwd" in the filename.

Is that something that should be filed as a false positive bug?
A password-containing file would not have the mime type
application/x-rpm.
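The substring match behind that report, as an added example that is not part of the original post or of logwatch's own code: a Python rule over constructed Apache log lines that flags any request path containing "passwd" (reproducing the false positives on the two RPM downloads), beside a refined rule that only matches "passwd" as a whole path segment and skips package downloads under an assumed mirror prefix.

```python
import re
from dataclasses import dataclass

# Constructed Apache combined-log sample (not from the original post): two yum
# package downloads whose filenames contain "passwd", and two real probes.
SAMPLE_LOG = """\
192.168.15.101 - - [01/May/2005:10:12:03 +0000] "GET /pub/yum/fedora/core/development/i386/Fedora/RPMS/passwd-0.69-2.i386.rpm HTTP/1.1" 200 87456 "-" "urlgrabber/2.9.6"
192.168.15.101 - - [01/May/2005:10:12:05 +0000] "GET /pub/yum/fedora/core/development/i386/Fedora/RPMS/pam_passwdqc-0.7.6-1.i386.rpm HTTP/1.1" 200 45210 "-" "urlgrabber/2.9.6"
203.0.113.7 - - [01/May/2005:11:02:44 +0000] "GET /cgi-bin/../../etc/passwd HTTP/1.0" 404 289 "-" "Mozilla/4.0"
203.0.113.7 - - [01/May/2005:11:02:45 +0000] "GET /etc/passwd HTTP/1.0" 200 1024 "-" "Mozilla/4.0"
"""
# Apache combined log format: client, ident, user, [time], "request", status, ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

@dataclass
class Probe:
    ip: str
    path: str
    status: int

def _requests(log_text):
    """Parse each log line into a Probe; silently skip lines that do not match."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield Probe(m['ip'], m['path'], int(m['status']))

def naive_known_hacks(log_text):
    """Logwatch-style substring rule: any request path containing 'passwd'."""
    return [r for r in _requests(log_text) if 'passwd' in r.path]

# Assumed mirror layout and package extensions for the refined rule (hypothetical).
MIRROR_PREFIX = '/pub/yum/'
PACKAGE_EXTS = ('.rpm', '.drpm')

def refined_known_hacks(log_text):
    """Flag only when 'passwd' is a whole path segment (as in /etc/passwd),
    and never for a package download served from the mirror tree."""
    hits = []
    for r in _requests(log_text):
        if 'passwd' not in r.path.split('/'):
            continue  # 'passwd-0.69-2.i386.rpm' is a filename, not the passwd file
        if r.path.startswith(MIRROR_PREFIX) and r.path.endswith(PACKAGE_EXTS):
            continue  # package served from the mirror, not a probe
        hits.append(r)
    return hits

def possible_successful(probes):
    """A 2xx response to a probe is what the report calls 'possible successful'."""
    return [p for p in probes if 200 <= p.status < 300]
```

Run against the constructed sample, the naive rule reports both RPM downloads as "possible successful probes", while the refined rule keeps only the two /etc/passwd requests and reports just the one that got a 200.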
