SYSMGR

We're a bunch of Computers: Diana, Daphne, and Dido, called the 3D-cluster, running OpenVMS; Io, running OpenVMS as well (in some obscure role in the network); Aphrodite, Athene and Irene, running WindowsXP-Pro (SP2, of course); and Cerberus at the edge of the Network, with Charon, also running Linux, as standby. SYSMGR takes care of us.

Tuesday, January 24

24-Jan-2006

Security
Copying the webserver logfiles did almost succeed - ACCESS_LOG does now exist but is empty, but ERROR_LOG of public, mail- and private sites do now exist for last week. Scanning these (by hand) revealed attempts to access some non-existing locations - using a script since the whole access took just a few seconds:

These were quite common:
File does not exist: /www/awstats/awstats.pl
script not found or unable to stat: /apache$root/cgi-bin/awstats.pl
script not found or unable to stat: /apache$root/cgi-bin/awstats
File does not exist: /www/xmlrpc.php
File does not exist: /www/blog/xmlrpc.php
File does not exist: /www/blog/xmlsrv/xmlrpc.php
File does not exist: /www/blogs/xmlsrv/xmlrpc.php
File does not exist: /www/drupal/xmlrpc.php
File does not exist: /www/phpgroupware/xmlrpc.php
File does not exist: /www/wordpress/xmlrpc.php
File does not exist: /www/xmlrpc.php
File does not exist: /www/xmlrpc/xmlrpc.php
File does not exist: /www/xmlsrv/xmlrpc.php
These were found once but combined with a few from above:
File does not exist: /www/index2.php
File does not exist: /www/index.php
File does not exist: /www/mambo/index2.php
File does not exist: /www/cvs/index2.php

The next accessed (startdate, IP address) concerned at least one of the above. Most in the public site's error_log, (*) found in the one of the mail site:

This one is probably an IIS attempt - just once so it might have been a typo:
File does not exist: /www/ + /
by:
Jan 20 17:29:03 2006 152.121.17.40

I think it's hard to believe these are a typo:

File does not exist: /www/_vti_bin/owssvr.dll
File does not exist: /www/MSOffice/cltreq.asp
found to be attempted by:
Jan 20 20:05:27 2006 206.186.78.194
Jan 22 22:28:47 2006 128.253.95.211

And someone tried to get into the (non-existing) PHPBB and Coppermine areas:

File does not exist: /www/modules/Forums/admin/admin_styles.php
File does not exist: /www/modules/Forums/admin/admin_styles.phpadmin_styles.php
File does not exist: /www/Forums/admin/admin_styles.php
File does not exist: /www/modules/coppermine/themes/default/theme.php
File does not exist: /www/modules/coppermine/themes/default/theme.phptheme.php
Tried just once:
Jan 16 16:34:41 2006 85.37.240.241
thinking I use PHPBB or some other PHP product for my mail ???
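
Added example, not part of the original post: the by-hand scan described above done as a script, grouping "File does not exist" and "script not found" entries by client and flagging clients that hit several distinct missing paths within a few seconds. The bracketed Apache error_log line layout, the name find_probe_bursts, the thresholds and the sample lines (documentation-range addresses, paths taken from the post) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed layout: [Mon Jan 16 01:26:42 2006] [error] [client IP] message: path
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9.]+)\] "
    r"(?:File does not exist|script not found or unable to stat): (?P<path>\S.*)$"
)

def find_probe_bursts(lines, min_paths=3, window_seconds=10):
    """Map each client that requested >= min_paths distinct missing paths
    within window_seconds to (burst start, all missing paths it asked for)."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a missing-file entry, or a layout we do not know
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        hits[m["ip"]].append((ts, m["path"]))
    bursts = {}
    for ip, events in hits.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            # Shrink the window until it spans at most window_seconds.
            while (ts - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if len({p for _, p in events[start:end + 1]}) >= min_paths:
                bursts[ip] = (events[start][0], sorted({p for _, p in events}))
                break
    return bursts

# Constructed sample lines; addresses are from the documentation ranges.
SAMPLE_LOG = """\
[Mon Jan 16 01:26:42 2006] [error] [client 192.0.2.15] File does not exist: /www/awstats/awstats.pl
[Mon Jan 16 01:26:42 2006] [error] [client 192.0.2.15] script not found or unable to stat: /apache$root/cgi-bin/awstats.pl
[Mon Jan 16 01:26:43 2006] [error] [client 192.0.2.15] File does not exist: /www/xmlrpc.php
[Mon Jan 16 01:26:44 2006] [error] [client 192.0.2.15] File does not exist: /www/blog/xmlrpc.php
[Fri Jan 20 17:29:03 2006] [error] [client 198.51.100.40] File does not exist: /www/ + /
[Fri Jan 20 20:05:27 2006] [error] [client 203.0.113.194] File does not exist: /www/_vti_bin/owssvr.dll
[Fri Jan 20 20:05:27 2006] [error] [client 203.0.113.194] File does not exist: /www/MSOffice/cltreq.asp
""".splitlines()

if __name__ == "__main__":
    for ip, (first_seen, paths) in find_probe_bursts(SAMPLE_LOG).items():
        print(ip, first_seen, len(paths), "distinct missing paths")
```

A single odd request (the "/www/ + /" line) stays below the default threshold, while lowering min_paths to 2 also catches the two-request FrontPage/Office probe.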

Yesterday's mail abuse attempts were minor: 3 times junk from Yahoo that I've seen before (good that they block further attempts!), one daily spam relay attempt and one that shows up once in a while (I'll keep an eye on that one):

23-JAN-2006 20:37:27.68 CLNTINRBL 82.226.85.104
23-JAN-2006 00:13:11.17 BADMF reginald@yahoo.com
23-JAN-2006 00:13:12.59 BADMF reginald@yahoo.com
23-JAN-2006 00:13:14.00 BADMF reginald@yahoo.com
23-JAN-2006 02:33:48.63 BADMF geoffrey@yahoo.com
23-JAN-2006 02:33:49.97 BADMF geoffrey@yahoo.com
23-JAN-2006 02:33:51.31 BADMF geoffrey@yahoo.com
23-JAN-2006 07:09:10.80 BADMF william@yahoo.com
23-JAN-2006 07:09:12.83 BADMF william@yahoo.com
23-JAN-2006 07:09:14.73 BADMF william@yahoo.com
23-JAN-2006 07:21:08.72 NOSPAMRLY 125.188.61.77 gjwns_22@daum.net
23-JAN-2006 16:20:05.86 NOSPAMRLY 221.140.55.69 smtphunter22@daum.net

No FTP found these days.
