raspi-owner
Posts: 63
Joined: Sun Aug 20, 2017 11:35 pm

what is this in my access.log ??

Wed Oct 11, 2017 1:39 pm

Code:

51.15.58.234 - - [10/Oct/2017:14:16:47 +0200] "GET / HTTP/1.1" 200 432 "-" "Wget/1.16 (linux-gnu)"
51.15.58.234 - - [10/Oct/2017:14:17:35 +0200] "HEAD / HTTP/1.1" 200 374 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6"
51.15.58.234 - - [10/Oct/2017:14:17:35 +0200] "HEAD / HTTP/1.1" 200 374 "-" "Mozilla/5.0 (Linux; U; Android 4.0.3; ko-kr; LG-L160L Build/IML74K) AppleWebkit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
51.15.58.234 - - [10/Oct/2017:14:17:35 +0200] "HEAD / HTTP/1.1" 200 374 "-" "Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1C25 Safari/419.3"
51.15.58.234 - - [10/Oct/2017:14:17:35 +0200] "HEAD / HTTP/1.1" 200 374 "-" "Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B334b Safari/531.21.10"
51.15.58.234 - - [10/Oct/2017:14:17:35 +0200] "GET / HTTP/1.1" 200 376 "google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6"
51.15.58.234 - - [10/Oct/2017:14:17:35 +0200] "GET / HTTP/1.1" 200 376 "google.com" "Mozilla/5.0 (Linux; U; Android 4.0.3; ko-kr; LG-L160L Build/IML74K) AppleWebkit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
51.15.58.234 - - [10/Oct/2017:14:17:35 +0200] "GET / HTTP/1.1" 200 376 "google.com" "Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1C25 Safari/419.3"
51.15.58.234 - - [10/Oct/2017:14:17:35 +0200] "GET / HTTP/1.1" 200 376 "google.com" "Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B334b Safari/531.21.10"
51.15.58.234 - - [10/Oct/2017:14:17:35 +0200] "GET / HTTP/1.1" 200 376 "google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6"
51.15.58.234 - - [10/Oct/2017:14:17:35 +0200] "GET / HTTP/1.1" 200 376 "google.com" "Mozilla/5.0 (Linux; U; Android 4.0.3; ko-kr; LG-L160L Build/IML74K) AppleWebkit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
51.15.58.234 - - [10/Oct/2017:14:17:35 +0200] "GET / HTTP/1.1" 200 376 "google.com" "Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1C25 Safari/419.3"
51.15.58.234 - - [10/Oct/2017:14:17:35 +0200] "GET / HTTP/1.1" 200 376 "google.com" "Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B334b Safari/531.21.10"
51.15.58.234 - - [10/Oct/2017:14:17:35 +0200] "HEAD / HTTP/1.1" 200 374 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6"
51.15.58.234 - - [10/Oct/2017:14:17:35 +0200] "HEAD / HTTP/1.1" 200 374 "-" "Mozilla/5.0 (Linux; U; Android 4.0.3; ko-kr; LG-L160L Build/IML74K) AppleWebkit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
51.15.58.234 - - [10/Oct/2017:14:17:35 +0200] "HEAD / HTTP/1.1" 200 374 "-" "Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1C25 Safari/419.3"
51.15.58.234 - - [10/Oct/2017:14:17:35 +0200] "HEAD / HTTP/1.1" 200 374 "-" "Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B334b Safari/531.21.10"

Code:

5.228.127.66 - - [11/Oct/2017:15:14:14 +0200] "GET /wordpress/wp-admin/customize.php?autofocus[panel]=nav_menus&return=/wordpress/wp-admin/nav-menus.php?menu=3 HTTP/1.1" 404 519 "http://yandex.ru/clck/jsredir?from=yandex.ru%3Bsearch%3Bweb%3B%3B&text=&etext=1571.XiXD2Cdfp_-MfSaBK6fDULBvr5YsePTN9-fqEod0zxjYmLsZFvfuM0N9wQ5D7JE1.1b38f0274b9e1f1e01489adfa7e510740c5ead9d&uuid=&state=_BLhILn4SxNIvvL0W45KSic66uCIg23qh8iRG98qeIXmeppkgUc0YKCJkrjchpDstTwxTkjwGrA&data=UlNrNmk5WktYejR0eWJFYk1LdmtxcUFXbkkzSldEdzF2VmxmOTQ5VkV2TkplRk0tcUJ2eG5XRm5UeUNIZ0p4aTZxdkRHN19CRDNjS0dWd20wblFQTThmbUU1ZGl3Y1N1M1ZoREJkMDFaSWVnMzNRUTM4ZnRVcmQ0NDc0bDRUOXg3TlBnVGY4ODVjd1NzMW8xOF96UG5icU1RVm92RHBBdDAyLUlOeTNtOGd5TF8wRnlIdnhvTnN4ZEhtdkZhT2ppeU1RMVd5T0RKOXV6NHFBYTBTcXVGZGVWak85X3c3UVRjeHZ3Q2hta0ktRHFzWW1EdXA4Tl9wUldvRXI2bV94ZmczMUNIU0YtVnR3RHp1Wl8xcUd3WFgxaS1obF9nbVNq&b64e=2&sign=5658eda7d61a086170a33f4b7714f88e&keyno=0&cst=AiuY0DBWFJ7IXge4WdYJQYuwSQLovbTTXUyETUAB5B7NMhYP_782xdMex60lIaEVI0G4qw23qNWEM38DcKK8GwNIXiLedEXSqQIbThhv9cpbmPQb8oNug77BsPdO9waD0hRNjls3-n7Vk-Og4SkLglVZRBtBaTUj&ref=orjY4mGPRjk5boDnW0uvlrrd71vZw9kp5uQozpMtKCXI93BWaxlHTrNSCGRCuw7vJ-sVwi9zjXVzzkBpyf2hWaxNqojN0RhIx_LB4gE29m6_rODOpKUag8ygMzQXuyaQ&l10n=ru&cts=1507726730744&mc=3.2509986282" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"

Code:

155.94.88.58 - - [11/Oct/2017:10:51:24 +0200] "GET / HTTP/1.0" 200 395 "-" "sysscan/1.0 (https://github.com/robertdavidgraham/sysscan)"

Code:

113.11.250.38 - - [10/Oct/2017:13:39:35 +0200] "GET // HTTP/1.1" 200 395 "-" "() { :;};echo; /bin/bash -c \" echo 2014 | md5sum\""
113.11.250.38 - - [10/Oct/2017:13:39:35 +0200] "GET //cgi-sys/realsignup.cgi HTTP/1.1" 404 509 "-" "() { :;};echo; /bin/bash -c \" echo 2014 | md5sum\""
113.11.250.38 - - [10/Oct/2017:13:39:36 +0200] "GET //cgi-bin/test-cgi HTTP/1.1" 404 503 "-" "() { :;};echo; /bin/bash -c \" echo 2014 | md5sum\""
113.11.250.38 - - [10/Oct/2017:13:39:37 +0200] "GET //cgi-bin/test.cgi HTTP/1.1" 404 503 "-" "() { :;};echo; /bin/bash -c \" echo 2014 | md5sum\""

Code:

93.115.27.73 - - [10/Oct/2017:06:14:56 +0200] "GET /services/list.currency HTTP/1.1" 404 546 "-" "-"
62.154.151.197 - - [10/Oct/2017:08:21:49 +0200] "\xad" 400 0 "-" "-"
95.108.181.112 - - [10/Oct/2017:08:57:06 +0200] "GET /robots.txt HTTP/1.1" 404 534 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"
95.108.181.112 - - [10/Oct/2017:08:57:10 +0200] "GET / HTTP/1.1" 200 431 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"
221.11.228.240 - - [10/Oct/2017:09:24:28 +0200] "GET /currentsetting.htm HTTP/1.1" 404 486 "-" "-"
85.113.208.43 - - [10/Oct/2017:13:12:06 +0200] "GET / HTTP/1.0" 200 395 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"

Code:

209.66.128.2 - - [09/Oct/2017:23:33:23 +0200] "GET /muieblackcat HTTP/1.1" 404 499 "-" "-"
209.66.128.2 - - [09/Oct/2017:23:33:23 +0200] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 515 "-" "-"
209.66.128.2 - - [09/Oct/2017:23:33:23 +0200] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 515 "-" "-"
209.66.128.2 - - [09/Oct/2017:23:33:23 +0200] "GET //mysqladmin/scripts/setup.php HTTP/1.1" 404 515 "-" "-"

I don't understand what these are (did they hack me with ufw/fail2ban running??). I have all Apache jails enabled and have installed mod-security, so can someone explain??

SurferTim
Posts: 1769
Joined: Sat Sep 14, 2013 9:27 am
Location: Miramar Beach, Florida

Re: what is this in my access.log ??

Wed Oct 11, 2017 1:49 pm

I'm not saying they didn't hack you, but all of those that would be important or vulnerable look like fails (error 404).

raspi-owner
Posts: 63
Joined: Sun Aug 20, 2017 11:35 pm

Re: what is this in my access.log ??

Wed Oct 11, 2017 1:54 pm

SurferTim wrote:
Wed Oct 11, 2017 1:49 pm
I'm not saying they didn't hack you, but all of those that would be important or vulnerable look like fails (error 404).

Thanks, but I don't understand why they get the "200" aka "OK" message in some of them??

SurferTim
Posts: 1769
Joined: Sat Sep 14, 2013 9:27 am
Location: Miramar Beach, Florida

Re: what is this in my access.log ??

Wed Oct 11, 2017 1:58 pm

The first set you posted were requesting your home page (GET / HTTP/1.1).
51.15.58.234 - - [10/Oct/2017:14:17:35 +0200] "GET / HTTP/1.1" 200 376

The next set were requesting your php or cgi setup pages if you were ignorant enough to have them installed. The requests for them failed.
209.66.128.2 - - [09/Oct/2017:23:33:23 +0200] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 515

raspi-owner
Posts: 63
Joined: Sun Aug 20, 2017 11:35 pm

Re: what is this in my access.log ??

Wed Oct 11, 2017 2:13 pm

SurferTim wrote:
Wed Oct 11, 2017 1:58 pm
The first set you posted were requesting your home page (GET / HTTP/1.1).
51.15.58.234 - - [10/Oct/2017:14:17:35 +0200] "GET / HTTP/1.1" 200 376

The next set were requesting your php or cgi setup pages if you were ignorant enough to have them installed. The requests for them failed.
209.66.128.2 - - [09/Oct/2017:23:33:23 +0200] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 515

And what about the code "200 211"? Because when searching in my log I found this one multiple times:

Code:

138.210.251.228 - - [09/Oct/2017:13:29:17 +0200] "POST / HTTP/1.1" 200 211 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"

Thanks again for the answers.

SurferTim
Posts: 1769
Joined: Sat Sep 14, 2013 9:27 am
Location: Miramar Beach, Florida

Re: what is this in my access.log ??

Wed Oct 11, 2017 2:16 pm

A 200 is a success. No apparent security problem there. The client was sending a POST request instead of a GET for your home page.
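A small triage script for log lines like the ones posted in this thread, added here as an example (it is not from the thread, nor part of Apache, fail2ban or mod-security): it parses the combined log format, tags what each request was attempting (Shellshock-style User-Agent, masscan/sysscan agents, phpMyAdmin/CGI setup paths, malformed requests such as "\xad") and groups the results by source IP. The only thing it escalates is a probed path that returned 200, which is the distinction drawn above: a 404 on a setup.php probe and a 200 on the home page are both harmless. Three sample lines are copied from the thread; the 198.51.100.7 line is invented to exercise the served-probe branch.

```python
import re
# Apache "combined" format; quoted fields may contain \" escapes (the
# Shellshock probe's User-Agent does), so they are matched escape-aware.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' (\d{3}) (?:\d+|-) '
                    + QUOTED + ' ' + QUOTED + '$')
# Indicators taken from the lines posted in this thread.
PROBE_PATHS = ("/setup.php", "/cgi-bin/", "/cgi-sys/", "/muieblackcat", "/wp-admin/")
SCANNER_AGENTS = ("masscan/", "sysscan/")

def parse_line(line):
    """Return (ip, path, status, agent); path is None for junk such as \\xad."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, request, status, _referer, agent = m.groups()
    parts = request.split(" ")          # "METHOD PATH PROTO" when well-formed
    return ip, (parts[1] if len(parts) == 3 else None), int(status), agent

def tag_entry(path, status, agent):
    """Label what the request attempted, independent of whether it succeeded."""
    checks = {
        "malformed": path is None or status == 400,
        "shellshock-probe": "() {" in agent,   # bash function prefix of Shellshock probes
        "scanner-agent": any(s in agent.lower() for s in SCANNER_AGENTS),
        "admin-probe": bool(path) and any(p in path.lower() for p in PROBE_PATHS),
    }
    return {tag for tag, hit in checks.items() if hit}

def triage(lines):
    """Per source IP: hit count, tags seen, and probed paths that were served."""
    by_ip = {}
    for parsed in filter(None, map(parse_line, lines)):   # skip unparseable lines
        ip, path, status, agent = parsed
        tags = tag_entry(path, status, agent)
        rec = by_ip.setdefault(ip, {"hits": 0, "tags": set(), "served_probes": []})
        rec["hits"] += 1
        rec["tags"] |= tags
        # 404 = probed file absent; 200 on "/" = home page. A 200 on a probed path is the real signal.
        if "admin-probe" in tags and status == 200:
            rec["served_probes"].append(path)
    return by_ip

# Constructed sample: three lines copied from the thread plus one invented served probe.
SAMPLE = [
    '113.11.250.38 - - [10/Oct/2017:13:39:36 +0200] "GET //cgi-bin/test-cgi HTTP/1.1" 404 503 "-" "() { :;};echo; /bin/bash -c \\" echo 2014 | md5sum\\""',
    '62.154.151.197 - - [10/Oct/2017:08:21:49 +0200] "\\xad" 400 0 "-" "-"',
    '85.113.208.43 - - [10/Oct/2017:13:12:06 +0200] "GET / HTTP/1.0" 200 395 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"',
    '198.51.100.7 - - [11/Oct/2017:09:00:00 +0200] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 200 812 "-" "-"',
]
```

Feed it `open("/var/log/apache2/access.log")` instead of `SAMPLE` to run it over a real log; anything in `served_probes` is what deserves a look, the rest is background scanning.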

raspi-owner
Posts: 63
Joined: Sun Aug 20, 2017 11:35 pm

Re: what is this in my access.log ??

Wed Oct 11, 2017 2:21 pm

SurferTim wrote:
Wed Oct 11, 2017 2:16 pm
A 200 is a success. No apparent security problem there. The client was sending a POST request instead of a GET for your home page.
Thanks, I thought that I was hacked after all the security and tests that I have made... have a nice day :)
