Does anybody know what this is? Thanks for any help!
I usually get the following LogWatch report for the http server, with long runs of the following:
--------------------- httpd Begin ------------------------
A total of 1 sites probed the server
217.229.16.130
A total of 2 unidentified 'other' records logged
SEARCH
/\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\xx02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\
xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x
b1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x.......... ..etc

As far as I know, junk characters in the Apache (httpd) log mean you have been hacked.
~~~~~~~~~~~~~~~~~~~~~~~~
http://www.peeyush.tk/
http://geocities.com/peeyush_maurya/
~~~~~~~~~~~~~~~~~~~~~~~~

Thank you for the reply; so, how can I protect myself, and how do I know which things to check?
Thanks

Looks like it's probably someone trying to exploit a buffer overflow....just make sure that you are running a new/secure/patched version of apache and anything else that may be accessed (eg perl). Thankfully most hacks seemed to be aimed at M$ IIS....

If you are not using perl on your website (e.g. with CGI scripts) then you don't have to worry about it.
With Fedora you can use apt-get or yum to make sure that you are running up to date versions of software.
Do you really need to run sendmail? You can download the source and security patches from http://www.sendmail.org/. You probably have a relatively new version anyway if you are running Fedora C2.
If you are security conscious then maybe installing tripwire is a good idea (http://www.tripwire.org/). It won't prevent hacks but will inform you of any if they happen. Nessus (http://www.nessus.org/) is a good security scanner which you can run on your machine to check for any vulnerabilities.

Thanks Dave,
In fact I need sendmail for Mailman mailing lists. I am trying these tools now. Thank you again.

Sendmail can be a b17ch to configure unless you know what you are doing. The .cf config file is one of the very few GNU/Linux files which is not quite as straight forward as plain text and is confusing to read (unless you're a sendmail guru!=o). Instead you edit an .m4 file which is easier to read and then use m4 to create a .cf file....all rather confusing.
A much easier way to configure it (as well as your entire system) is to install webmin (www.webmin.com) which I strongly recommend.

You are right, I have configured it with Webmin, and it is working just fine. Webmin is a very good tool.

These entries should be identified as a "probe", rather than an unidentified 'other' entry. There is a bug in logwatch-5.1 (which is fixed in logwatch-5.2) that causes the parser to identify these lines incorrectly. You can fix this by editing the "http" logwatch script or by upgrading to the latest logwatch version. If you go the editing route, look for lines like these:
'\\x90\\x02\\xb1\\x02\\xb1',
'\\x02\\xb1\\x02\\xb1',
'\\x90\\x90\\x90\\x90',
'\\x04\\x01',
'\\x05\\x01',
and add another backslash to each pair so they look like this:
'\\\x90\\\x02\\\xb1\\\x02\\\xb1',
'\\\x02\\\xb1\\\x02\\\xb1',
'\\\x90\\\x90\\\x90\\\x90',
'\\\x04\\\x01',
'\\\x05\\\x01',
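The following is an added example, not code from this thread or from logwatch itself; it reproduces the escaping problem described in the post above and, in passing, answers the original question of what the "junk characters" are. Apache writes non-printable bytes in a request line to its access log as \xHH escapes, so the log holds the literal four characters backslash, x, 9, 0 rather than a raw 0x90 byte. A Perl single-quoted '\\x90' is the regex \x90, which matches the raw byte and therefore never matches the escaped log text; adding one backslash makes it match the literal text. The request lines below are constructed samples in the style of the LogWatch output quoted at the top of the thread, and the helper names (fix_patterns, classify, unescape_apache) are this example's own, not logwatch's.

```python
import re

# Constructed request lines in the style of the "unidentified 'other'" records
# LogWatch printed in the thread. Apache writes non-printable request bytes to
# its access log as \xHH escapes, so each line holds the four literal
# characters backslash, x, 9, 0 rather than a raw 0x90 byte.
SAMPLE_REQUESTS = [
    r"SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1 HTTP/1.1",
    r"GET /\x90\x90\x90\x90\x90\x90 HTTP/1.0",
    r"GET /index.html HTTP/1.1",
]

# The five patterns quoted from the logwatch-5.1 http script. A Perl
# single-quoted '\\x90' is the regex \x90, which Python spells the same way.
# Both regex engines read \x90 as "the single byte 0x90", which never appears
# in an escaped Apache log line, so these patterns silently match nothing.
BUGGY_PATTERNS = [
    "\\x90\\x02\\xb1\\x02\\xb1",
    "\\x02\\xb1\\x02\\xb1",
    "\\x90\\x90\\x90\\x90",
    "\\x04\\x01",
    "\\x05\\x01",
]


def fix_patterns(patterns):
    """Apply the fix from the post: one more backslash per escape, so the
    regex matches the literal backslash-x-H-H text that Apache logged."""
    return [p.replace("\\x", "\\\\x") for p in patterns]


def classify(request, patterns):
    """Return "probe" if any pattern matches the request line, else "other"
    (the two buckets LogWatch's http report uses)."""
    for pattern in patterns:
        if re.search(pattern, request):
            return "probe"
    return "other"


def classify_all(requests, patterns):
    """Classify every request line with the given pattern list."""
    return [classify(r, patterns) for r in requests]


def unescape_apache(line):
    """Turn Apache's \\xHH escapes back into the characters they stand for.
    This shows what the buggy patterns were really written to match: the raw
    bytes of the request, not the escaped text found in the log file."""
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), line)


if __name__ == "__main__":
    print("logwatch-5.1 patterns on log text :",
          classify_all(SAMPLE_REQUESTS, BUGGY_PATTERNS))
    print("patched patterns on log text      :",
          classify_all(SAMPLE_REQUESTS, fix_patterns(BUGGY_PATTERNS)))
    print("logwatch-5.1 patterns on raw bytes:",
          classify_all([unescape_apache(r) for r in SAMPLE_REQUESTS],
                       BUGGY_PATTERNS))
```

Run as-is, the first line reports every request as "other" (the misclassification seen in the thread), the second reports the two \x90 requests as probes with the patched patterns, and the third shows that the unpatched patterns do fire once the \xHH escapes are decoded back to bytes, which is why the missing backslash is the whole bug.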
