On Sun, Apr 01, 2007 at 04:23:07PM -0500, Sean Malloy wrote:
> I just installed OpenBSD on my server in early March 2007. I am
> running an Apache web server out of my house. I am tracking 4.0 STABLE
> which I updated the day after the latest security advisory. I recently
> noticed some peculiar entries in my Apache error and access logs.
>
> From /var/www/logs/error_log:
>
> [Sat Mar 31 07:35:07 2007] [error] [client 211.100.33.61] File does not exist: /htdocs/Provy_OK.html
> [Sat Mar 31 07:40:20 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/thisdoesnotexistahaha.php
> [Sat Mar 31 07:40:21 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/cmd.php
> [Sat Mar 31 07:40:21 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/Cacti/cmd.php
> [Sat Mar 31 07:40:22 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/cacti/cmd.php
> [Sat Mar 31 07:40:22 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/portal/cacti/cmd.php
> [Sat Mar 31 07:40:22 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/portal/cmd.php
> [Sat Mar 31 07:40:23 2007] [error] [client 195.242.236.131] File does not exist: /htdocs/stats/cmd.php
> [Sun Apr  1 00:11:32 2007] [error] [client 212.31.237.145] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)

Yes, that's a scan. Nothing to worry about.

> From /var/www/logs/access_log:
>
> 211.100.33.61 - - [31/Mar/2007:07:35:07 -0500] "GET http://check.70.94.14.65.v.80.pdx8.super.proxy.scanner.ii.9966.org/Provy_OK.html HTTP/1.1" 404 219 "-" "-"
> 195.242.236.131 - - [31/Mar/2007:07:40:20 -0500] "GET /thisdoesnotexistahaha.php HTTP/1.1" 404 231 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
> 195.242.236.131 - - [31/Mar/2007:07:40:21 -0500] "GET /cmd.php HTTP/1.1" 404 213 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
> 195.242.236.131 - - [31/Mar/2007:07:40:21 -0500] "GET /Cacti/cmd.php HTTP/1.1" 404 219 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
> 195.242.236.131 - - [31/Mar/2007:07:40:22 -0500] "GET /cacti/cmd.php HTTP/1.1" 404 219 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
> 195.242.236.131 - - [31/Mar/2007:07:40:22 -0500] "GET /portal/cacti/cmd.php HTTP/1.1" 404 226 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
> 195.242.236.131 - - [31/Mar/2007:07:40:22 -0500] "GET /portal/cmd.php HTTP/1.1" 404 220 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
> 195.242.236.131 - - [31/Mar/2007:07:40:23 -0500] "GET /stats/cmd.php HTTP/1.1" 404 219 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
> 212.31.237.145 - - [01/Apr/2007:00:11:32 -0500] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 335 "-" "-"
>
> Relevant sections from /var/log/pflog:
>
> Mar 31 07:35:05.505194 rule 7/(match) pass in on sk0: 211.100.33.61.18484 > 192.168.1.200.80: S 948480759:948480759(0) win 5840 <mss 1460> (DF)
> Mar 31 07:35:06.012233 rule 7/(match) pass in on sk0: 211.100.33.61.19843 > 192.168.1.200.80: S 948885882:948885882(0) win 5840 <mss 1460> (DF)
> Mar 31 07:35:06.510805 rule 7/(match) pass in on sk0: 211.100.33.61.18484 > 192.168.1.200.80: F 1995884956:1995884956(0) ack 3143126464 win 5840 (DF)
> Mar 31 07:35:06.510826 rule 7/(match) pass out on sk0: 192.168.1.200.80 > 211.100.33.61.18484: . ack 3247563101 win 17520 (DF)
> Mar 31 07:35:06.510869 rule 7/(match) pass out on sk0: 192.168.1.200.80 > 211.100.33.61.18484: F 2034632638:2034632638(0) ack 3247563101 win 17520 (DF)

You should figure out what this means; your web server, presumably, is
blocked by pf. That means that the web server is doing something you
didn't think it should when writing the rules. What is that? (Hard to
say without access to pf.conf...)

>
> I have not noticed any weirdness in any other log files. What can I
> do to stop this from happening? Thanks in advance.

Not much, it's just background noise. Keep patched, and ignore it.

	Joachim

-- 
TFMotD: fflagstostr, strtofflags (3) - convert between file flag bits and their string names
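The reply's verdict (a scan, background noise, nothing to act on as long as the files being probed really do not exist) can be reached mechanically rather than by eyeballing the log. The script below is an added example, not code from the thread or from any OpenBSD tool: it parses Apache "combined" access_log records, tags the three behaviours visible in the quoted log (a request line carrying an absolute URL, which is an open-proxy check; the DFind scanner's self-announcing w00tw00t path; and a burst of 404s for several distinct paths from one client), and prints one line per client. The sample input is the access_log quoted in the post; the tag names, the three-path threshold and the 60-second window are this example's own choices.

```python
"""Tag scanner noise in an Apache access_log (added example, not from the thread)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: ip ident user [ts] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Sample input: the access_log records quoted in the post, one record per line.
SAMPLE_LINES = [
    '211.100.33.61 - - [31/Mar/2007:07:35:07 -0500] "GET http://check.70.94.14.65.v.80.pdx8.super.proxy.scanner.ii.9966.org/Provy_OK.html HTTP/1.1" 404 219 "-" "-"',
    '195.242.236.131 - - [31/Mar/2007:07:40:20 -0500] "GET /thisdoesnotexistahaha.php HTTP/1.1" 404 231 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '195.242.236.131 - - [31/Mar/2007:07:40:21 -0500] "GET /cmd.php HTTP/1.1" 404 213 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '195.242.236.131 - - [31/Mar/2007:07:40:21 -0500] "GET /Cacti/cmd.php HTTP/1.1" 404 219 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '195.242.236.131 - - [31/Mar/2007:07:40:22 -0500] "GET /cacti/cmd.php HTTP/1.1" 404 219 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '195.242.236.131 - - [31/Mar/2007:07:40:22 -0500] "GET /portal/cacti/cmd.php HTTP/1.1" 404 226 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '195.242.236.131 - - [31/Mar/2007:07:40:22 -0500] "GET /portal/cmd.php HTTP/1.1" 404 220 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '195.242.236.131 - - [31/Mar/2007:07:40:23 -0500] "GET /stats/cmd.php HTTP/1.1" 404 219 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '212.31.237.145 - - [01/Apr/2007:00:11:32 -0500] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 335 "-" "-"',
]


def parse_line(line):
    """Return a dict for one combined-format record, or None if the line does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    return rec


def classify(rec):
    """Per-request indicators. Tag names are this example's own, not a standard."""
    tags = set()
    # A request line carrying a full URL asks the server to relay: an open-proxy check.
    if rec['target'].lower().startswith(('http://', 'https://')):
        tags.add('absolute-uri-proxy-check')
    # The DFind scanner names itself in the path it requests.
    if 'w00tw00t' in rec['target']:
        tags.add('dfind-banner')
    return tags


def had_probe_burst(hits, threshold, window):
    """True if at least `threshold` distinct missing paths were requested within `window`."""
    hits.sort()                       # (timestamp, path) pairs, oldest first
    start = 0
    for end in range(len(hits)):
        while hits[end][0] - hits[start][0] > window:
            start += 1                # slide the window forward
        if len({path for _, path in hits[start:end + 1]}) >= threshold:
            return True
    return False


def scan_report(lines, threshold=3, window=timedelta(seconds=60)):
    """Map client IP -> sorted list of tags, for clients that earned at least one tag."""
    tags = defaultdict(set)
    misses = defaultdict(list)        # 404s per client, for the burst check
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                  # unparseable line: skip, do not guess
        tags[rec['ip']] |= classify(rec)
        if rec['status'] == 404:
            misses[rec['ip']].append((rec['ts'], rec['target']))
    for ip, hits in misses.items():
        if had_probe_burst(hits, threshold, window):
            tags[ip].add('path-probe')
    return {ip: sorted(t) for ip, t in tags.items() if t}


if __name__ == '__main__':
    for ip, t in scan_report(SAMPLE_LINES).items():
        print(f'{ip:16} {", ".join(t)}')
```

Run as a script it prints three lines, one per scanning client. Every tagged request in the sample drew a 404 or a 400, which is the check that matters: the probe found nothing, so the right response is the one the reply gives, stay patched and move on. Feed it the real file (`python3 scan_report.py < /var/www/logs/access_log` after swapping `SAMPLE_LINES` for `sys.stdin`) and a client tagged `path-probe` whose requests returned 200 is the case worth a closer look.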