On Mon, 8 Dec 2003, Lisa Durham wrote:

> I am very new to Linux but was poking around in my newly setup Fedora
> Core 1 system today and came upon the lines below in the Apache Access
> Log when I used the "System Logs" icon in the System Tools Menu.
> What does this file tell me? Am I paranoid, or was someone trying to
> access my machine (but ignorantly assuming it was a Windows machine)?
>
> quoted Apaches Access Log:
> 24.60.93.48 - - [07/Dec/2003:14:39:47 -0600] "GET
> /scripts/root.exe?/c+dir HTTP/1.0" 404 327 "-" "-"

As I looked back at your message I should have started closer to the
beginning.

Your system is running the apache web server "httpd".
You can verify this thus:

    # chkconfig --list | grep http
    httpd   0:off 1:off 2:on 3:on 4:on 5:on 6:off

You might read this as the "httpd" daemon will be launched by the
system at run levels 2, 3, 4, and 5. Run level 3 or 5 are the
standard normal run levels.

You can stop the daemon:

    /etc/init.d/httpd stop

You can keep it from being restarted the next time you boot

    # chkconfig httpd off
    # chkconfig --list | grep http
    httpd   0:off 1:off 2:off 3:off 4:off 5:off 6:off

The log messages you sent were likely the result of a long list of old
and new attacks looking for ill managed and unpatched web-servers of
any type, mostly Microsoft software.

So, yes, someone was attempting to access your machine and hack it.
You are not paranoid but it helps to be paranoid on the Internet.

At a quick glance most of the lines are attacks against common
Microsoft bugs. Your log messages are from system seeking viruses,
worms or script kiddies all looking for any open system to hack into
and attack. Some of these worms and tools will try all possible IP
addresses.

If you watch sendmail logs and other access logs (/var/logs/secure,
and more in /var/logs) you might find other probes looking to hijack
your machine. Most evil spam is sent from hijacked systems of ALL
types.

When installing Linux/Fedora you would have been prompted for a
security level. Most beginners should pick 'high' security. Then one
function at a time can be configured, enabled and watched. Most
advanced users do the same sort of thing because there is a period
after a fresh install and before all known patches are installed when
trouble could happen.

You may wish to set up iptables to limit access:

    # chkconfig --list | grep iptables

Look for other homework topics ;-)

    # chkconfig --list | grep on

Read all about it:

    # man httpd
    # man -k http       <-- -k for keywords
    # apropos apache    <-- apropos is equal to man -k
    # man iptables
    # man -k iptables
    # info iptables
    /usr/share/doc/iptables-1.2.8/

Google is a friend on stuff like this.

The good news is that Fedora's Apache package is in very good shape
right off the disc so you are not likely to have been hacked.

Have fun.
TomM

-- 
T o m M i t c h e l l
mitch48 -a*t- yahoo-dot-com
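
Added example, not part of the original message: a way to run the check discussed above over an Apache access log, flagging requests for Windows-only file types on a Linux host and showing whether each was refused (404, as in the quoted line) or answered. The extension list, the function names and every sample line except the first are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Apache common/combined log format: host ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)
# Assumption: a Linux Apache host serves none of these Windows/IIS file types,
# so a request for one is a probe rather than normal traffic.
WINDOWS_EXT_RE = re.compile(r'\.(?:exe|dll|ida|idq)$', re.IGNORECASE)

# First line is the one quoted in the message; the rest are constructed samples.
SAMPLE_LOG = [
    '24.60.93.48 - - [07/Dec/2003:14:39:47 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 327 "-" "-"',
    '192.0.2.10 - - [07/Dec/2003:14:41:02 -0600] "GET /index.html HTTP/1.1" 200 1456 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Dec/2003:14:43:18 -0600] "GET /downloads/setup.exe HTTP/1.0" 200 20480 "-" "-"',
    '198.51.100.7 - - [07/Dec/2003:14:43:19 -0600] "-" 408 - "-" "-"',
]

def parse_line(line):
    """Return host, path and status for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = m.group("request").split()
    path = parts[1] if len(parts) >= 2 else ""   # malformed requests have no path
    return {"host": m.group("host"), "path": path, "status": int(m.group("status"))}

def is_windows_probe(path):
    """True when the path (query string removed) names a Windows-only file type."""
    return bool(WINDOWS_EXT_RE.search(path.split("?", 1)[0]))

def summarize(lines):
    """Per client: how many probe requests were seen and how many were answered."""
    report = defaultdict(lambda: {"probes": 0, "answered": 0})
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_windows_probe(entry["path"]):
            continue
        row = report[entry["host"]]
        row["probes"] += 1
        if entry["status"] < 400:   # 2xx/3xx: the file exists here, so look closer
            row["answered"] += 1
    return dict(report)

if __name__ == "__main__":
    for host, row in summarize(SAMPLE_LOG).items():
        print(host, row)
```

A client with probes but zero answered requests matches the situation in the quoted log line; a non-zero answered count means the server returned content for that path and the file is worth inspecting.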