Strange stuff in apache log

hacking apache-2.2 log-files binary

Solution 1:

Unless you have noted strange new files, changed system files, or other odd behaviours from from your server, I wouldn't worry much about those strange log entries. Anyone can send malformed HTTP requests to your server if it's open to the internet, and so many people (or bots) do just that.

Why would they do that? Well, some web servers have known vulnerabilities that can be exploited by sending them just the "right" kind of request. So what you're possibly seeing are probes for known (or even unknown) vulnerabilities. If it makes you feel safer, you could take retroactive measures, like blocking/banning IP's that send malformed or unknown requests (using iptables, fail2ban, etc.).

Personally, I take the stance that blacklisting "bad" IPs is not really worth it, since, by the time you see their traces in your logfiles, they've either learned that you're not vulnerable, or you're already hacked. I believe the better approach is to be proactive with security:

  • Keep your server software fully patched and up to date. Always. Fastidiously. Religiously.

  • Keep your attack profile as small as possible: Don't install/run any unnecessary software on the server. And, as William of Ockham once said, "Do not multiply user accounts unnecessarily."

  • Firewall your server. (Or don't, but know what you're doing.)

  • Run an intrusion detection system, like AIDE, OSSEC, or samhain. This will alert you when system files change unexpectedly, often a tip-off that your server has been compromised.

  • Run system monitoring/graphing software, like munin, cacti, collectd or the like. Watch the graphs on a regular basis to get a feel for what normal system loads look like, and what your regular trends look like. Then, when your graphs show something you've never seen before, you have impetus to investigate further.

  • Run a web log analyzer/grapher, like webalizer or awstats. Again, become familiar with what normal operations look like, so you can quickly recognize when things aren't normal.

  • Run a separate log server---preferrably on a minimal, security-hardened system that's running nothing else---and configure your servers to send their logs to it. This makes it much more difficult for an intruder to cover his tracks.

Solution 2:

What kind of server are you running? Apache?

That looks like an IIS exploit....Code Red/NIMDA

Solution 3:

Every publicly accessible web server receives requests like this all day long. They're just blindly attempting known exploits against your server. What I often do is configure the web server to display a blank page when it receives requests to it's IP (i.e. http://10.0.0.1). I only allow the sites to appear when the correct virtual host domain is requested.

See what site appears when you access the web server by IP instead of by domain name. Most of the exploit scripts crawling the netter-tubes aren't performing valid virtual host requests(proper virtual host headers).

You can also look into the various utilities that will automatically block IP addresses that attempt nefarious requests.

Related

Error Opening HKEY_USERS for [COMPUTER NAME] PsLoggedon
Is there any way to limit bandwidth usage by process ID in Windows?
How to stay up to date with the latest information about UNIX software patches and upgrades?
Some visitors cannot access my website
User to send as anyone in Exchange?
POSTFIX Won't Start says: bind 0.0.0.0 port 25: Address already in use, what should i do?
SSH closes connection after login Exit status 254
How do you NAT Hairpin in IOS 8.3+
Supervisor process exits with 'exit status 1; not expected'
Why was the FTP protocol designed to use more than one port?
Yum install php-pecl-memcached - No package found (Have epel-release-6-8.noarch.rpm)
Finding all domain names that resolve to the same ip?