Tuesday, May 19, 2009

Apache Access Logs Record Attempted Hacks (Security Threats)

Here are some example Apache access logs (with local information removed) that show how Apache gets hit when it is exposed without a firewall.

The actual hostname and domain were changed to "hostname.domain" and the vhost was changed to "xxxxx". Known hits from internal IP addresses were removed.
::::::::::::::
access_log
::::::::::::::
61.139.105.163 - - [17/May/2009:12:30:37 -0400] "GET http://proxyjudge1.proxyfire.net/fastenv HTTP/1.1" 301 338 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
74.7.26.59 - - [17/May/2009:20:14:25 -0400] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 315 "-" "-"
74.7.26.59 - - [18/May/2009:01:55:58 -0400] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 315 "-" "-"
61.139.105.163 - - [18/May/2009:03:24:32 -0400] "GET http://proxyjudge1.proxyfire.net/fastenv HTTP/1.1" 301 338 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
64.235.52.108 - - [19/May/2009:10:03:43 -0400] "GET http://www.google.com/ HTTP/1.0" 301 318 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
61.139.105.163 - - [19/May/2009:10:23:21 -0400] "GET http://proxyjudge1.proxyfire.net/fastenv HTTP/1.1" 301 336 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
61.139.105.163 - - [19/May/2009:10:23:25 -0400] "GET http://proxyjudge1.proxyfire.net/fastenv HTTP/1.1" 301 338 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
61.139.105.163 - - [19/May/2009:10:23:38 -0400] "GET http://proxyjudge1.proxyfire.net/fastenv HTTP/1.1" 404 295 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
::::::::::::::
access_log.1
::::::::::::::
92.240.68.152 - - [10/May/2009:08:33:56 -0400] "GET http://www.littleredplanet.com/images/zenwalk_fly_free_snapshot500.png HTTP/1.1" 301 368 "-" "webcollage/1.135a"
61.139.105.163 - - [10/May/2009:17:41:01 -0400] "GET http://proxyjudge1.proxyfire.net/fastenv HTTP/1.1" 301 338 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
213.144.119.171 - - [10/May/2009:21:57:16 -0400] "GET /admin/phpmyadmin/main.php HTTP/1.0" 301 344 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:16 -0400] "GET /admin/phpMyAdmin/main.php HTTP/1.0" 301 344 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:16 -0400] "GET /admin/sysadmin/main.php HTTP/1.0" 301 342 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:17 -0400] "GET /admin/sqladmin/main.php HTTP/1.0" 301 342 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:17 -0400] "GET /admin/db/main.php HTTP/1.0" 301 336 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:17 -0400] "GET /admin/web/main.php HTTP/1.0" 301 337 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:17 -0400] "GET /admin/pMA/main.php HTTP/1.0" 301 337 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:18 -0400] "GET /admin/main.php HTTP/1.0" 301 333 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:18 -0400] "GET /admin/mysql/main.php HTTP/1.0" 301 339 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:18 -0400] "GET /admin/myadmin/main.php HTTP/1.0" 301 341 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:19 -0400] "GET /admin/webadmin/main.php HTTP/1.0" 301 342 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:19 -0400] "GET /admin/sqlweb/main.php HTTP/1.0" 301 340 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:19 -0400] "GET /admin/websql/main.php HTTP/1.0" 301 340 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:19 -0400] "GET /admin/webdb/main.php HTTP/1.0" 301 339 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:20 -0400] "GET /admin/mysqladmin/main.php HTTP/1.0" 301 344 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:20 -0400] "GET /admin/mysql-admin/main.php HTTP/1.0" 301 345 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:20 -0400] "GET /admin/phpmyadmin2/main.php HTTP/1.0" 301 345 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:20 -0400] "GET /admin/php-my-admin/main.php HTTP/1.0" 301 346 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:21 -0400] "GET /admin/phpMyAdmin-2.2.3/main.php HTTP/1.0" 301 350 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:21 -0400] "GET /admin/phpMyAdmin-2.2.6/main.php HTTP/1.0" 301 350 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:22 -0400] "GET /admin/phpMyAdmin-2.5.1/main.php HTTP/1.0" 301 350 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:22 -0400] "GET /admin/phpMyAdmin-2.5.4/main.php HTTP/1.0" 301 350 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:22 -0400] "GET /admin/phpMyAdmin-2.5.6/main.php HTTP/1.0" 301 350 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:23 -0400] "GET /admin/phpMyAdmin-2.6.0/main.php HTTP/1.0" 301 350 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:23 -0400] "GET /admin/phpMyAdmin-2.6.0-pl1/main.php HTTP/1.0" 301 354 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:23 -0400] "GET /admin/phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 301 354 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:24 -0400] "GET /admin/phpMyAdmin-2.6.3/main.php HTTP/1.0" 301 350 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:24 -0400] "GET /admin/phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 301 354 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:24 -0400] "GET /admin/phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 301 354 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:24 -0400] "GET /admin/padmin/main.php HTTP/1.0" 301 340 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:25 -0400] "GET /admin/datenbank/main.php HTTP/1.0" 301 343 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:25 -0400] "GET /admin/database/main.php HTTP/1.0" 301 342 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:25 -0400] "GET /phpmyadmin/main.php HTTP/1.0" 301 338 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:26 -0400] "GET /phpMyAdmin/main.php HTTP/1.0" 301 338 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:26 -0400] "GET /db/main.php HTTP/1.0" 301 330 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:26 -0400] "GET /web/main.php HTTP/1.0" 301 331 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:26 -0400] "GET /PMA/main.php HTTP/1.0" 301 331 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:27 -0400] "GET /admin/main.php HTTP/1.0" 301 333 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:27 -0400] "GET /mysql/main.php HTTP/1.0" 301 333 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:27 -0400] "GET /myadmin/main.php HTTP/1.0" 301 335 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:28 -0400] "GET /webadmin/main.php HTTP/1.0" 301 336 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:28 -0400] "GET /sqlweb/main.php HTTP/1.0" 301 334 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:28 -0400] "GET /websql/main.php HTTP/1.0" 301 334 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:28 -0400] "GET /webdb/main.php HTTP/1.0" 301 333 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:29 -0400] "GET /mysqladmin/main.php HTTP/1.0" 301 338 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:29 -0400] "GET /mysql-admin/main.php HTTP/1.0" 301 339 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:29 -0400] "GET /phpmyadmin2/main.php HTTP/1.0" 301 339 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:29 -0400] "GET /php-my-admin/main.php HTTP/1.0" 301 340 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:30 -0400] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 301 344 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:30 -0400] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 301 344 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:30 -0400] "GET /phpMyAdmin-2.5.1/main.php HTTP/1.0" 301 344 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:31 -0400] "GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 301 344 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:31 -0400] "GET /phpMyAdmin-2.5.6/main.php HTTP/1.0" 301 344 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:31 -0400] "GET /phpMyAdmin-2.6.0/main.php HTTP/1.0" 301 344 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:31 -0400] "GET /phpMyAdmin-2.6.0-pl1/main.php HTTP/1.0" 301 348 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:32 -0400] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 301 348 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:32 -0400] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 301 344 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:32 -0400] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 301 348 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:33 -0400] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 301 348 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:33 -0400] "GET /padmin/main.php HTTP/1.0" 301 334 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:33 -0400] "GET /datenbank/main.php HTTP/1.0" 301 337 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:33 -0400] "GET /database/main.php HTTP/1.0" 301 336 "-" "-"
61.139.105.163 - - [11/May/2009:23:00:33 -0400] "GET http://proxyjudge1.proxyfire.net/fastenv HTTP/1.1" 301 338 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
61.139.105.163 - - [12/May/2009:08:08:56 -0400] "GET http://proxyjudge1.proxyfire.net/fastenv HTTP/1.1" 301 338 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
64.233.149.10 - - [12/May/2009:23:06:20 -0400] "GET http://www.google.com/ HTTP/1.0" 301 320 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
81.171.125.93 - - [13/May/2009:22:24:18 -0400] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 315 "-" "-"
74.55.7.90 - - [14/May/2009:09:04:32 -0400] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 315 "-" "-"
211.95.78.70 - - [14/May/2009:14:28:32 -0400] "POST http://www.dormaster.com/cgi-bin/textenv.pl HTTP/1.1" 301 341 "-" "-"
211.95.78.70 - - [14/May/2009:14:28:32 -0400] "CONNECT xxxxx:443 HTTP/1.0" 301 331 "-" ""
211.95.78.70 - - [14/May/2009:14:28:33 -0400] "CONNECT xxxxx:443 HTTP/1.0" 301 331 "-" ""
74.222.1.105 - - [14/May/2009:17:06:33 -0400] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 315 "-" "-"
88.80.7.248 - - [14/May/2009:22:06:00 -0400] "GET http://88.80.7.248/pp/anp.php?a=UQVHUH%40GBZCPD&b=1155&c=41a7 HTTP/1.1" 301 369 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
72.46.126.20 - - [15/May/2009:15:29:06 -0400] "GET //user/templates/footer.tpl HTTP/1.1" 301 344 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
202.114.136.75 - - [15/May/2009:19:56:33 -0400] "GET http://www.sciencedirect.com/ HTTP/1.1" 301 327 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"
61.139.105.163 - - [16/May/2009:07:04:28 -0400] "GET http://proxyjudge1.proxyfire.net/fastenv HTTP/1.1" 301 338 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
218.194.51.13 - - [16/May/2009:12:29:44 -0400] "GET http://www.yahoo.com/ HTTP/1.1" 301 319 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Win2000)"
61.139.105.163 - - [16/May/2009:21:28:30 -0400] "GET http://proxyjudge1.proxyfire.net/fastenv HTTP/1.1" 301 338 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
218.194.51.13 - - [16/May/2009:22:02:30 -0400] "GET http://www.yahoo.com/ HTTP/1.1" 301 319 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Win2000)"
87.118.114.58 - - [17/May/2009:00:20:33 -0400] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 315 "-" "-"
67.205.89.170 - - [17/May/2009:01:58:54 -0400] "GET /thisdoesnotexistahaha.php HTTP/1.1" 301 344 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
67.205.89.170 - - [17/May/2009:01:58:54 -0400] "GET /roundcube/skins/default/images/roundcube_logo.png HTTP/1.1" 301 368 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
::::::::::::::
access_log.2
::::::::::::::
58.210.234.174 - - [03/May/2009:06:34:26 -0400] "GET /phpmyadmin/main.php HTTP/1.0" 301 338 "-" "-"
58.210.234.174 - - [03/May/2009:06:34:26 -0400] "GET /mysql/main.php HTTP/1.0" 301 333 "-" "-"
58.210.234.174 - - [03/May/2009:06:34:27 -0400] "GET /myadmin/main.php HTTP/1.0" 301 335 "-" "-"
58.210.234.174 - - [03/May/2009:06:34:27 -0400] "GET /phpMyAdmin/main.php HTTP/1.0" 301 338 "-" "-"
58.210.234.174 - - [03/May/2009:06:34:28 -0400] "GET /PMA/main.php HTTP/1.0" 301 331 "-" "-"
58.210.234.174 - - [03/May/2009:06:34:28 -0400] "GET /sql/main.php HTTP/1.0" 301 331 "-" "-"
58.210.234.174 - - [03/May/2009:06:34:29 -0400] "GET /admin/main.php HTTP/1.0" 301 333 "-" "-"
202.114.136.75 - - [04/May/2009:03:41:53 -0400] "GET http://www.sciencedirect.com/ HTTP/1.1" 301 327 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"
61.139.105.163 - - [04/May/2009:03:51:05 -0400] "GET http://proxyjudge1.proxyfire.net/fastenv HTTP/1.1" 301 338 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
122.66.77.226 - - [04/May/2009:07:10:19 -0400] "GET http://www.sciencedirect.com/ HTTP/1.1" 301 327 "-" ""
61.139.105.163 - - [05/May/2009:04:06:10 -0400] "GET http://proxyjudge1.proxyfire.net/fastenv HTTP/1.1" 301 338 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
61.139.105.163 - - [05/May/2009:07:16:30 -0400] "GET http://proxyjudge1.proxyfire.net/fastenv HTTP/1.1" 301 338 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
88.80.7.248 - - [05/May/2009:18:28:35 -0400] "GET http://88.80.7.248/pp/anp.php?a=UQVHUH%40GBZCPD&b=1155&c=41a7 HTTP/1.1" 301 369 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
61.139.105.163 - - [05/May/2009:21:19:59 -0400] "GET http://proxyjudge1.proxyfire.net/fastenv HTTP/1.1" 301 338 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
61.139.105.163 - - [07/May/2009:21:50:16 -0400] "GET http://proxyjudge1.proxyfire.net/fastenv HTTP/1.1" 301 338 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.188.252.3 - - [07/May/2009:22:20:16 -0400] "GET //README HTTP/1.1" 301 325 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
203.188.252.3 - - [07/May/2009:22:20:16 -0400] "GET /horde//README HTTP/1.1" 301 332 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
203.188.252.3 - - [07/May/2009:22:20:17 -0400] "GET /horde2//README HTTP/1.1" 301 333 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
203.188.252.3 - - [07/May/2009:22:20:18 -0400] "GET /horde3//README HTTP/1.1" 301 333 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
203.188.252.3 - - [07/May/2009:22:20:18 -0400] "GET /horde-3.0.5//README HTTP/1.1" 301 338 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
203.188.252.3 - - [07/May/2009:22:20:19 -0400] "GET /horde-3.0.6//README HTTP/1.1" 301 338 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
203.188.252.3 - - [07/May/2009:22:20:20 -0400] "GET /horde-3.0.7//README HTTP/1.1" 301 338 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
203.188.252.3 - - [07/May/2009:22:20:20 -0400] "GET /horde-3.0.8//README HTTP/1.1" 301 338 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
203.188.252.3 - - [07/May/2009:22:20:21 -0400] "GET /horde-3.0.9//README HTTP/1.1" 301 338 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
203.188.252.3 - - [07/May/2009:22:20:21 -0400] "GET /mail//README HTTP/1.1" 301 331 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
203.188.252.3 - - [07/May/2009:22:20:22 -0400] "GET /email//README HTTP/1.1" 301 332 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
203.188.252.3 - - [07/May/2009:22:20:23 -0400] "GET /webmail//README HTTP/1.1" 301 334 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
203.188.252.3 - - [07/May/2009:22:20:23 -0400] "GET /newmail//README HTTP/1.1" 301 334 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
203.188.252.3 - - [07/May/2009:22:20:24 -0400] "GET /mails//README HTTP/1.1" 301 332 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
203.188.252.3 - - [07/May/2009:22:20:25 -0400] "GET /mailz//README HTTP/1.1" 301 332 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
61.139.105.163 - - [08/May/2009:22:19:30 -0400] "GET http://proxyjudge1.proxyfire.net/fastenv HTTP/1.1" 301 338 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
218.23.79.219 - - [08/May/2009:22:36:07 -0400] "GET http://www.sciencedirect.com/ HTTP/1.1" 301 327 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
85.25.149.38 - - [09/May/2009:00:26:03 -0400] "GET /wordtrans/index.html HTTP/1.1" 301 339 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
85.25.149.38 - - [09/May/2009:00:26:03 -0400] "GET /wordtrans/index.php HTTP/1.1" 301 338 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
125.76.157.130 - - [09/May/2009:16:17:16 -0400] "GET http://www.sciencedirect.com/ HTTP/1.1" 301 327 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"
66.106.59.14 - - [09/May/2009:23:26:23 -0400] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 315 "-" "-"
::::::::::::::
access_log.3
::::::::::::::
61.139.105.163 - - [26/Apr/2009:17:51:53 -0400] "GET http://sevy.eu.org/azenv.php HTTP/1.1" 301 326 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
61.139.105.163 - - [27/Apr/2009:11:30:50 -0400] "GET http://sevy.eu.org/azenv.php HTTP/1.1" 301 326 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
221.6.184.223 - - [27/Apr/2009:13:13:34 -0400] "GET http://www.sciencedirect.com/ HTTP/1.1" 301 327 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)"
195.29.92.124 - - [27/Apr/2009:16:14:01 -0400] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 315 "-" "-"
61.139.105.163 - - [28/Apr/2009:03:52:53 -0400] "GET http://sevy.eu.org/azenv.php HTTP/1.1" 301 326 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
61.139.105.163 - - [28/Apr/2009:21:15:40 -0400] "GET http://sevy.eu.org/azenv.php HTTP/1.1" 301 326 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
88.80.7.248 - - [29/Apr/2009:02:49:37 -0400] "GET http://88.80.7.248/pp/anp.php?a=UQVHUH%40GBZCPD&b=1155&c=41a7 HTTP/1.1" 301 369 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
61.139.105.163 - - [29/Apr/2009:09:16:14 -0400] "GET http://proxyjudge1.proxyfire.net/fastenv HTTP/1.1" 301 338 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
61.139.105.163 - - [29/Apr/2009:23:40:28 -0400] "GET http://proxyjudge1.proxyfire.net/fastenv HTTP/1.1" 301 338 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
116.22.247.221 - - [30/Apr/2009:00:35:02 -0400] "GET http://springer.lib.tsinghua.edu.cn/ HTTP/1.1" 301 334 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"
61.139.105.163 - - [30/Apr/2009:21:45:34 -0400] "GET http://proxyjudge1.proxyfire.net/fastenv HTTP/1.1" 301 338 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
164.77.152.10 - - [01/May/2009:11:15:34 -0400] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 315 "-" "-"
208.69.178.92 - - [01/May/2009:16:33:46 -0400] "GET /level/16/exec/-///pwd HTTP/1.0" 301 351 "-" "-"
61.139.105.163 - - [01/May/2009:16:51:03 -0400] "GET http://proxyjudge1.proxyfire.net/fastenv HTTP/1.1" 301 338 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
202.114.136.75 - - [01/May/2009:17:05:54 -0400] "GET http://www.sciencedirect.com/ HTTP/1.1" 301 327 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"
202.114.136.75 - - [01/May/2009:22:57:24 -0400] "GET http://www.sciencedirect.com/ HTTP/1.1" 301 327 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"
202.114.136.75 - - [02/May/2009:12:45:26 -0400] "GET http://www.sciencedirect.com/ HTTP/1.1" 301 327 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"
::::::::::::::
access_log.4
::::::::::::::
61.139.105.163 - - [23/Apr/2009:17:11:34 -0400] "GET http://proxyjudge1.proxyfire.net/fastenv HTTP/1.1" 301 338 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
64.18.229.83 - - [24/Apr/2009:22:37:28 -0400] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 315 "-" "-"
61.139.105.163 - - [25/Apr/2009:10:14:11 -0400] "GET http://proxyjudge2.proxyfire.net/fastenv HTTP/1.1" 301 338 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
61.139.105.163 - - [26/Apr/2009:00:02:11 -0400] "GET http://sevy.eu.org/azenv.php HTTP/1.1" 301 326 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.240.250.14 - - [26/Apr/2009:00:52:22 -0400] "GET http://www.sciencedirect.com/ HTTP/1.1" 301 327 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Win2000)"
85.214.108.90 - - [26/Apr/2009:02:54:25 -0400] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 315 "-" "-"
One of the IPs that hit a vhost (xxxxx) directly apparently came from the following network (though the IP may have been spoofed):
whois 211.95.78.70
% [whois.apnic.net node-2]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:      211.90.0.0 - 211.97.255.255
netname:      UNICOM
descr:        China United Telecommunications Corporation
descr:        No.133,Taiyun Building,Xidan North Street
descr:        Xicheng District,Beijing,China
country:      CN
admin-c:      JY1446-AP
tech-c:       JY1446-AP
mnt-by:       MAINT-CNNIC-AP
mnt-lower:    MAINT-CNNIC-AP
mnt-routes:   MAINT-CNNIC-AP
status:       ALLOCATED PORTABLE
changed:      ipas@cnnic.cn 20070731
changed:      hm-changed@apnic.net 20070802
source:       APNIC

person:       Jin Yang
address:      No.133,Taiyun Building,Xidan North Street
address:      Xicheng District,Beijing,China
country:      CN
phone:        +86-10-66505588
fax-no:       +86-10-66504252
e-mail:       ip_address@chinaunicom.com.cn
nic-hdl:      JY1446-AP
mnt-by:       MAINT-CNNIC-AP
changed:      ipas@cnnic.cn 20070828
source:       APNIC
This is by no means meant to implicate that or any other person or entity whose IP is listed here, but if nothing else, maybe it will help you be aware of some of the attacks.
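
The following Python script, added here as an example and not part of the original post, classifies log lines like the ones above into proxy tests, scanner banners and admin-path probes, and flags any IP that requests several different paths within a few seconds. The rule names, the thresholds and the `ADMIN_RE` pattern are assumptions chosen for this example; the sample lines are copied from the logs above.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "[^"]*" "[^"]*"$')
# Directory names seen in the probes logged on this page (assumed list, not complete).
ADMIN_RE = re.compile(r"phpmyadmin|/pma/|mysql|sqlweb|websql|horde|webmail|roundcube", re.I)
ABSOLUTE_URI_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)

def classify(request):
    """Label one request line; None means no rule matched."""
    parts = request.split(" ")
    if len(parts) != 3:
        return "malformed"
    method, target, _ = parts
    if method == "CONNECT":
        return "proxy-connect"          # tunnel request: open-proxy test
    if ABSOLUTE_URI_RE.match(target):
        return "proxy-absolute-uri"     # origin servers normally see a path, not a full URL
    if target.startswith("/w00tw00t"):
        return "scanner-banner"         # DFind scanner fingerprint
    if ADMIN_RE.search(target):
        return "admin-path-probe"
    return None

def analyze(lines, min_paths=4, window_s=10):
    """Return ({ip: Counter(label)}, set of IPs that swept many paths quickly)."""
    labels, hits = defaultdict(Counter), defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ip, ts, request, _status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        label = classify(request)
        if label:
            labels[ip][label] += 1
        hits[ip].append((when, request))
    sweepers = set()
    for ip, seen in hits.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            while (seen[end][0] - seen[start][0]).total_seconds() > window_s:
                start += 1              # keep the window within window_s seconds
            if len({req for _, req in seen[start:end + 1]}) >= min_paths:
                sweepers.add(ip)
                break
    return dict(labels), sweepers

# Sample input: seven lines copied from the access logs on this page.
SAMPLE = '''\
61.139.105.163 - - [17/May/2009:12:30:37 -0400] "GET http://proxyjudge1.proxyfire.net/fastenv HTTP/1.1" 301 338 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
74.7.26.59 - - [17/May/2009:20:14:25 -0400] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 315 "-" "-"
211.95.78.70 - - [14/May/2009:14:28:32 -0400] "CONNECT xxxxx:443 HTTP/1.0" 301 331 "-" ""
213.144.119.171 - - [10/May/2009:21:57:25 -0400] "GET /phpmyadmin/main.php HTTP/1.0" 301 338 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:26 -0400] "GET /phpMyAdmin/main.php HTTP/1.0" 301 338 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:26 -0400] "GET /db/main.php HTTP/1.0" 301 330 "-" "-"
213.144.119.171 - - [10/May/2009:21:57:26 -0400] "GET /web/main.php HTTP/1.0" 301 331 "-" "-"
'''.splitlines()
if __name__ == "__main__":
    print(analyze(SAMPLE))
```

The rate check flags 213.144.119.171 even though `/db/` and `/web/` are not in the pattern list, which is why the two checks are kept separate.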
