
Possible Duplicate:
My server's been hacked EMERGENCY

Looking through my logs, I found this:

http://paste.u4ik.us/2294$

(The log files are on that paste).

The question is: this guy began using "all requests allowed", which is...? (Could someone explain it, please?) And eventually he was making requests from "127.0.0.1", which means he's using my local system?

If anyone can explain this, or help me prevent it, I'd like to know; it would be highly appreciated.

Thanks!

PS: I've since blocked their IP, but what's stopping this from happening again?

U4iK_HaZe
  • A search on 'allrequestsallowed' yielded this: http://askubuntu.com/questions/52649/allrequestsallowed-com-hack-attempt – mqsoh Oct 23 '11 at 07:06
  • @mqs - Mmm, thanks, I read that already. But that site seems shady. The IP 31.44.184.245 of the "attacker" is from Russia, AND WHEN VIEWING it as a website, it asks for credentials (http://31.44.184.245/), so it's really got me thinking. – U4iK_HaZe Oct 23 '11 at 07:08
  • @U4iK_HaZe I believe it was some kind of ADSL/cable modem/router asking for its management password - this setup is quite common in Russia. – rvs Oct 23 '11 at 07:23
  • A cable modem running an Apache server? – the-wabbit Oct 23 '11 at 14:27
  • @synet - The server is going through a firewall, then through an outside proxy server. (Web servers through an Apache proxy, to the firewall, then to the public.) And since this morning, there are MANY more of these entries in the logs. http://paste.u4ik.us/2169 – U4iK_HaZe Oct 23 '11 at 14:38

1 Answer

Don't panic. As general advice, before reading logs and trying to extract some security-related meaning from them, be sure you have a sufficiently thorough understanding of what they actually mean. Otherwise you end up with a heart attack over too many "dangerous-looking" log entries.

What you see is simply Internet background noise - someone probing your configuration for possible weaknesses. Such "attacks" are usually just blind attempts to exploit configuration problems or implementation bugs, most of them without any effect. There is absolutely no way to prevent this.

The 127.0.0.1 log entry you see in your original log paste is an entry which has been induced by your own system - most probably not on behalf of the attacker but through your own actions.

the-wabbit
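A small log triage script, added here as an example and not part of the question or the answer above. It parses Apache combined-format lines, separates the three things the thread talks about (foreign-URL requests of the "allrequestsallowed" kind, entries from 127.0.0.1, and ordinary traffic), and picks out the one case that is worth a second look: a proxy-style request that the server answered with a 2xx. The log lines are constructed for this example (IPs from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges; only the allrequestsallowed.com hostname is taken from the thread), and the regex is a general-purpose parser written for this example rather than anything from the original page.

```python
import re
from collections import Counter

# Parser for Apache "combined"/"common" log lines. Written for this example,
# not taken from the thread; assumes well-formed lines (no quotes inside the
# request field).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log (not real data). The first three entries imitate an
# open-proxy scanner; the fourth is a local tool; the fifth is a normal visitor;
# the last is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Oct/2011:03:14:07 +0000] "GET http://allrequestsallowed.com/?PHPSESSID=abc HTTP/1.1" 404 412 "-" "Mozilla/4.0"
203.0.113.7 - - [23/Oct/2011:03:14:09 +0000] "CONNECT allrequestsallowed.com:443 HTTP/1.1" 405 0 "-" "Mozilla/4.0"
203.0.113.9 - - [23/Oct/2011:03:20:11 +0000] "GET http://allrequestsallowed.com/ HTTP/1.1" 200 8831 "-" "-"
127.0.0.1 - - [23/Oct/2011:08:02:33 +0000] "GET /server-status HTTP/1.1" 200 3011 "-" "curl/7.21.0"
198.51.100.4 - - [23/Oct/2011:08:05:01 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
this line is garbage
"""


def parse_line(line):
    """Return a dict of fields, or None if the line is not a request entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["size"] = 0 if d["size"] == "-" else int(d["size"])
    return d


def is_proxy_probe(entry):
    """True when the client asked this server to fetch a *foreign* URL.

    A request line of the form 'GET http://host/...' (absolute URI) or a
    CONNECT request is the forward-proxy form of HTTP; an ordinary request to
    your own site carries only a path such as '/index.html'.
    """
    target = entry["target"].lower()
    return entry["method"] == "CONNECT" or target.startswith(("http://", "https://"))


def classify(entry):
    if entry is None:
        return "unparsed"
    if is_proxy_probe(entry):
        # A non-2xx answer means the proxy request was refused: harmless noise.
        # A 2xx does not yet prove forwarding (Apache without ProxyRequests On
        # usually answers an absolute URI with its own default site), but it is
        # the case that needs checking by hand.
        return "proxy-probe-served" if 200 <= entry["status"] < 300 else "proxy-probe-refused"
    if entry["ip"] == "127.0.0.1":
        # Originates on the host itself: local tools, cron jobs, monitoring,
        # or a reverse proxy on the same machine. Not the remote scanner.
        return "local-origin"
    return "ordinary"


def summarize(log_text):
    """Count entries per category."""
    return Counter(classify(parse_line(l)) for l in log_text.splitlines() if l.strip())


def served_probes(log_text):
    """Proxy probes that got a 2xx; compare the byte count with your own pages."""
    out = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and classify(e) == "proxy-probe-served":
            out.append((e["ip"], e["target"], e["size"]))
    return out


if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{label:20} {n}")
    for ip, target, size in served_probes(SAMPLE_LOG):
        print(f"check by hand: {ip} received {size} bytes for {target}")
```

Anything `served_probes` reports still needs a manual verification rather than a conclusion from the log alone: an Apache that is not a forward proxy typically answers `GET http://allrequestsallowed.com/` with its own default virtual host, so compare the logged byte count with the size of your own front page, and test from an outside machine with `curl -x your.host:80 http://example.org/`, which should return an error page from your server rather than example.org's content. If it does forward, `ProxyRequests Off` (the mod_proxy default) is the setting to check. Note also that on the proxy layout described in the comments, requests relayed by a reverse proxy on the same box will all show up as 127.0.0.1 unless the real client address is logged from the forwarded headers.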