Man, they'll try anything to hack your system...

Fred puissante at lrc.puissante.com
Fri Jan 27 08:54:01 EST 2006


On Thursday 26 January 2006 14:49, Thomas Charron wrote:
> On 1/25/06, Paul Lussier <p.lussier at comcast.net> wrote:
> > Oy.
> > I almost never look at my apache logs.  I probably should, but I
> > don't.  Tonight I was perusing them and noticing the activity in the
> > access.log and was amazed at the things these people try:
>
>   I enjoy poking at any sort of logs for something connected to the net
> nowadays.  The sheer amount of SSH attempts per day boggles the mind.
>
>   A week or so ago I set up a new box on a VMware instance, and just
> forwarded port 22.
>
>   *wham*  Beeeelions of login attempts from all over the world..

Yep. Which is largely why I moved my ssh off of port 22. Ssh attacks went to 
zero after that. There's a V.1 vulnerability that was exploited once, so I 
now make sure V.1 ssh is disabled.

As far as apache logs, for my major websites, I do keep a "ssh acct@website 
tail -f logfile" running for both access and error logs. The error logs are 
highly amusing. Constant queries for non-existent pages and directories for 
some of the most popular web-based software.

It's nice, though, seeing the queries happen in realtime, as I learn a lot 
that way. Bot activity represents 90+% of the traffic, and there are all 
kinds of bots that I had never seen before, along with the usual Slurps, 
GoogleBots, and MSNBots that are my friends. I've been debating if I should 
disallow all the other bots since they do put quite a load on my servers. 

I've gotten comments from some others that watching the logs in realtime is 
very "Matrix-like", though I have yet to see the blonds, brunettes, and 
red-heads in them! ;-)

-Fred
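
The log watching described in the message above can also be summarized offline. This is an added example, not part of the original post: it assumes Apache's "combined" log format, and the function names, the three-miss threshold, and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+(?: "[^"]*" "(?P<agent>[^"]*)")?$'
)
# Crawlers named in the post. User-Agent is client-supplied: a hint, not proof.
KNOWN_BOTS = {"slurp": "Slurp", "googlebot": "Googlebot", "msnbot": "MSNBot"}

def parse(line):
    """Return host, path, status and agent for one log line, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = m["request"].split()
    path = parts[1] if len(parts) >= 2 else m["request"]
    return {"host": m["host"], "path": path,
            "status": int(m["status"]), "agent": m["agent"] or ""}

def classify(agent):
    low = agent.lower()
    return next((name for key, name in KNOWN_BOTS.items() if key in low), "other")

def summarize(lines, min_404=3):
    """Count requests per crawler; list hosts with >= min_404 distinct missing paths."""
    agents, misses, skipped = Counter(), {}, 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            skipped += 1  # count malformed lines instead of dropping them silently
            continue
        agents[classify(rec["agent"])] += 1
        if rec["status"] == 404:
            misses.setdefault(rec["host"], set()).add(rec["path"])
    probers = {h: sorted(p) for h, p in misses.items() if len(p) >= min_404}
    return {"agents": dict(agents), "probers": probers, "skipped": skipped}

# Constructed sample lines (documentation addresses, made-up paths).
SAMPLE = [
    '192.0.2.10 - - [27/Jan/2006:08:00:01 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    '198.51.100.7 - - [27/Jan/2006:08:00:02 -0500] "GET /app-a/setup.php HTTP/1.0" 404 208 "-" "-"',
    '198.51.100.7 - - [27/Jan/2006:08:00:02 -0500] "GET /app-b/admin/ HTTP/1.0" 404 208 "-" "-"',
    '198.51.100.7 - - [27/Jan/2006:08:00:03 -0500] "GET /app-c/login.php HTTP/1.0" 404 208 "-" "-"',
    '192.0.2.22 - - [27/Jan/2006:08:00:04 -0500] "GET /missing.gif HTTP/1.1" 404 208 "http://example.org/" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '192.0.2.30 - - [27/Jan/2006:08:00:05 -0500] "GET /robots.txt HTTP/1.0" 200 24 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp)"',
    'not a log line',
]
if __name__ == "__main__": print(summarize(SAMPLE))
```

A single 404 from a browser (the `/missing.gif` line) stays below the threshold, while one host requesting several distinct missing paths is reported together with those paths.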



More information about the gnhlug-discuss mailing list