[Talk] break-in... anyone read chink?

talk@flux.org
Thu, 1 Nov 2007 23:36:38 -0400


On 11/1/07, Terry Richards - sn00per1@bellsouth.net
<+flux+simicich+a4ddef9a5d.sn00per1#bellsouth.net@spamgourmet.com>
wrote:
> flux.simicich@spamgourmet.com wrote:
>

> >Please explain why you would claim to be quoting your logs and not
> >give us the complete line from your logs, tell us which log, and
> >explain that the tail of your report was a web page and not from your
> >logs, if that is in fact the case?
> >
> >
> 218.10.111.119 - - [01/Nov/2007:01:57:44 -0500] "GET
> http://218.10.111.119/lbc.php HTTP/1.1" 404 269 "-" "Mozilla/4.0
> (compatible; MSIE 6.0; Windows NT 5.1)"

OK, he is probing you for an open proxy. He did it from the same
system that had the web page - so that, perhaps, he could see the exit
address of your potential proxy if it was not equal to the entry
address. The 404 indicates that you refused to give it to him. This is
the same error that is given for any unknown page. This is, from the
looks of it, a combined log which records all error and non error
access as well as referrer and browser strings. The 269 is the size of
your error page.  End of story. As to why the system is now flaky,
maybe that is a result of the crash, or maybe something has failed in
the hardware.

Sounds like you might have garbage in the cache or the cache index.  I
would certainly try to reset (clear) the cache and the index to the
cache. It will rebuild it as the stuff is accessed. I am not sure
which cache manager you are running, but I suspect that it can
probably start from an empty cache directory with more success than it
is now having. Check the instructions to be sure, there may be a
command to get it to clear its cache and index.

> 218.10.111.119 - - [01/Nov/2007:02:29:48 -0500] "GET
> http://218.10.111.119/lbc.php HTTP/1.1" 404 269 "-" "Mozilla/4.0
> (compatible; MSIE 6.0; Windows NT 5.1)"

Same thing.  Easier to diagnose with a complete log entry.

It is really doubtful that this access has anything to do with your
problem. If the same cracker continued to try to find a foothold and
found it somewhere else, then maybe he got in and that is the cause of
your problems. From this I can't tell. But it is very unlikely that
this 404 error compromised your system.

Was this the only server that crashed at the time?  What does the
syslog say, if anything?

And, since this is talk, how was Mexico and where did you go?

-- 
A man can't live in the everglades
Where a man can hide and never be found and have no fear of the bayin' hound
But he better keep movin' and don't stand still
If the skeeters don't get him then the gators will
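The reply above reads the quoted line field by field (source host, timestamp, request line, status, response size, referrer, user agent) and spots the proxy probe by the absolute URI in the request line. The following is an added example, not part of the original thread, that does the same reading mechanically for the Apache/NCSA "combined" format and flags request lines whose target is an absolute URI, which is what a client sends to a proxy rather than to an origin server. The two sample lines from the thread are re-joined from the wrapped e-mail text; the other two sample lines are constructed, and the field names and helper names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Apache/NCSA "combined" log format (one entry per line):
#   host ident authuser [timestamp] "request" status bytes "referrer" "user-agent"
# "bytes" is the size of the response body as sent; Apache logs "-" when it is zero.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)


@dataclass
class Entry:
    host: str        # client address (the probing system in the thread)
    time: str        # timestamp as logged, e.g. 01/Nov/2007:01:57:44 -0500
    method: str      # GET, HEAD, POST, ...
    target: str      # path, or an absolute URI when the client spoke proxy-style
    protocol: str    # HTTP/1.0 or HTTP/1.1
    status: int      # 404 in the thread: nothing matched, so nothing was relayed
    size: int        # response body bytes; 0 when the log shows "-"
    referrer: str
    agent: str

    def is_proxy_probe(self) -> bool:
        # An origin server is normally asked for "/lbc.php"; asking it for
        # "http://host/lbc.php" is the request-line shape used with a proxy.
        return self.target.lower().startswith(("http://", "https://"))


def parse_combined(line: str) -> Optional[Entry]:
    """Parse one combined-format line; return None for anything malformed."""
    m = COMBINED_RE.match(line.strip())
    if m is None:
        return None
    parts = m.group("request").split(" ")
    if len(parts) != 3:
        return None  # request line is not "METHOD TARGET PROTOCOL"
    method, target, protocol = parts
    raw_bytes = m.group("bytes")
    size = 0 if raw_bytes == "-" else int(raw_bytes)
    return Entry(
        host=m.group("host"), time=m.group("time"), method=method,
        target=target, protocol=protocol, status=int(m.group("status")),
        size=size, referrer=m.group("referrer"), agent=m.group("agent"),
    )


def find_proxy_probes(lines: List[str]) -> List[Entry]:
    """Return the entries whose request target is an absolute URI."""
    hits = []
    for line in lines:
        entry = parse_combined(line)
        if entry is not None and entry.is_proxy_probe():
            hits.append(entry)
    return hits


# Sample input: the first two lines are the thread's own log entries, re-joined;
# the last two are constructed to show an ordinary request and a "-" byte count.
SAMPLE_LINES = [
    '218.10.111.119 - - [01/Nov/2007:01:57:44 -0500] "GET http://218.10.111.119/lbc.php HTTP/1.1" '
    '404 269 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '218.10.111.119 - - [01/Nov/2007:02:29:48 -0500] "GET http://218.10.111.119/lbc.php HTTP/1.1" '
    '404 269 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.0.2.10 - - [01/Nov/2007:02:00:00 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [01/Nov/2007:02:01:00 -0500] "HEAD /index.html HTTP/1.0" 304 - "-" "-"',
]

if __name__ == "__main__":
    for probe in find_proxy_probes(SAMPLE_LINES):
        # A 404 with a small body means the server answered with its error page
        # and relayed nothing; a 200 here would deserve a closer look.
        print(f"{probe.time} {probe.host} asked for {probe.target!r}: "
              f"status {probe.status}, {probe.size} bytes")
```

Run against a real access log, the useful output is the set of source hosts making absolute-URI requests together with the status codes they received; a steady stream of 404s with the same body size is the server declining, while a non-error status on such a request is the line worth investigating.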