Topic: httpd Error logs filling up with hack attempts?

[Cyrus Bharda]

Howdy all, well I was having a look through some httpd logs and found something that has scared me:

httpd/admin_error_log

[Tue Jan 28 12:41:41 2003] navigation: Use of uninitialized value in subroutine entry at /usr/lib/perl5/site_perl/5.6.0/i386-linux/XML/Parser/Expat.pm line 474.
[Tue Jan 28 12:41:41 2003] navigation: Use of uninitialized value in print at /usr/lib/perl5/site_perl/5.6.1/CGI/FormMagick/Setup.pm line 174.
[Tue Jan 28 12:41:41 2003] navigation: Use of uninitialized value in substitution (s///) at /usr/lib/perl5/site_perl/esmith/FormMagick.pm line 246,  line 120.
[Tue Jan 28 12:41:42 2003] navigation: Use of uninitialized value in subroutine entry at /usr/lib/perl5/site_perl/5.6.0/i386-linux/XML/Parser/Expat.pm line 474.
[Tue Jan 28 12:41:42 2003] navigation: Use of uninitialized value in print at /usr/lib/perl5/site_perl/5.6.1/CGI/FormMagick/Setup.pm line 174.
[Tue Jan 28 12:41:43 2003] navigation: Use of uninitialized value in substitution (s///) at /usr/lib/perl5/site_perl/esmith/FormMagick.pm line 246,  line 128.
[Tue Jan 28 12:41:43 2003] navigation: Use of uninitialized value in subroutine entry at /usr/lib/perl5/site_perl/5.6.0/i386-linux/XML/Parser/Expat.pm line 474.
[Tue Jan 28 12:41:43 2003] navigation: Use of uninitialized value in print at /usr/lib/perl5/site_perl/5.6.1/CGI/FormMagick/Setup.pm line 174.
Variable "@logfiles" will not stay shared at /etc/e-smith/web/panels/manager/cgi-bin/viewlogfiles line 134.
Variable "@logfiles" will not stay shared at /etc/e-smith/web/panels/manager/cgi-bin/viewlogfiles line 134.



httpd/error_log

[Wed Jan 22 01:12:28 2003] [notice] Apache configured -- resuming normal operations
[Wed Jan 22 01:12:28 2003] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Jan 22 01:12:28 2003] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Wed Jan 22 11:22:07 2003] [error] [client 218.103.38.170] File does not exist: /home/e-smith/files/primary/html/sumthin

[Fri Jan 24 05:20:56 2003] [error] mod_ssl: SSL handshake timed out (client 211.23.16.92, server www.mydomain.com:443)

[Mon Jan 27 03:42:46 2003] [error] [client 80.15.245.12] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Jan 27 03:43:17 2003] [error] mod_ssl: Cannot open SSLSessionCache DBM file /etc/httpd/logs/ssl_scache' for writing (store) (System error follows)
[Mon Jan 27 03:43:17 2003] [error] System: Permission denied (errno: 13)
[Mon Jan 27 03:43:21 2003] [error] mod_ssl: SSL handshake failed (server www.mydomain.com:443, client 80.15.245.12) (OpenSSL library error follows)
[Mon Jan 27 03:43:21 2003] [error] OpenSSL: error:1406908F:lib(20):func(105):reason(143)
[Tue Jan 28 04:02:56 2003] [error] [client 202.161.135.5] File does not exist: /home/e-smith/files/primary/html/sumthin
[Tue Jan 28 12:34:01 2003] [error] mod_ssl: Cannot open SSLSessionCache DBM file /etc/httpd/logs/ssl_scache' for writing (store) (System error follows)
[Tue Jan 28 12:34:01 2003] [error] System: Permission denied (errno: 13)
[Tue Jan 28 12:34:03 2003] [error] mod_ssl: Cannot open SSLSessionCache DBM file /etc/httpd/logs/ssl_scache' for scanning (System error follows)
[Tue Jan 28 12:34:03 2003] [error] System: Permission denied (errno: 13)
[Tue Jan 28 12:34:03 2003] [error] mod_ssl: Cannot open SSLSessionCache DBM file /etc/httpd/logs/ssl_scache' for reading (fetch) (System error follows)
[Tue Jan 28 12:34:03 2003] [error] System: Permission denied (errno: 13)
[Tue Jan 28 12:34:03 2003] [error] mod_ssl: Cannot open SSLSessionCache DBM file /etc/httpd/logs/ssl_scache' for writing (store) (System error follows)
[Tue Jan 28 12:34:03 2003] [error] System: Permission denied (errno: 13)
[Tue Jan 28 12:34:05 2003] [error] mod_ssl: Cannot open SSLSessionCache DBM file /etc/httpd/logs/ssl_scache' for scanning (System error follows)
[Tue Jan 28 12:34:05 2003] [error] System: Permission denied (errno: 13)
[Tue Jan 28 12:34:05 2003] [error] mod_ssl: Cannot open SSLSessionCache DBM file /etc/httpd/logs/ssl_scache' for reading (fetch) (System error follows)
[Tue Jan 28 12:34:05 2003] [error] System: Permission denied (errno: 13)
[Tue Jan 28 12:34:05 2003] [error] mod_ssl: Cannot open SSLSessionCache DBM file /etc/httpd/logs/ssl_scache' for writing (store) (System error follows)
[Tue Jan 28 12:34:05 2003] [error] System: Permission denied (errno: 13)



httpd/ssl_engine_log

[24/Jan/2003 15:27:03 01139] [info]  Init: Configuring server www.mydomain.com:443 for SSL protocol
[24/Jan/2003 15:27:03 01139] [warn]  Init: (www.mydomain.com:443) RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[24/Jan/2003 15:27:03 01139] [warn]  Init: (www.mydomain.com:443) RSA server certificate CommonName (CN) langs.net.au' does NOT match server name!?
[26/Jan/2003 15:01:48 01151] [info]  Connection to child 9 established (server www.mydomain.com:443, client 206.159.117.131)
[26/Jan/2003 15:01:48 01151] [info]  Seeding PRNG with 1160 bytes of entropy
[26/Jan/2003 15:01:48 01151] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[27/Jan/2003 03:42:48 01144] [info]  Connection to child 2 established (server www.mydomain.com:443, client 80.15.245.12)
[27/Jan/2003 03:42:48 01144] [info]  Seeding PRNG with 1160 bytes of entropy
[27/Jan/2003 03:42:49 01145] [info]  Connection to child 3 established (server www.mydomain.com:443, client 80.15.245.12)
[27/Jan/2003 03:42:49 01145] [info]  Seeding PRNG with 1160 bytes of entropy
[27/Jan/2003 03:42:50 01146] [info]  Connection to child 4 established (server www.mydomain.com:443, client 80.15.245.12)
[27/Jan/2003 03:42:50 01146] [info]  Seeding PRNG with 1160 bytes of entropy
[27/Jan/2003 03:42:51 01147] [info]  Connection to child 5 established (server www.mydomain.com:443, client 80.15.245.12)
[27/Jan/2003 03:42:51 01147] [info]  Seeding PRNG with 1160 bytes of entropy
[27/Jan/2003 03:42:53 01148] [info]  Connection to child 6 established (server www.mydomain.com:443, client 80.15.245.12)
[27/Jan/2003 03:42:53 01148] [info]  Seeding PRNG with 1160 bytes of entropy
[27/Jan/2003 03:42:57 01151] [info]  Connection to child 9 established (server www.mydomain.com:443, client 80.15.245.12)
[27/Jan/2003 03:42:57 01151] [info]  Seeding PRNG with 1160 bytes of entropy
[27/Jan/2003 03:42:58 01150] [info]  Connection to child 8 established (server www.mydomain.com:443, client 80.15.245.12)
[27/Jan/2003 03:42:58 01150] [info]  Seeding PRNG with 1160 bytes of entropy
[27/Jan/2003 03:42:59 01149] [info]  Connection to child 7 established (server www.mydomain.com:443, client 80.15.245.12)
[27/Jan/2003 03:42:59 01149] [info]  Seeding PRNG with 1160 bytes of entropy
[27/Jan/2003 03:43:03 01143] [info]  Connection to child 1 established (server www.mydomain.com:443, client 80.15.245.12)
[27/Jan/2003 03:43:03 01143] [info]  Seeding PRNG with 1160 bytes of entropy
[27/Jan/2003 03:43:04 30086] [info]  Connection to child 10 established (server www.mydomain.com:443, client 80.15.245.12)
[27/Jan/2003 03:43:04 30086] [info]  Seeding PRNG with 1160 bytes of entropy
[27/Jan/2003 03:43:05 30087] [info]  Connection to child 11 established (server www.mydomain.com:443, client 80.15.245.12)
[27/Jan/2003 03:43:05 30087] [info]  Seeding PRNG with 1160 bytes of entropy
[27/Jan/2003 03:43:07 30088] [info]  Connection to child 12 established (server www.mydomain.com:443, client 80.15.245.12)
[27/Jan/2003 03:43:07 30088] [info]  Seeding PRNG with 1160 bytes of entropy
[27/Jan/2003 03:43:08 30089] [info]  Connection to child 13 established (server www.mydomain.com:443, client 80.15.245.12)
[27/Jan/2003 03:43:08 30089] [info]  Seeding PRNG with 1160 bytes of entropy
[27/Jan/2003 03:43:09 30090] [info]  Connection to child 14 established (server www.mydomain.com:443, client 80.15.245.12)
[27/Jan/2003 03:43:09 30090] [info]  Seeding PRNG with 1160 bytes of entropy
[27/Jan/2003 03:43:11 30091] [info]  Connection to child 15 established (server www.mydomain.com:443, client 80.15.245.12)
[27/Jan/2003 03:43:11 30091] [info]  Seeding PRNG with 1160 bytes of entropy
[27/Jan/2003 03:43:12 30092] [info]  Connection to child 16 established (server www.mydomain.com:443, client 80.15.245.12)
[27/Jan/2003 03:43:12 30092] [info]  Seeding PRNG with 1160 bytes of entropy
[27/Jan/2003 03:43:13 01142] [info]  Connection to child 0 established (server www.mydomain.com:443, client 80.15.245.12)
[27/Jan/2003 03:43:13 01142] [info]  Seeding PRNG with 1160 bytes of entropy
[27/Jan/2003 03:43:14 30116] [info]  Connection to child 17 established (server www.mydomain.com:443, client 80.15.245.12)
[27/Jan/2003 03:43:14 30116] [info]  Seeding PRNG with 1160 bytes of entropy
[27/Jan/2003 03:43:15 30117] [info]  Connection to child 18 established (server www.mydomain.com:443, client 80.15.245.12)
[27/Jan/2003 03:43:15 30117] [info]  Seeding PRNG with 1160 bytes of entropy
[27/Jan/2003 03:43:17 30116] [error] Cannot open SSLSessionCache DBM file /etc/httpd/logs/ssl_scache' for writing (store) (System error follows)
[27/Jan/2003 03:43:17 30116] [error] System: Permission denied (errno: 13)
[27/Jan/2003 03:43:17 30116] [info]  Connection: Client IP: 80.15.245.12, Protocol: SSLv2, Cipher: RC4-MD5 (128/128 bits)
[27/Jan/2003 03:43:21 30117] [error] SSL handshake failed (server www.mydomain.com:443, client 80.15.245.12) (OpenSSL library error follows)
[27/Jan/2003 03:43:21 30117] [error] OpenSSL: error:1406908F:lib(20):func(105):reason(143)
[27/Jan/2003 03:43:25 01146] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[27/Jan/2003 03:43:25 01151] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[27/Jan/2003 03:43:29 30116] [info]  Connection to child 17 closed with standard shutdown (server www.mydomain.com:443, client 80.15.245.12)
[27/Jan/2003 03:43:30 01148] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[27/Jan/2003 03:43:30 30086] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[27/Jan/2003 03:43:30 01149] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[27/Jan/2003 03:43:30 01143] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[27/Jan/2003 03:43:30 30089] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[27/Jan/2003 03:43:30 30090] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[27/Jan/2003 03:43:30 30092] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[27/Jan/2003 03:43:30 30088] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[27/Jan/2003 03:43:30 01142] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[27/Jan/2003 03:43:30 01144] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[27/Jan/2003 03:43:30 01147] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[27/Jan/2003 03:43:30 01150] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[27/Jan/2003 03:43:30 30087] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[27/Jan/2003 03:43:30 30118] [info]  Connection to child 19 established (server www.mydomain.com:443, client 80.15.245.12)
[27/Jan/2003 03:43:30 30118] [info]  Seeding PRNG with 1160 bytes of entropy


 
I have no idea what these mean or if they are related together, I also see a lot of nimda attacks, but not from that same IP 80.15.245.12

So do I need to be worried?