Topic: httpd access_log query

[fixit]

can someone tell me what this means, does this mean that someone from this ip address logged into my server

fixitcomputers.com.au 217.20.215.115 - - [28/Oct/2005:00:59:14 +1000] "CONNECT login.icq.com:443 HTTP/1.0" 405 234 "-" "Mozilla/4.08 [en] (WinNT; U ;Nav)"


this ip 217.20.215.115 points to somewhere in the Russian Federation

I went to http://www.dnsstuff.com/ and did a WHOIS results for 217.20.215.115

any info about this msg, would be appreciated

Thanks,Russell

[CharlieBrady]

can someone tell me what this means, does this mean that someone from this ip address logged into my server

fixitcomputers.com.au 217.20.215.115 - - [28/Oct/2005:00:59:14 +1000] "CONNECT login.icq.com:443 HTTP/1.0" 405 234 "-" "Mozilla/4.08 [en] (WinNT; U ;Nav)"

This means that someone asked your web server to patch through a connection to login.icq.co:443 and it refused (405 - "Method Not Allowed").

Google for "login.icq.co:443" and you'll see that you're not the only one to receive this attention (which is probably from IM spammers trying to hide their origin).

[fixit]

Hi Charlie, thanks for the reply, I have had a look around @ google as suggested and some interesting stuff about IM's, I know why my firewall would always shutdown internet access when this triggered.

Hows that issue with CentOS going, I wonder how long they will use 4.2 for

Thanks, Russell

[CharlieBrady]

Hi Charlie, thanks for the reply, I have had a look around @ google as suggested and some interesting stuff about IM's, I know why my firewall would always shutdown internet access when this triggered.

Why does your firewall shutdown internet access? That sounds like an obvious denial of service attack you have opened yourself up to.

Hows that issue with CentOS going, I wonder how long they will use 4.2 for

What issue with CentOS? Who is "they"?

[fixit]

OK, I have another query, why would someone be trying to find these files on my server

scripts
MSADC
c
d
scripts
_vti_bin
_mem_bin
sumthin

61.253.58.70 dnsstuff.com shows Location: Korea-KR [City: Seoul, Kyonggi-Do]

is this the result of the Nimda worm


[Tue Nov 01 20:06:13 2005] [error] [client 61.253.58.70] File does not exist: /home/e-smith/files/ibays/Primary/html/scripts
[Tue Nov 01 20:06:14 2005] [error] [client 61.253.58.70] File does not exist: /home/e-smith/files/ibays/Primary/html/MSADC
[Tue Nov 01 20:06:15 2005] [error] [client 61.253.58.70] File does not exist: /home/e-smith/files/ibays/Primary/html/c
[Tue Nov 01 20:06:16 2005] [error] [client 61.253.58.70] File does not exist: /home/e-smith/files/ibays/Primary/html/d
[Tue Nov 01 20:06:16 2005] [error] [client 61.253.58.70] File does not exist: /home/e-smith/files/ibays/Primary/html/scripts
[Tue Nov 01 20:06:17 2005] [error] [client 61.253.58.70] File does not exist: /home/e-smith/files/ibays/Primary/html/_vti_bin
[Tue Nov 01 20:06:18 2005] [error] [client 61.253.58.70] File does not exist: /home/e-smith/files/ibays/Primary/html/_mem_bin
[Tue Nov 01 20:06:18 2005] [error] [client 61.253.58.70] File does not exist: /home/e-smith/files/ibays/Primary/html/msadc
[Tue Nov 01 20:06:19 2005] [error] [client 61.253.58.70] File does not exist: /home/e-smith/files/ibays/Primary/html/scripts
[Tue Nov 01 20:06:20 2005] [error] [client 61.253.58.70] File does not exist: /home/e-smith/files/ibays/Primary/html/scripts
[Tue Nov 01 20:06:21 2005] [error] [client 61.253.58.70] File does not exist: /home/e-smith/files/ibays/Primary/html/scripts
[Tue Nov 01 20:06:23 2005] [error] [client 61.253.58.70] File does not exist: /home/e-smith/files/ibays/Primary/html/scripts
[Tue Nov 01 20:06:27 2005] [error] [client 61.253.58.70] File does not exist: /home/e-smith/files/ibays/Primary/html/scripts
[Tue Nov 01 21:42:28 2005] [error] [client 218.202.219.193] File does not exist: /home/e-smith/files/ibays/Primary/html/sumthin