[cobalt-security] Repeated log entries for .cobalt/error/forbidden.html



Hey All.

I am trying to figure out the following log message that keeps showing up in
my adm_access log file:

67.32.217.163 - - [09/Mar/2002:10:43:50 -0500] "GET /.cobalt/error/forbidden.html HTTP/1.0" 200 653
67.32.217.163 - - [09/Mar/2002:10:43:51 -0500] "GET /.cobalt/images/lock_warning HTTP/1.1" 200 1139

Lately I am getting them about one an hour, from a different IP address
every time, but only from 1 or 2 dial-up accounts, including Bell South (this
one) and AOL. What I am trying to figure out is exactly what they are doing.

I have "grep"'d every one of the log files in /var/log and /var/log/httpd
with both the timeframe and the IP. Nothing shows up for that IP address,
and nothing looks weird. I also looked at the various admin logs and they
look ok too.

Tripwire reports nothing unusual (nor has it in the past), the box is fully
patched (latest SSH too - thanks PKG masters), and I don't see any failed
PAM or other login attempts. Nobody but me has shell access and few people
access the box at all - all trusted. Oh - a RaQ4r.

At first I thought it might be a brute force on my admin area. But now I
am getting the impression that this is just someone trying to hit a page in
the secure area as there are no failed logins - perhaps trying one of those
stupid "exploits" that were recently released? Script kiddies perhaps...

Any thoughts would be greatly appreciated.
Rick Ewart
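
The manual grep-by-IP-and-timeframe check described in the post can be scripted; the following is an added example, not part of the original message. It assumes the adm_access log is in Common Log Format as in the two lines quoted above; the function names, the 60-second window and every sample line after the first two are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')
ERROR_PAGE = "/.cobalt/error/forbidden.html"

# First two lines are from the post (re-joined); the rest are constructed.
SAMPLE = '''\
67.32.217.163 - - [09/Mar/2002:10:43:50 -0500] "GET /.cobalt/error/forbidden.html HTTP/1.0" 200 653
67.32.217.163 - - [09/Mar/2002:10:43:51 -0500] "GET /.cobalt/images/lock_warning HTTP/1.1" 200 1139
192.0.2.10 - admin [09/Mar/2002:10:50:02 -0500] "GET /index.html HTTP/1.0" 200 2048
198.51.100.7 - - [09/Mar/2002:11:41:12 -0500] "GET /.cobalt/error/forbidden.html HTTP/1.0" 200 653
not a log line
'''

def parse(text):
    """Yield (ip, time, path, status) per well-formed line; skip the rest."""
    for line in text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        ip, ts, _method, path, status, _size = m.groups()
        try:
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        yield ip, when, path, int(status)

def correlate(text, window_seconds=60):
    """For each hit on ERROR_PAGE, list what else that IP requested nearby in time."""
    by_ip = defaultdict(list)
    for ip, when, path, status in parse(text):
        by_ip[ip].append((when, path, status))
    window = timedelta(seconds=window_seconds)
    report = []
    for ip, events in by_ip.items():
        for when, path, _ in events:
            if path != ERROR_PAGE:
                continue
            nearby = [(p, s) for t, p, s in events
                      if p != ERROR_PAGE and abs(t - when) <= window]
            report.append((ip, when.strftime("%Y-%m-%d %H:00"), nearby))
    return report

if __name__ == "__main__":
    for ip, hour, nearby in correlate(SAMPLE):
        print(ip, hour, nearby or "no other requests in window")
```

Concatenating several log files into the `text` argument gives the same cross-file view as grepping each file in /var/log/httpd for the IP and time.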