HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


kieron 3rd August 2010 02:06

Localhost lookups in system log
 
Hi
I have noticed a lot of localhost lookups, mainly pointing to phpMyAdmin, but this week I have also noticed lookups with the server's external IP.
Not too sure why this is happening; an explanation would help here if possible. Thx in advance.

localhost||||1155||||87.194.131.22 - - [03/Aug/2010:05:48:41 +0100] "GET / HTTP/1.1" 200 1155 "-" "-"
localhost||||1155||||87.194.131.22 - - [03/Aug/2010:05:53:41 +0100] "GET / HTTP/1.1" 200 1155 "-" "-"
localhost||||1155||||87.194.131.22 - - [03/Aug/2010:05:58:41 +0100] "GET / HTTP/1.1" 200 1155 "-" "-"
localhost||||1155||||87.194.131.22 - - [03/Aug/2010:06:03:41 +0100] "GET / HTTP/1.1" 200 1155 "-" "-"
localhost||||1155||||87.194.131.22 - - [03/Aug/2010:06:08:41 +0100] "GET / HTTP/1.1" 200 1155 "-" "-"
localhost||||1155||||87.194.131.22 - - [03/Aug/2010:06:13:41 +0100] "GET / HTTP/1.1" 200 1155 "-" "-"
localhost||||1155||||87.194.131.22 - - [03/Aug/2010:06:18:41 +0100] "GET / HTTP/1.1" 200 1155 "-" "-"
localhost||||1155||||87.194.131.22 - - [03/Aug/2010:06:23:42 +0100] "GET / HTTP/1.1" 200 1155 "-" "-"
localhost||||1155||||87.194.131.22 - - [03/Aug/2010:06:28:41 +0100] "GET / HTTP/1.1" 200 1155 "-" "-"
localhost||||1155||||87.194.131.22 - - [03/Aug/2010:06:33:42 +0100] "GET / HTTP/1.1" 200 1155 "-" "-"
localhost||||1155||||87.194.131.22 - - [03/Aug/2010:06:38:42 +0100] "GET / HTTP/1.1" 200 1155 "-" "-"
localhost||||1155||||87.194.131.22 - - [03/Aug/2010:06:43:42 +0100] "GET / HTTP/1.1" 200 1155 "-" "-"
localhost||||1155||||87.194.131.22 - - [03/Aug/2010:06:48:42 +0100] "GET / HTTP/1.1" 200 1155 "-" "-"
localhost||||1155||||87.194.131.22 - - [03/Aug/2010:06:53:42 +0100] "GET / HTTP/1.1" 200 1155 "-" "-"

I'm not sure how to stop my own IP for the server from doing this, and whether it is a problem to be worried about.
The server IP localhost lookups are not recorded in the Apache error logs.


But all of this type are recorded in the Apache error logs:

localhost||||399||||210.83.230.158 - - [02/Aug/2010:22:22:11 +0100] "GET /nosuichfile.php HTTP/1.1" 404 399 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
localhost||||406||||210.83.230.158 - - [02/Aug/2010:22:22:12 +0100] "GET /noxdir/nosuichfile.php HTTP/1.1" 404 406 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
localhost||||405||||210.83.230.158 - - [02/Aug/2010:22:22:12 +0100] "GET /PMA/scripts/setup.php HTTP/1.1" 404 405 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
localhost||||409||||210.83.230.158 - - [02/Aug/2010:22:22:12 +0100] "GET /PMA2005/scripts/setup.php HTTP/1.1" 404 409 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
localhost||||413||||210.83.230.158 - - [02/Aug/2010:22:22:13 +0100] "GET /admin/mysql/scripts/setup.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
localhost||||418||||210.83.230.158 - - [02/Aug/2010:22:22:13 +0100] "GET /admin/phpmyadmin/scripts/setup.php HTTP/1.1" 404 418 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
localhost||||411||||210.83.230.158 - - [02/Aug/2010:22:22:13 +0100] "GET /admin/pma/scripts/setup.php HTTP/1.1" 404 411 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
localhost||||407||||210.83.230.158 - - [02/Aug/2010:22:22:14 +0100] "GET /admin/scripts/setup.php HTTP/1.1" 404 407 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
localhost||||404||||210.83.230.158 - - [02/Aug/2010:22:22:14 +0100] "GET /db/scripts/setup.php HTTP/1.1" 404 404 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
localhost||||409||||210.83.230.158 - - [02/Aug/2010:22:22:14 +0100] "GET /dbadmin/scripts/setup.php HTTP/1.1" 404 409 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
localhost||||409||||210.83.230.158 - - [02/Aug/2010:22:22:15 +0100] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 409 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
localhost||||413||||210.83.230.158 - - [02/Aug/2010:22:22:15 +0100] "GET /mysql-admin/scripts/setup.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
localhost||||407||||210.83.230.158 - - [02/Aug/2010:22:22:15 +0100] "GET /mysql/scripts/setup.php HTTP/1.1" 404 407 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
localhost||||412||||210.83.230.158 - - [02/Aug/2010:22:22:16 +0100] "GET /mysqladmin/scripts/setup.php HTTP/1.1" 404 412 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
localhost||||414||||210.83.230.158 - - [02/Aug/2010:22:22:16 +0100] "GET /mysqlmanager/scripts/setup.php HTTP/1.1" 404 414 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
localhost||||407||||210.83.230.158 - - [02/Aug/2010:22:22:16 +0100] "GET /p/m/a/scripts/setup.php HTTP/1.1" 404 407 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
localhost||||407||||210.83.230.158 - - [02/Aug/2010:22:22:17 +0100] "GET /pHpMy/scripts/setup.php HTTP/1.1" 404 407 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
localhost||||412||||210.83.230.158 - - [02/Aug/2010:22:22:17 +0100] "GET /pHpMyAdMiN/scripts/setup.php HTTP/1.1" 404 412 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
localhost||||414||||210.83.230.158 - - [02/Aug/2010:22:22:17 +0100] "GET /php-my-admin/scripts/setup.php HTTP/1.1" 404 414 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
localhost||||413||||210.83.230.158 - - [02/Aug/2010:22:22:18 +0100] "GET /php-myadmin/scripts/setup.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
localhost||||408||||210.83.230.158 - - [02/Aug/2010:22:22:18 +0100] "GET /phpMyA/scripts/setup.php HTTP/1.1" 404 408 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
localhost||||411||||210.83.230.158 - - [02/Aug/2010:22:22:18 +0100] "GET /phpMyAdmi/scripts/setup.php HTTP/1.1" 404 411 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
localhost||||419||||210.83.230.158 - - [02/Aug/2010:22:22:19 +0100] "GET /phpMyAdmin-2.10.0/scripts/setup.php HTTP/1.1" 404 419 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
localhost||||419||||210.83.230.158 - - [02/Aug/2010:22:22:19 +0100] "GET /phpMyAdmin-2.11.1/scripts/setup.php HTTP/1.1" 404 419 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
localhost||||420||||210.83.230.158 - - [02/Aug/2010:22:22:19 +0100] "GET /phpMyAdmin-2.11.10/scripts/setup.php HTTP/1.1" 404 420 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"

falko 3rd August 2010 18:13

I guess someone is trying to scan your server to find a vulnerability. You can block that IP as follows: http://www.howtoforge.com/forums/sho...42&postcount=4

kieron 3rd August 2010 18:29

Localhost lookups in system log
 
Hi
Thanks for your reply. I have blocked the IPs of the scanners, but it is these, which are the IP of my server, that I was worried about.

localhost||||1155||||87.194.131.22 - - [03/Aug/2010:05:48:41 +0100] "GET / HTTP/1.1" 200 1155 "-" "-"
localhost||||1155||||87.194.131.22 - - [03/Aug/2010:05:53:41 +0100] "GET / HTTP/1.1" 200 1155 "-" "-"
localhost||||1155||||87.194.131.22 - - [03/Aug/2010:05:58:41 +0100] "GET / HTTP/1.1" 200 1155 "-" "-"
localhost||||1155||||87.194.131.22 - - [03/Aug/2010:06:03:41 +0100] "GET / HTTP/1.1" 200 1155 "-" "-"
localhost||||1155||||87.194.131.22 - - [03/Aug/2010:06:08:41 +0100] "GET / HTTP/1.1" 200 1155 "-" "-"
localhost||||1155||||87.194.131.22 - - [03/Aug/2010:06:13:41 +0100] "GET / HTTP/1.1" 200 1155 "-" "-"
localhost||||1155||||87.194.131.22 - - [03/Aug/2010:06:18:41 +0100] "GET / HTTP/1.1" 200 1155 "-" "-"
localhost||||1155||||87.194.131.22 - - [03/Aug/2010:06:23:42 +0100] "GET / HTTP/1.1" 200 1155 "-" "-"
localhost||||1155||||87.194.131.22 - - [03/Aug/2010:06:28:41 +0100] "GET / HTTP/1.1" 200 1155 "-" "-"

Or are these normal? I have not seen them before until this week.

Kieron

falko 4th August 2010 17:25

Is 87.194.131.22 an IP address you know? Is it the server's IP?

kieron 4th August 2010 20:45

Hi

No, sorry, this IP is my external IP from the ISP, not my server's internal IP.

I have disabled NAT loopback on the router and they have stopped, so I will leave it like that for now.

# nat loopback (access external IP from inside):

ip config natloopback=disabled

Thx again for your reply
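
Added example, not code from anyone in this thread: a log triage script that separates the two patterns discussed above, a burst of 404s across many `setup.php` paths (scanner) versus one client fetching the same path at a fixed interval (the 5-minute `GET /` requests). The thresholds (`min_hits`, `max_jitter`, the 80% 404 ratio) are assumptions, and the sample lines are constructed with documentation IP addresses.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Layout seen in the thread: vhost||||bytes||||<Apache combined log entry>
LINE = re.compile(
    r'^[^|]*\|{4}\d+\|{4}(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$')

def parse(lines):
    """Yield one dict per well-formed entry; malformed lines are skipped."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec

def classify(lines, min_hits=5, max_jitter=5.0):
    """Map client IP -> 'scanner' (404 burst, many paths) or 'periodic'."""
    by_ip = defaultdict(list)
    for rec in parse(lines):
        by_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        if len(recs) < min_hits:
            continue  # too few requests to judge
        recs.sort(key=lambda r: r["ts"])
        paths = {r["path"] for r in recs}
        misses = sum(r["status"] == "404" for r in recs)
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        if misses / len(recs) >= 0.8 and len(paths) >= min_hits:
            report[ip] = "scanner"
        elif len(paths) == 1 and min(gaps) >= 60 and pstdev(gaps) <= max_jitter:
            report[ip] = "periodic"  # same path, near-constant interval
    return report

# Constructed sample in the same layout (documentation IPs, not the thread's).
SAMPLE = [
    f'localhost||||1155||||198.51.100.7 - - [03/Aug/2010:05:{m:02d}:41 +0100] '
    '"GET / HTTP/1.1" 200 1155 "-" "-"' for m in range(3, 33, 5)
] + [
    f'localhost||||405||||203.0.113.9 - - [02/Aug/2010:22:22:{10 + i} +0100] '
    f'"GET /{d}/scripts/setup.php HTTP/1.1" 404 405 "-" "Mozilla/5.0"'
    for i, d in enumerate(["PMA", "pma", "mysql", "dbadmin", "myadmin", "db"])
]

if __name__ == "__main__":
    print(classify(SAMPLE))
```

An address flagged `periodic` that turns out to be your own WAN or LAN address points at something inside the network (a monitor, cron job or router health check) rather than an outside scanner.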

