Apache (XAMPP 1.8.0) access.log/Intrusion Detection Concern
Posted
by
Andy Holaday
on Pro Webmasters
See other posts from Pro Webmasters
or by Andy Holaday
Published on 2012-06-27T00:05:15Z
Indexed on
2012/06/27
3:23 UTC
Read the original article
Hit count: 401
[I originally posted on SO but it earned me a Tumbleweed badge. This looks like a better venue for the question.]
I have Apache (XAMPP 1.8.0) running on Vista Pro x64. A couple times now I have seen a pattern like the example below in access.log. Concerning is the "attack" seems to somehow shift from a public IP to a valid private IP on my network (happens to be the WAN address of one of my routers).
Two questions: How is this possible, and what happens if the "attacker" stumbles on a valid request?
I've googled this to no avail.
177.0.X.X - - [03/Jun/2012:08:19:34 -0400] "GET /phpMyAdmin-2.5.4/index.php HTTP/1.1" 403
177.0.X.X - - [03/Jun/2012:08:19:34 -0400] "GET /phpMyAdmin-2.5.5-rc1/index.php HTTP/1.1" 403
177.0.X.X - - [03/Jun/2012:08:19:34 -0400] "GET /phpMyAdmin-2.2.6/index.php HTTP/1.1" 403
177.0.X.X - - [03/Jun/2012:08:19:34 -0400] "GET /phpMyAdmin-2.5.5-rc2/index.php HTTP/1.1" 403
192.168.15.3 - - [03/Jun/2012:08:19:56 -0400] "GET /phpMyAdmin-2.5.6-rc2/index.php HTTP/1.1" 403
177.0.X.X - - [03/Jun/2012:08:19:56 -0400] "GET /phpMyAdmin-2.5.6-rc1/index.php HTTP/1.1" 403
177.0.X.X - - [03/Jun/2012:08:19:56 -0400] "GET /phpMyAdmin-2.5.5-pl1/index.php HTTP/1.1" 403
192.168.15.3 - - [03/Jun/2012:08:19:59 -0400] "GET /phpMyAdmin-2.5.7/index.php HTTP/1.1" 403
192.168.15.3 - - [03/Jun/2012:08:20:01 -0400] "GET /phpMyAdmin-2.5.7-pl1/index.php HTTP/1.1" 403
192.168.15.3 - - [03/Jun/2012:08:20:02 -0400] "GET HTTP/1.1" 400 1060 "-" "-"
© Pro Webmasters or respective owner
