0

Below is a copy of a weird access log I found in my Apache logs folder:

127.0.0.1 - - [24/Oct/2010:13:49:45 +0200] "GET /x64 HTTP/1.1" 301 229
127.0.0.1 - - [24/Oct/2010:13:49:48 +0200] "GET /x64/ HTTP/1.1" 200 268
127.0.0.1 - - [24/Oct/2010:13:49:52 +0200] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [24/Oct/2010:13:50:19 +0200] "GET /x64/www.blackdot.be/ HTTP/1.1" 302 208
127.0.0.1 - - [24/Oct/2010:13:50:28 +0200] "GET /favicon.ico HTTP/1.1" 404 209

Why is this even there? I've looked up 'www.blackdot.be' and it's some German site that I've never even seen before, let alone ever tried to connect to!

Is this some security risk? -- FYI: I'm running WAMP v2.1e (32bit)

There's also a mod_jk log (I've never used this mod!!), which is clearly linked to the access log judging by the timestamps:

[Sun Oct 24 13:49:28.665 2010] [524:1060] [info] init_jk::mod_jk.c (3183): mod_jk/1.2.28 initialized
[Sun Oct 24 13:49:29.008 2010] [524:1060] [info] init_jk::mod_jk.c (3183): mod_jk/1.2.28 initialized
[Sun Oct 24 13:49:30.024 2010] [2676:1992] [info] init_jk::mod_jk.c (3183): mod_jk/1.2.28 initialized
[Sun Oct 24 13:49:31.008 2010] [2676:1992] [info] init_jk::mod_jk.c (3183): mod_jk/1.2.28 initialized

Can anyone explain these logs to me please?

Note: I'm only using WAMP here as a local development server, it is not hosting any live sites and should have no live access!!

Chris

2 Answers

0

No, it is not a security risk. Apache answers, as expected, that there are no such files.

But it can be a security hole indicator. I assume that the host is a Windows machine. Could it be that there is a virus/Trojan on that machine that tries to connect everywhere, and by chance locates your server and is responsible for the log entries?

More to that. www.blackdot.be is a Belgian site offering custom compiled Apache binaries for x64 Windows machines. That is where you got your binaries from, right?

mailq
  • By the way: Why are these entries from October last year? – mailq Aug 02 '11 at 11:51
  • I have run full AV scans with AVG and MSE which haven't found anything. But I agree that it could point to a potential Trojan / Backdoor. As for the dates I'm not sure, I didn't install WAMP until this year! Could they be test logs from the machine that the WAMP package was compiled on? – Chris Aug 02 '11 at 12:00
  • So IF your clock is set to the current date, and IF you see no current log entries, then they are too old to care about. Your last assumption is true then. – mailq Aug 02 '11 at 12:16
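The check discussed in the comments above (are these entries older than the installation, and who made the requests?) can be scripted. This is an added example, not part of the original thread: it parses the access-log lines from the question, reports any non-loopback client addresses, and tests whether the newest entry predates an install date. `ASSUMED_INSTALL` is an assumption, since the question only says WAMP was installed "this year".

```python
import ipaddress
import re
from datetime import datetime, timezone

# The five access-log lines quoted in the question.
SAMPLE = """\
127.0.0.1 - - [24/Oct/2010:13:49:45 +0200] "GET /x64 HTTP/1.1" 301 229
127.0.0.1 - - [24/Oct/2010:13:49:48 +0200] "GET /x64/ HTTP/1.1" 200 268
127.0.0.1 - - [24/Oct/2010:13:49:52 +0200] "GET /favicon.ico HTTP/1.1" 404 209
127.0.0.1 - - [24/Oct/2010:13:50:19 +0200] "GET /x64/www.blackdot.be/ HTTP/1.1" 302 208
127.0.0.1 - - [24/Oct/2010:13:50:28 +0200] "GET /favicon.ico HTTP/1.1" 404 209
"""
# Assumed install date: the question only says "this year" (2011).
ASSUMED_INSTALL = datetime(2011, 1, 1, tzinfo=timezone.utc)

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                 r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$')

def parse(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = CLF.match(line.strip())
        if m:
            e = m.groupdict()
            e["time"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
            entries.append(e)
    return entries

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a hostname, not an IP literal: treat as remote
        return False

def triage(entries, installed_on):
    """Summarise who made the requests and whether they predate the install."""
    last = max((e["time"] for e in entries), default=None)
    remote = {e["host"] for e in entries if not is_loopback(e["host"])}
    return {
        "count": len(entries),
        "remote_clients": sorted(remote),
        "last": last,
        "predates_install": last is not None and last < installed_on,
    }

if __name__ == "__main__":
    print(triage(parse(SAMPLE), ASSUMED_INSTALL))
```
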
0
  1. Your firewall is not doing its job.
  2. If you don't use Apache httpd with Tomcat, you can safely disable mod_jk.
  3. Don't run production systems on a WAMP package; configure all the software manually. There are hardly any security measures enabled in it by default.
Hubert Kario
  • I'm not running a production environment, this is just a development server running on my Windows 7 desktop at work. But I appreciate the good advice. – Chris Aug 02 '11 at 12:02