```
68.96.87.214 - - [07/Aug/2013:21:29:25 +0000] "GET /HNAP1/ HTTP/1.1" 403 501 "*************" "Mozilla/4.0 (compatible; Opera/3.0; Windows 4.10) 3.51 [en]"
177.47.105.41 - - [07/Aug/2013:21:57:26 +0000] "POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 403 476 "-" "-"
193.111.139.189 - - [08/Aug/2013:00:33:26 +0000] "GET /oly/hello.php?i=list&b=oly_living HTTP/1.1" 403 497 "-" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0);(b:2600;c:INT-3360;l:09)"
176.61.139.107 - - [08/Aug/2013:03:57:55 +0000] "GET http://37.28.156.211/sprawdza.php HTTP/1.1" 403 533 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
54.227.95.204 - - [08/Aug/2013:11:44:16 +0000] "HEAD / HTTP/1.1" 403 182 "http://www.netcraft.com/survey/" "Mozilla/4.0 (compatible; Netcraft Web Server Survey)"
```

This came out of apache2 access_log. I do not know what to make of this. Should I be concerned?

Aaron Copley
Gasim

1 Answer


Yes, probably. That long string of data is an encoded URL. I decoded it for you at http://meyerweb.com/eric/tools/dencoder/.

```
/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -n
```

Are you running Plesk?

Aaron Copley
  • No, I'm stopping my server completely for this. – Gasim Aug 08 '13 at 18:39
  • I am not using Plesk but going to download it right now for future. What should I do about the problem I have right now? Any sort of advice would be appreciated. – Gasim Aug 08 '13 at 18:41
  • If you aren't running Plesk, don't worry about it. It was a drive-by check to see if your server was vulnerable. Your server responded with 403, anyway. (Forbidden) – Aaron Copley Aug 08 '13 at 18:42
  • Why would you download Plesk now? For the future? Do you know what it is? – Aaron Copley Aug 08 '13 at 18:42
  • OMG, I'm stupid. I just read about it. I just freaked out that this got into my access.log and I thought they got something out of my webserver. – Gasim Aug 08 '13 at 18:45
  • Can you tell me what the numbers 476, 497, 533, and 182 are? I just want to know: did they receive anything about my server? – Gasim Aug 08 '13 at 18:54
  • [Size of the response.](http://httpd.apache.org/docs/2.0/logs.html) You can make the same request they did to see how it responds. – Aaron Copley Aug 08 '13 at 19:02
  • Alright. I realized that the responses are all the same, about 403s. They get information plus their length of the response and browser info. – Gasim Aug 08 '13 at 20:05
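
The decoding step from the answer and the status/size check from the comments can be done in one pass over the log. The script below is an added example, not part of the original posts; the function name `analyze` and the flag names are hypothetical, and the three sample lines are copied from the question's log.

```python
import re
from urllib.parse import unquote_plus

# Apache combined format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# "-d name=value" php.ini overrides, as seen in the decoded request on this page
PHP_DIRECTIVE_RE = re.compile(r'(?:^|\s)-d\s+([\w.]+)=')

def analyze(line):
    """Decode one access-log line; return None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = m.group("target")
    decoded = unquote_plus(raw)          # %XX -> character, '+' -> space
    query = decoded.partition("?")[2]
    escapes = len(re.findall(r"%[0-9A-Fa-f]{2}", raw))
    size = m.group("size")
    return {
        "host": m.group("host"),
        "decoded": decoded,
        "status": int(m.group("status")),
        "size": 0 if size == "-" else int(size),   # response size in bytes
        "php_directives": PHP_DIRECTIVE_RE.findall(query),
        # each escape is 3 characters; flag targets that are mostly escapes
        "mostly_encoded": escapes * 3 * 2 > len(raw),
        # absolute URL in the request line is a proxy-style request
        "proxy_style": raw.lower().startswith(("http://", "https://")),
        "served": m.group("status").startswith("2"),
    }

# Three lines copied from the question's access_log
SAMPLE = [
    '177.47.105.41 - - [07/Aug/2013:21:57:26 +0000] "POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 403 476 "-" "-"',
    '176.61.139.107 - - [08/Aug/2013:03:57:55 +0000] "GET http://37.28.156.211/sprawdza.php HTTP/1.1" 403 533 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"',
    '54.227.95.204 - - [08/Aug/2013:11:44:16 +0000] "HEAD / HTTP/1.1" 403 182 "http://www.netcraft.com/survey/" "Mozilla/4.0 (compatible; Netcraft Web Server Survey)"',
]

if __name__ == "__main__":
    for entry in filter(None, map(analyze, SAMPLE)):
        flags = [k for k in ("mostly_encoded", "proxy_style", "served") if entry[k]]
        print(entry["host"], entry["status"], entry["size"], flags)
        print("   ", entry["decoded"])
        for name in entry["php_directives"]:
            print("    php.ini override attempted:", name)
```

A line that comes back with `served` set and a non-empty `php_directives` list is the case that needs follow-up; every line in the question's log was answered with 403.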