
LogWatch is a nice tool that provides daily reports on Linux log files. It includes several information summaries, like traffic, users who logged in, who used sudo, relevant kernel messages, IPs that probed the server, search engines that probed your Apache, etc.

One section includes IP addresses that used known exploit attempts to hack your server. They didn't necessarily succeed, but they are listed in the report anyway for knowledge. This is what it looks like:

Attempts to use known hacks by 4 hosts were logged 4 time(s) from:
   187.13.156.179: 1 Time(s)
      ^null$ 1 Time(s) 
   187.60.121.62: 1 Time(s)
      ^null$ 1 Time(s) 
   189.123.240.18: 1 Time(s)
      ^null$ 1 Time(s) 
   189.70.214.124: 1 Time(s)
      ^null$ 1 Time(s) 

My question is what exactly is this ^null$ attack? I've tried googling this, but nothing relevant seems to show up.

JulioHM
  • Have you figured this out yet? I am having the same issue. I'm having 200+ attempts every day. Noticed this after I installed logwatch. I have also installed fail2ban and my ssh is on a random port too. I am not finding anywhere what sort of attack this is. Please help – Yashvit May 05 '13 at 15:27
  • Not yet. I [posted a question on their help forum](http://sourceforge.net/projects/logwatch/forums/forum/1115929/topic/8164121), but no one has given any response to it. Still waiting. – JulioHM May 16 '13 at 16:08
  • ^ would mean beginning of line and $ would mean end of line if we are talking about a regex. Perhaps it means that the attacker is just sending 1 single null character. What log is this appearing in? Does it tell you what service it triggered from? – cogsmos May 17 '13 at 03:48
  • It shows up in the httpd report section. So I'm pretty sure it's analyzing apache logs to find these. I've searched through apache logs myself, but I can't find any references to a "null" string. But you are right, this definitely looks like a regexp attack of some sort. – JulioHM Jun 01 '13 at 17:56
  • So, to answer Yash above here. The [Logwatch forum](http://sourceforge.net/projects/logwatch/forums/forum/1115929/topic/8164121) has answered the question referring to a wikipedia article that might help. – JulioHM Jun 01 '13 at 18:02

3 Answers


This is usually not something to worry about - it isn't necessarily an actual attack. The ^null$ "attack" is simply a client connection terminating without sending any HTTP request (i.e. a connection is established to your web server, but no request is received).

If you had multiple attempts on your server from a single IP, or many ^null$ entries per IP, then you may have evidence of a concerted attempt. As it is, I would suggest you can safely ignore the example log you've given above.

Colonel Panic
  • Would that be the same as a SYN sweep? Could be tested easily with netcat: nc -zvw5 hostname 80 – cogsmos May 19 '13 at 05:08
  • A SYN sweep could be responsible for the warning, but it is not the only explanation. If this is a concern, I would suggest installing a more full-featured Intrusion Detection System; this would likely catch a proper SYN sweep, as well as being able to detect subsequent actions taken against the server. – Colonel Panic May 19 '13 at 21:04
  • I was just wondering for my own curiosity. If that is the case then the netcat command I provided would output that log message. – cogsmos May 20 '13 at 15:23
  • The report always includes half a dozen, or a dozen tops, every day. So I guess there's nothing to worry about. Thanks for the reply! On a side note, I had a question posted to the [Logwatch Help forum](http://sourceforge.net/projects/logwatch/forums/forum/1115929/topic/8164121) and they referred to a [wikipedia article](http://hakipedia.com/index.php/Poison_Null_Byte#Perl_PHP_Null_Byte_Injection) that might give more details about similar attacks. – JulioHM Jun 01 '13 at 18:00

It's interesting to note that Heartbleed probing translates into such warnings from LogWatch:

Attempts to use known hacks by 1 hosts were logged 1 time(s) from: 54.82.203.167: 1 Time(s) ^null$ 1 Time(s)

The corresponding Apache SSL log entry is:

XXXXXX:443 54.82.203.167 - - [10/Apr/2014:00:19:45 +0200] "quit" 301 1313 "-" "-"

(using http://filippo.io/Heartbleed/)

2072

Several types of monitoring services will make this go off as well; for example uptimerobot.com:

Attempts to use known hacks by 10 hosts were logged 107 time(s) from: 74.86.158.106: 91 Time(s) ^null$ 91 Time(s)

74.86.158.106 - - [09/Feb/2015:01:09:54 -0500] "GET / HTTP/1.1" 200 17896 "-" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"

74.86.158.106 - - [09/Feb/2015:01:10:47 -0500] "HEAD / HTTP/1.1" 200 - "-" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"

Certain types of failover applications would likely set it off as well, like heartbeat and ldirectord (depending on their configuration).

Josh Wieder
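The accepted answer's advice (a few ^null$ entries per IP are noise, many from one IP deserve a look) and the later answers (monitoring services and Heartbleed-style probes produce the same report line) both come down to the same triage step: parse the Apache access log, separate empty or malformed request lines from known monitors, and count per source IP. The script below is an added example, not LogWatch's own code or logic; the log format regex, the classification rules, the monitor user-agent list and the threshold are assumptions, and the sample log lines are constructed (RFC 5737 addresses) to mirror the shapes quoted in the answers.

```python
"""Triage Apache access-log entries of the kind LogWatch reports as ^null$.

Added example (not LogWatch's code). Parses combined-format lines, classifies
each request, and summarises per source IP so that a handful of empty
connections can be told apart from one address hammering the server.
"""
import re
from collections import Counter, defaultdict

# Apache combined log format; an optional "vhost:port " prefix is tolerated
# because the SSL log line quoted in the Heartbleed answer uses that layout.
LOG_RE = re.compile(
    r'^(?:\S+:\d+\s+)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Request line of a well-formed HTTP request: METHOD SP target SP HTTP/x.y
REQUEST_LINE_RE = re.compile(r'^[A-Z]+ \S+ HTTP/\d\.\d$')

# User-agent markers of monitoring services that are known to open bare
# connections. uptimerobot.com is the one named on the page; this list is an
# assumption and should be extended for whatever monitors you actually use.
MONITOR_UA_MARKERS = ("UptimeRobot",)


def classify(entry):
    """Return 'monitor', 'empty', 'null_byte', 'malformed' or 'normal'."""
    request = entry["request"]
    if any(marker in entry["ua"] for marker in MONITOR_UA_MARKERS):
        return "monitor"
    if request in ("", "-"):
        return "empty"          # connection closed before any request arrived
    if "\\x00" in request or "%00" in request.lower():
        return "null_byte"      # poison-null-byte style payload in the target
    if not REQUEST_LINE_RE.match(request):
        return "malformed"      # e.g. the "quit" logged for a Heartbleed probe
    return "normal"


def parse_log(lines):
    """Yield one dict per parsable line; lines that do not match are skipped."""
    for line in lines:
        match = LOG_RE.match(line)
        if match:
            yield match.groupdict()


def summarize(lines):
    """Map source IP -> Counter of classifications."""
    per_ip = defaultdict(Counter)
    for entry in parse_log(lines):
        per_ip[entry["ip"]][classify(entry)] += 1
    return per_ip


def suspicious_ips(per_ip, threshold=5):
    """IPs with at least `threshold` hits that are neither normal nor a monitor."""
    flagged = {}
    for ip, counts in per_ip.items():
        odd = counts["empty"] + counts["null_byte"] + counts["malformed"]
        if odd >= threshold:
            flagged[ip] = odd
    return flagged


# Constructed sample log (addresses, timestamps and sizes are made up).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Apr/2014:00:19:45 +0200] "-" 408 - "-" "-"',
    'www.example.test:443 203.0.113.7 - - [10/Apr/2014:00:19:45 +0200] "quit" 301 1313 "-" "-"',
    '198.51.100.9 - - [09/Feb/2015:01:09:54 -0500] "GET / HTTP/1.1" 200 17896 "-" '
    '"Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"',
    '198.51.100.9 - - [09/Feb/2015:01:10:47 -0500] "HEAD / HTTP/1.1" 200 - "-" '
    '"Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"',
    '203.0.113.9 - - [09/Feb/2015:01:11:00 -0500] "GET /%00 HTTP/1.1" 404 210 "-" "curl/7.0"',
] + [
    '203.0.113.9 - - [09/Feb/2015:01:12:%02d -0500] "-" 408 - "-" "-"' % sec
    for sec in range(5)
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, counts in sorted(summary.items()):
        print(ip, dict(counts))
    print("flagged:", suspicious_ips(summary))
```

On the sample input the two single empty/odd connections and the UptimeRobot traffic stay below the threshold, while 203.0.113.9 (five empty connections plus one null-byte request) is flagged; pointing `summarize` at the real access log (`summarize(open("/var/log/apache2/access.log"))`) gives the same per-IP breakdown for the hosts LogWatch listed.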