[Logwatch] possible successful probe / null HTTP Response 200

Kit Gerrits kitgerrits at gmail.com
Thu Jun 21 10:28:41 MST 2007


I think the software assumes the log line is caused by a port scan or
something like it.
http://en.wikipedia.org/wiki/Port_scanner

If you're worried, take a good look at the logs from the Secure module.
  Lots of password failures are not the scary part. 
    Successful logins from unknown IPs are.


Regards,

Kit

> -----Original Message-----
> From: logwatch-bounces at logwatch.org 
> [mailto:logwatch-bounces at logwatch.org] On Behalf Of Andreas K. Huettel
> Sent: donderdag 21 juni 2007 15:05
> To: logwatch at logwatch.org
> Subject: [Logwatch] possible successful probe / null HTTP Response 200
> 
> 
> Dear List, 
> 
> today I found the following entry in my Logwatch report:
>  
>  --------------------- httpd Begin ------------------------ 
> 
>  
>  A total of 1 sites probed the server 
>     213.112.168.74
>  
>  !!!! 1 possible successful probes 
>     null HTTP Response 200 
>  
>  Requests with error response codes
> ...
> 
>  --------
> 
> Checking the httpd access_log file, I find the following two 
> lines, where the request seems to consist only of spaces:
> 
> 213.112.168.74 - - [20/Jun/2007:13:20:45 +0200] "             
>                              " 200 8754 "-" "-"
> 213.112.168.74 - - [20/Jun/2007:13:44:08 +0200] "             
>                              " 200 8754 "-" "-"
> 
> Is this something to worry about? Google / list archive do 
> not really provide useful information.
> 
> However, I can easily produce similar lines by telnetting to 
> the server on port 80, entering a lot of spaces and pressing enter...
> 
> Thanks for any clues,
> Andreas
> _______________________________________________
> Logwatch mailing list
> Logwatch at logwatch.org
> http://www2.list.logwatch.org:81/mailman/listinfo/logwatch
> 



More information about the Logwatch mailing list