Apache (XAMPP 1.8.0) access.log/Intrusion Detection Concern

Posted by Andy Holaday on Pro Webmasters See other posts from Pro Webmasters or by Andy Holaday
Published on 2012-06-27T00:05:15Z Indexed on 2012/06/27 3:23 UTC
Read the original article Hit count: 426

Filed under:
|
|

[I originally posted on SO but it earned me a Tumbleweed badge. This looks like a better venue for the question.]

I have Apache (XAMPP 1.8.0) running on Vista Pro x64. A couple times now I have seen a pattern like the example below in access.log. Concerning is the "attack" seems to somehow shift from a public IP to a valid private IP on my network (happens to be the WAN address of one of my routers).

Two questions: How is this possible, and what happens if the "attacker" stumbles on a valid request?

I've googled this to no avail.

177.0.X.X - - [03/Jun/2012:08:19:34 -0400] "GET /phpMyAdmin-2.5.4/index.php HTTP/1.1" 403 
177.0.X.X - - [03/Jun/2012:08:19:34 -0400] "GET /phpMyAdmin-2.5.5-rc1/index.php HTTP/1.1" 403 
177.0.X.X - - [03/Jun/2012:08:19:34 -0400] "GET /phpMyAdmin-2.2.6/index.php HTTP/1.1" 403 
177.0.X.X - - [03/Jun/2012:08:19:34 -0400] "GET /phpMyAdmin-2.5.5-rc2/index.php HTTP/1.1" 403 
192.168.15.3 - - [03/Jun/2012:08:19:56 -0400] "GET /phpMyAdmin-2.5.6-rc2/index.php HTTP/1.1" 403 
177.0.X.X - - [03/Jun/2012:08:19:56 -0400] "GET /phpMyAdmin-2.5.6-rc1/index.php HTTP/1.1" 403 
177.0.X.X - - [03/Jun/2012:08:19:56 -0400] "GET /phpMyAdmin-2.5.5-pl1/index.php HTTP/1.1" 403 
192.168.15.3 - - [03/Jun/2012:08:19:59 -0400] "GET /phpMyAdmin-2.5.7/index.php HTTP/1.1" 403 
192.168.15.3 - - [03/Jun/2012:08:20:01 -0400] "GET /phpMyAdmin-2.5.7-pl1/index.php HTTP/1.1" 403 
192.168.15.3 - - [03/Jun/2012:08:20:02 -0400] "GET  HTTP/1.1" 400 1060 "-" "-"

© Pro Webmasters or respective owner

Related posts about apache

Related posts about logging