[CentOS] Interpreting logwatch

Wed Sep 8 12:42:39 UTC 2010
Giles Coochey <giles at coochey.net>

> 
> Every few days I see in the logwatch on my Centos-5.5 web-server what
> seems like a rather feeble break-in attempt.
> Eg today I see
> ---------------------------
>     403 Forbidden
>        /phpMyAdmin/scripts/setup.php: 2 Time(s)
>        /phpmyadmin/scripts/setup.php: 2 Time(s)
>     404 Not Found
>        /PMA2005/scripts/setup.php: 1 Time(s)
>        /TRAD_files/datestamp.js: 1 Time(s) ...
> ---------------------------
> followed by dozens of similar lines.
> 
> As far as I can see, the IP of the person making the attempt (if there was
> an attempt) is not given.
> 
> I'm not at all sure what if anything I should do about this.
> 

Logwatch is just an automated tool that runs a few checks on your log files.
The source IP is in your apache log files.

If you are concerned, you should check your log files for that IP and then
run a check on whether that IP appears elsewhere in any of your log files.

The likelihood is that someone ran a vulnerability scanner against all your
available services, logwatch found evidence of that vulnerability scan, and
you should check whether any other vulnerabilities were scanned for and
perhaps found...

To do that you should manually check your log files or use a better tool.
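As an added example, not from Giles's message or from any CentOS or logwatch tool, here is the check he describes written out as a small shell script: it pulls the client IPs out of the access_log lines that logwatch rolled up into the 403/404 counts for scripts/setup.php, then greps for those same IPs in the sshd log. Every log line, IP address and temp path in it is constructed for the example; the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original thread: pull the client IPs behind
# logwatch's "scripts/setup.php" lines out of an Apache combined-format access
# log, then look for those IPs in another log. Every log line, path and IP
# address below is constructed for the example; on CentOS 5 the real files
# are /var/log/httpd/access_log and /var/log/secure.

set -eu

WORK="${TMPDIR:-/tmp}/logwatch-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed access log, modelled on the paths in the logwatch report.
cat >"$WORK/access_log" <<'EOF'
198.51.100.7 - - [08/Sep/2010:12:01:10 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 403 286 "-" "-"
198.51.100.7 - - [08/Sep/2010:12:01:11 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 403 286 "-" "-"
198.51.100.7 - - [08/Sep/2010:12:01:12 +0000] "GET /PMA2005/scripts/setup.php HTTP/1.1" 404 291 "-" "-"
203.0.113.42 - - [08/Sep/2010:12:30:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.99 - - [08/Sep/2010:12:41:58 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 403 286 "-" "-"
EOF

# Constructed sshd log: did the same host also knock on SSH?
cat >"$WORK/secure" <<'EOF'
Sep  8 12:05:43 web sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51342 ssh2
Sep  8 12:05:47 web sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51342 ssh2
Sep  8 12:44:02 web sshd[2310]: Accepted publickey for giles from 203.0.113.42 port 40022 ssh2
EOF

# scanner_ips ACCESS_LOG
# Prints "COUNT IP", busiest first, for every client that requested a
# */scripts/setup.php path (the phpMyAdmin probe logwatch summarised).
# The client address is field 1 of the combined log format.
scanner_ips() {
    grep -E '"(GET|POST|HEAD) [^ ]*/scripts/setup\.php' "$1" \
        | awk '{print $1}' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# ip_elsewhere IP LOG...
# Prints every line of the given logs that mentions IP as a whole token,
# so 198.51.100.7 does not also match 198.51.100.71. Prints nothing, and
# still succeeds, when the IP is absent.
ip_elsewhere() {
    ip="$1"; shift
    grep -Fw -- "$ip" "$@" || true
}

# Tie the two together: for each scanning IP, show what else it touched.
scanner_ips "$WORK/access_log" | while read -r count ip; do
    echo "== $ip: $count setup.php request(s); other log lines:"
    ip_elsewhere "$ip" "$WORK/secure" | sed 's/^/   /'
done
```

To run it against a real box, point scanner_ips at /var/log/httpd/access_log and ip_elsewhere at /var/log/secure (and the other files under /var/log) as root. The reason the IP is missing from the report in the first place is that logwatch's http section summarises by status code and URL and drops the client field, so the access log itself is the only place it survives.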