Stonecold1995
February 5th, 2013, 07:37 AM
2013 Feb 04 21:16:37 Rule Id: 1002 level: 2
Location: kubuntu->ossec-keepalive
Src IP: : Ze@rIdr2kFxJ3ZK/EfQ2L66FATalB62[sHl0K*!UqbM)0-z/,^0+.A8#Br=2=TeXIqrBb]Dr,^Teo(QkkkNV;3B7_6*t7+&kfPLUKwuV-(5O$9GKeV$tGa[wze^%.(78gV%B,Q-A&e^fvp.aZt]DSN1%'NP1bT=&.+oxn6gs]!39.IrejmIjid=P/+k?IP^F(.k?m55hJCysz&7x5z!hwT[i?SVlru6iX?K^.*ZhZd%H).max=VbKPY=QnQ7IryN48w19tTyu Mwgs1*Qj$1Q'PgjlDPRi8/?9va10U68NP^oZi4q-zoxwuHHfEGngEmyZ1'7pZKlX7z4(D#O_]-TtDrKh(.Lcg(TWUPt@8#eKs%@eUt;.j'r[k1PKg[Mn#?
Unknown problem somewhere in the system.
** Alert 1360041661.120034: - web,accesslog,
2013 Feb 04 21:21:01 kubuntu->/var/log/apache2/access.log
Rule: 31101 (level 5) -> 'Web server 400 error code.'
Src IP: 127.0.0.1
127.0.0.1 - - [04/Feb/2013:21:21:00 -0800] "GET /announce?peer_id=[removed]&port=6881&uploaded=0&downloaded=0&left=7864320&compact=1&numwant=200&key=[removed]&event=started&info_hash=[removed] HTTP/1.1" 404 489 "-" "KTorrent/4.3.0"
I'm not sure what this is, but this appeared in OSSEC's web interface. I cut off random parts of it in case it has any sensitive information. But why is the source IP a bunch of seemingly random symbols?
Also, in general OSSEC seems to be getting a LOT of errors, like many lines of "Web server 400 error", etc., and Apache saying "common web attack" but from localhost.
Does anyone else here using OSSEC have these problems?