I found the following entries in my Apache weblogs:
218.47.93.60 - - [20/Jul/2004:11:08:20 -0400] "POST /stat/news/2003/2/34826.phtml HTTP/1.0" 401 5402 "http://www.statpub.com/stat/news/2003/2/index.html" "Mozilla/4.0 (compatible; MSIE 6.0; Win32)"
218.47.93.60 - - [20/Jul/2004:11:08:30 -0400] "POST /stat/news/2003/2/34826.phtml HTTP/1.0" 401 5402 "http://www.statpub.com/stat/news/2003/2/index.html" "Mozilla/4.0 (compatible; MSIE 6.0; Win32)"
These look to me like attempts to hack the website because "POST" is not the normal way to access articles and there is no index page at the location sought by the individual.
I am also troubled by the "401 5402" which suggests they succeeded in getting a page with 5402 bytes. The actual page "34826.phtml" is not this specific size when transmitted.
Has anyone seen this? Is there a way to figure out if this resulted in an intrusion?
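One way to triage entries like these, as an added example that is not part of the original post: in Apache's combined log format the number after the quoted request is the HTTP status code and the next is the response size in bytes, so the script below parses each line and reports, per client, which requests were denied (401/403) and whether the same client later received a 2xx for a path it had been denied. The function names and the two 192.0.2.10 lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# The first two lines are the entries from the post; the 192.0.2.10 lines are constructed.
SAMPLE = [
    '218.47.93.60 - - [20/Jul/2004:11:08:20 -0400] "POST /stat/news/2003/2/34826.phtml HTTP/1.0" 401 5402 "http://www.statpub.com/stat/news/2003/2/index.html" "Mozilla/4.0 (compatible; MSIE 6.0; Win32)"',
    '218.47.93.60 - - [20/Jul/2004:11:08:30 -0400] "POST /stat/news/2003/2/34826.phtml HTTP/1.0" 401 5402 "http://www.statpub.com/stat/news/2003/2/index.html" "Mozilla/4.0 (compatible; MSIE 6.0; Win32)"',
    '192.0.2.10 - - [20/Jul/2004:11:09:00 -0400] "GET /stat/news/2003/2/34826.phtml HTTP/1.0" 401 5402 "-" "ExampleAgent/1.0"',
    '192.0.2.10 - alice [20/Jul/2004:11:09:05 -0400] "GET /stat/news/2003/2/34826.phtml HTTP/1.0" 200 18230 "-" "ExampleAgent/1.0"',
]

def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])                       # HTTP status code, e.g. 401
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])  # bytes sent in the response
    return rec

def triage(lines):
    """Group by client: denied requests, and 2xx responses for a path denied earlier."""
    hosts = defaultdict(lambda: {"denied": [], "granted_after_denial": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines deserve a manual look; skipped here
        entry = hosts[rec["host"]]
        if rec["status"] in (401, 403):
            entry["denied"].append((rec["method"], rec["path"]))
        elif 200 <= rec["status"] < 300 and rec["path"] in {p for _, p in entry["denied"]}:
            # The user field shows which account authenticated, if any.
            entry["granted_after_denial"].append((rec["method"], rec["path"], rec["user"]))
    return dict(hosts)

if __name__ == "__main__":
    for host, entry in triage(SAMPLE).items():
        print(host, "denied:", len(entry["denied"]), "granted after denial:", entry["granted_after_denial"])
```

Run against the full access log, a client with only `denied` entries never got past the authentication check; a `granted_after_denial` entry is the case to follow up by checking the authenticated user name and the matching error log lines.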