Strange domlogs files for apache?
Are these hack attempts? For example, normal files look like:
-rw-r----- 2 root valery 340K Jan 11 11:39 albrighttrail.com.valery.e....ca
-rw-r----- 1 root root 858 Jan 11 11:39 albrighttrail.com.valery.e...a-bytes_log
-rw-r----- 2 root valery 177K Jan 11 11:39 albrighttrail.com.valery.....ca-ssl_log
-rw-r----- 2 root scottg 416K Jan 11 08:35 altutadesign.com.scott...osting.ca
-rw-r----- 1 root root 1.3K Jan 11 11:39 altutadesign.com.scott...ing.ca-bytes_log
-rw-r----- 2 root scottg 2.4M Jan 11 11:39 altutadesign.com.scott...sting.ca-ssl_log
Yet I got like hundreds:
-rw-r----- 1 root root 3.7K Nov 26 10:07 perenni2525252525...52525252525252525252525252525253Bfindplant
-rw-r----- 1 root root 2.4K Nov 26 09:42 perenni.36
-rw-r----- 1 root root 2.7K Nov 26 09:42 perenni36
-rw-r----- 1 root root 2.2K Nov 26 09:42 perenni37.36
and the like. Any idea how these files are created and why?
-
The content of the files is like log overflow:
OS 17_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/21G93 Instagram 344.0.9.27.90 (iPhone16,1; iOS 17_6_1; en_CA; en-CA; scale=3.00; 1179x2556; 631222391; IABMV/1)"
OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Mobile/15E148 Safari/604.1"0 -
Hey there! I can't say that I've seen username.## files in the access logs before, so I can't say for sure what those may be. The tool that we run automatically when we log in to servers in our ticket system attempts to detect many common intrusions if you wanted to try running that:
curl -s https://ssp.cpanel.net/run | sh
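A triage helper for the listing in the question, as an added example that is not part of the thread or of cPanel's tooling: it assumes a normal per-domain log is named like a hostname, optionally with the `-ssl_log` or `-bytes_log` suffix seen above, and prints every other regular file in the directory you pass in. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: list log-directory entries whose names are not hostname-shaped.
# Assumption (from the listing in the thread): a normal per-domain log is named
# <hostname>, <hostname>-ssl_log or <hostname>-bytes_log.

# is_hostname_log NAME -> exit 0 if NAME looks like a per-domain log name
is_hostname_log() {
    name=$1
    # Drop the two suffixes that appear in the thread's listing.
    case $name in
        *-ssl_log)   name=${name%-ssl_log} ;;
        *-bytes_log) name=${name%-bytes_log} ;;
    esac
    # A hostname is at most 253 characters long.
    [ "${#name}" -le 253 ] || return 1
    # Two or more dot-separated labels of letters, digits and hyphens, ending
    # in an alphabetic TLD. "perenni.36" fails on its numeric last label.
    printf '%s\n' "$name" |
        grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
}

# odd_domlogs DIR -> print the name of each regular file in DIR failing the check
odd_domlogs() {
    dir=$1
    for path in "$dir"/*; do
        [ -f "$path" ] || continue      # skip subdirectories and an empty glob
        base=${path##*/}
        is_hostname_log "$base" && continue
        printf '%s\n' "$base"
    done
}

# Stand-alone use: sh this_script.sh /path/to/domlogs
if [ "$#" -gt 0 ]; then
    odd_domlogs "$1"
fi
```

Other non-domain files that legitimately live in the same directory are listed too, so the output is a review list to compare against the accounts and domains on the server.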