Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What is the possible ^null$ exploit reported by LogWatch?

LogWatch is a nice tool that provides daily reports on linux log files. It includes several information summaries, like traffic, users who logged in, who used sudo, relevant kernel messages, IPs that probed the server, search engines that probed your apache, etc...

One section includes IP addresses that used known exploits attempts to hack your server. They didn't necessarily succeed, but they are listed in the report anyway for knowledge. This is what it looks like.

Attempts to use known hacks by 4 hosts were logged 4 time(s) from:
   187.13.156.179: 1 Time(s)
      ^null$ 1 Time(s) 
   187.60.121.62: 1 Time(s)
      ^null$ 1 Time(s) 
   189.123.240.18: 1 Time(s)
      ^null$ 1 Time(s) 
   189.70.214.124: 1 Time(s)
      ^null$ 1 Time(s) 

My question is what exactly is this ^null$ attack? I've tried googling this, but nothing relevant seems to show up.

like image 824
JulioHM Avatar asked Apr 06 '13 14:04

JulioHM


People also ask

What is logwatch?

Logwatch is a powerful and versatile log parser and analyzer. Logwatch is designed to give a unified report of all activity on a server, which can be delivered through the command line or email. Install logwatch .

What are the different areas of configuration for logwatch?

Within these directories, there are several areas of configuration. The logwatch. conf files are where most of the high-level settings are, which allow you to set where your reports are sent, how they are formatted, etc. The conf file at /usr/share/logwatch/default. conf/logwatch. conf contains all the default settings and comments on what they do.

Why can’t I view systemd journal in logwatch?

Older versions of Logwatch do not support querying the systemd journal directly. For this reason, a logger like syslog-ng is required to duplicate the journal output into external log files (such as in /var/log). A patch is under development to support the systemd journal.

How can I get logwatch messages delivered by email?

Note that if you want logwatch messages delivered by email, you need to install a package that provides a sendmail frontend. Postfix is a good choice.


3 Answers

This is usually not something to worry about - it isn't necessarily an actual attack. The ^null$ "attack" is simply a client connection terminating without sending any HTTP request (i.e. a connection is established to your web server, but no request is received).

If you had multiple attempts on your server from a single IP, or many ^null$ entries per IP, then you may have evidence of a concerted attempt. As it is, I would suggest you can safely ignore the example log you've given above.

like image 110
Colonel Panic Avatar answered Nov 16 '22 02:11

Colonel Panic


It's interesting to note that Heartbleed probing translates into such warnings from LogWatch:

Attempts to use known hacks by 1 hosts were logged 1 time(s) from: 54.82.203.167: 1 Time(s) ^null$ 1 Time(s)

The corresponding Apache SSL log entry is:

XXXXXX:443 54.82.203.167 - - [10/Apr/2014:00:19:45 +0200] "quit" 301 1313 "-" "-"

(using http://filippo.io/Heartbleed/)

like image 25
2072 Avatar answered Nov 16 '22 02:11

2072


Several types of monitoring services will make this go off as well; for example uptimerobot.com:

Attempts to use known hacks by 10 hosts were logged 107 time(s) from: 74.86.158.106: 91 Time(s) ^null$ 91 Time(s)

74.86.158.106 - - [09/Feb/2015:01:09:54 -0500] "GET / HTTP/1.1" 200 17896 "-" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"

74.86.158.106 - - [09/Feb/2015:01:10:47 -0500] "HEAD / HTTP/1.1" 200 - "-" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"

Certain types of failover applications would likely set it off as well, like heartbeat and ldirectord (depending on their configuration).

like image 30
Josh Wieder Avatar answered Nov 16 '22 01:11

Josh Wieder