LogWatch is a nice tool that provides daily reports on linux log files. It includes several information summaries, like traffic, users who logged in, who used sudo, relevant kernel messages, IPs that probed the server, search engines that probed your apache, etc...
One section includes IP addresses that used known exploits attempts to hack your server. They didn't necessarily succeed, but they are listed in the report anyway for knowledge. This is what it looks like.
Attempts to use known hacks by 4 hosts were logged 4 time(s) from:
187.13.156.179: 1 Time(s)
^null$ 1 Time(s)
187.60.121.62: 1 Time(s)
^null$ 1 Time(s)
189.123.240.18: 1 Time(s)
^null$ 1 Time(s)
189.70.214.124: 1 Time(s)
^null$ 1 Time(s)
My question is what exactly is this ^null$
attack? I've tried googling this, but nothing relevant seems to show up.
Logwatch is a powerful and versatile log parser and analyzer. Logwatch is designed to give a unified report of all activity on a server, which can be delivered through the command line or email. Install logwatch .
Within these directories, there are several areas of configuration. The logwatch. conf files are where most of the high-level settings are, which allow you to set where your reports are sent, how they are formatted, etc. The conf file at /usr/share/logwatch/default. conf/logwatch. conf contains all the default settings and comments on what they do.
Older versions of Logwatch do not support querying the systemd journal directly. For this reason, a logger like syslog-ng is required to duplicate the journal output into external log files (such as in /var/log). A patch is under development to support the systemd journal.
Note that if you want logwatch messages delivered by email, you need to install a package that provides a sendmail frontend. Postfix is a good choice.
This is usually not something to worry about - it isn't necessarily an actual attack. The ^null$
"attack" is simply a client connection terminating without sending any HTTP request (i.e. a connection is established to your web server, but no request is received).
If you had multiple attempts on your server from a single IP, or many ^null$
entries per IP, then you may have evidence of a concerted attempt. As it is, I would suggest you can safely ignore the example log you've given above.
It's interesting to note that Heartbleed probing translates into such warnings from LogWatch:
Attempts to use known hacks by 1 hosts were logged 1 time(s) from:
54.82.203.167: 1 Time(s)
^null$ 1 Time(s)
The corresponding Apache SSL log entry is:
XXXXXX:443 54.82.203.167 - - [10/Apr/2014:00:19:45 +0200] "quit" 301 1313 "-" "-"
(using http://filippo.io/Heartbleed/)
Several types of monitoring services will make this go off as well; for example uptimerobot.com:
Attempts to use known hacks by 10 hosts were logged 107 time(s) from: 74.86.158.106: 91 Time(s) ^null$ 91 Time(s)
74.86.158.106 - - [09/Feb/2015:01:09:54 -0500] "GET / HTTP/1.1" 200 17896 "-" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
74.86.158.106 - - [09/Feb/2015:01:10:47 -0500] "HEAD / HTTP/1.1" 200 - "-" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
Certain types of failover applications would likely set it off as well, like heartbeat and ldirectord (depending on their configuration).
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With