"BillGates" Linux Botnet: where did it come from?

Just yesterday I read ValdikSS's article "Linux Botnet "BillGates"", and after reading it I wanted to tell where it came from.

Digression

The other day my boss brought her young son in to learn a thing or two, and since the prodigy was seeing a server OS for the first time, the kid ended up being taught on an old Ubuntu server with LAMP on board (Linux + Apache + MySQL + PHP). Luckily, it is the box where projects are tested before they are shown to the world.

After introductory lectures and a pile of handed-out paperwork, a new pseudo-user was created on the server, duly added to the SSH zoo and given the standard password "Thispasswordiscrypt". During the training the pseudo-user got tired of typing a long password and, without telling anyone, changed it to "fack_off". At that point we were covering backups of the database and, selectively, of the server, but for reasons known only to God, database restore would not work under his account. Without giving it much thought, I gave him elevated privileges. Now everything was OK and the boss was delighted. Since his mom was nearby and smoking was off limits, I was the only one going out for smoke breaks while he gnawed at the granite of science.

Climax

The next day the office plankton started filing tickets about a slow, or even completely dead, internet connection. I dug through everything but did not find the problem. Because the testers were running tests on the ill-fated server, I did not notice the process devouring the free resources. Toward evening, namely at lunchtime, when everyone is in a daze and doing nothing, I finally noticed the cause of the downfall of the worldwide global network called the Internet.

The first thing done was to check incoming and outgoing traffic.

Vnstat showed outgoing traffic, with the hourly filter, of 32 GB per hour. In total, 450 GB from 19:00 the previous day to 12:30 today.

When the internet connection was cut, the voracious process died too, but once it was restored everything went back to the way it was. Using netstat -A inet -n -p, the process generating the outgoing traffic was identified; it turned out to be Apache2. With it stopped, traffic dropped to 0; with it started, the whole channel was saturated again.
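The attribution step described above, as an added example that is not part of the original post: it groups `netstat -A inet -n -p` output by owning process and counts only connections whose local port is not one of the host's own service ports, since those are the connections the host opened itself. The sample output and the service-port list (22, 80, 443) are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): group `netstat -A inet -n -p`
# output by owning process to see which one opened the outgoing connections.

# Constructed sample output; addresses are documentation ranges, PIDs invented.
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:22           198.51.100.7:51514      ESTABLISHED 1201/sshd: admin
tcp        0      0 192.0.2.10:80           198.51.100.23:40112     ESTABLISHED 2288/apache2
tcp        0  43520 192.0.2.10:48012        203.0.113.50:80         ESTABLISHED 2290/apache2
tcp        0  43520 192.0.2.10:48013        203.0.113.50:80         ESTABLISHED 2290/apache2
tcp        0  28960 192.0.2.10:48020        203.0.113.77:8080       ESTABLISHED 2290/apache2
tcp        0      1 192.0.2.10:48031        203.0.113.91:80         SYN_SENT    2290/apache2
tcp        0      0 127.0.0.1:3306          127.0.0.1:50122         ESTABLISHED 990/mysqld
udp        0      0 192.0.2.10:40123        198.51.100.9:123        ESTABLISHED 801/ntpd
EOF
}

# Reads netstat output on stdin. $1 = space-separated ports this host serves
# (assumption: 22 80 443). A connection whose local port is one of them was
# opened by a remote client and is skipped; the rest were initiated locally.
# Prints "PID/program connections distinct_peers total_Send-Q", busiest first.
outbound_by_owner() {
    awk -v ports="${1:-22 80 443}" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) svc[p[i]] = 1 }
    $1 ~ /^(tcp|udp|raw)/ {
        lport = $4; sub(/^.*:/, "", lport)
        peer = $5;  sub(/:[^:]*$/, "", peer)
        if ($5 ~ /:\*$/) next          # unconnected socket, no peer
        if (peer ~ /^127\./) next      # loopback traffic never leaves the host
        if (lport in svc) next         # inbound connection to a local service
        # The State column can be empty (UDP) and program names can contain
        # spaces, so take the first "PID/name" field from column 6 onward.
        owner = "-"                    # "-" = owner hidden (netstat not run as root)
        for (i = 6; i <= NF; i++) if ($i ~ /^[0-9]+\//) { owner = $i; break }
        conns[owner]++
        sendq[owner] += $3
        if (!((owner, peer) in seen)) { seen[owner, peer] = 1; peers[owner]++ }
    }
    END { for (o in conns) printf "%s %d %d %d\n", o, conns[o], peers[o], sendq[o] }
    ' | sort -k2,2nr -k1,1
}

# Owner of the largest number of locally initiated connections.
top_talker() { outbound_by_owner "$@" | head -n 1 | cut -d" " -f1; }

# Run on the constructed sample.
sample_netstat | outbound_by_owner "22 80 443"
```

On a live host, pipe the real command into the same function: `netstat -A inet -n -p | outbound_by_owner "22 80 443"`. The program name netstat prints is taken from the process's command line, so confirm the actual binary with `readlink /proc/<pid>/exe`.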

The access.log logs read as follows (a great deal of it):

access.log

127.0.0.1 — - [25/Feb/2014:19:32:41 +0200] «GET / HTTP/1.1» 200 724 "-" «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0»
127.0.0.1 — - [25/Feb/2014:19:32:43 +0200] «GET /vnstat/ HTTP/1.1» 200 1464 «localhost/» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0»
127.0.0.1 — - [25/Feb/2014:19:32:46 +0200] «GET /vnstat/index.php?if=ppp0&graph=large&style=dark&page=h HTTP/1.1» 200 1676 «localhost/vnstat/» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0»
127.0.0.1 — - [25/Feb/2014:19:32:46 +0200] «GET /vnstat/graph_svg.php?if=ppp0&page=h&style=dark HTTP/1.1» 200 33313 «localhost/vnstat/index.php?if=ppp0&graph=large&style=dark&page=h» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0»
127.0.0.1 — - [25/Feb/2014:19:32:49 +0200] «GET /vnstat/index.php?if=ppp0&graph=large&style=dark&page=d HTTP/1.1» 200 1803 «localhost/vnstat/index.php?if=ppp0&graph=large&style=dark&page=h» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0»
127.0.0.1 — - [25/Feb/2014:19:32:49 +0200] «GET /vnstat/graph_svg.php?if=ppp0&page=d&style=dark HTTP/1.1» 200 40470 «localhost/vnstat/index.php?if=ppp0&graph=large&style=dark&page=d» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0»
127.0.0.1 — - [25/Feb/2014:19:32:52 +0200] «GET /vnstat/index.php?if=ppp0&graph=large&style=dark&page=h HTTP/1.1» 200 1676 «localhost/vnstat/index.php?if=ppp0&graph=large&style=dark&page=d» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0»
127.0.0.1 — - [25/Feb/2014:19:32:52 +0200] «GET /vnstat/graph_svg.php?if=ppp0&page=h&style=dark HTTP/1.1» 200 33313 «localhost/vnstat/index.php?if=ppp0&graph=large&style=dark&page=h» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0»
127.0.0.1 — - [25/Feb/2014:19:33:20 +0200] «GET /vnstat/index.php?if=eth1&graph=large&style=dark&page=s HTTP/1.1» 200 1463 «localhost/vnstat/index.php?if=ppp0&graph=large&style=dark&page=h» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0»
127.0.0.1 — - [25/Feb/2014:19:33:24 +0200] «GET /vnstat/index.php?if=eth1&graph=large&style=dark&page=d HTTP/1.1» 200 1804 «localhost/vnstat/index.php?if=eth1&graph=large&style=dark&page=s» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0»
127.0.0.1 — - [25/Feb/2014:19:33:24 +0200] «GET /vnstat/graph_svg.php?if=eth1&page=d&style=dark HTTP/1.1» 200 40472 «localhost/vnstat/index.php?if=eth1&graph=large&style=dark&page=d» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0»
127.0.0.1 — - [25/Feb/2014:19:33:25 +0200] «GET /vnstat/index.php?if=eth1&graph=large&style=dark&page=h HTTP/1.1» 200 1691 «localhost/vnstat/index.php?if=eth1&graph=large&style=dark&page=d» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0»
127.0.0.1 — - [25/Feb/2014:19:33:25 +0200] «GET /vnstat/graph_svg.php?if=eth1&page=h&style=dark HTTP/1.1» 200 33297 «localhost/vnstat/index.php?if=eth1&graph=large&style=dark&page=h» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0»
127.0.0.1 — - [25/Feb/2014:19:33:27 +0200] «GET /vnstat/index.php?if=eth0&graph=large&style=dark&page=h HTTP/1.1» 200 1711 «localhost/vnstat/index.php?if=eth1&graph=large&style=dark&page=h» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0»
127.0.0.1 — - [25/Feb/2014:19:33:27 +0200] «GET /vnstat/graph_svg.php?if=eth0&page=h&style=dark HTTP/1.1» 200 33267 «localhost/vnstat/index.php?if=eth0&graph=large&style=dark&page=h» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0»
127.0.0.1 — - [25/Feb/2014:19:35:07 +0200] «GET / HTTP/1.1» 200 724 "-" «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0»
127.0.0.1 — - [25/Feb/2014:19:35:11 +0200] «GET /vnstat/ HTTP/1.1» 200 1464 «localhost/» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0»
127.0.0.1 — - [25/Feb/2014:19:35:13 +0200] «GET /vnstat/index.php?if=ppp0&graph=large&style=dark&page=d HTTP/1.1» 200 1803 «localhost/vnstat/» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0»
127.0.0.1 — - [25/Feb/2014:19:35:13 +0200] «GET /vnstat/graph_svg.php?if=ppp0&page=d&style=dark HTTP/1.1» 200 40470 «localhost/vnstat/index.php?if=ppp0&graph=large&style=dark&page=d» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0»
127.0.0.1 — - [25/Feb/2014:19:35:14 +0200] «GET /vnstat/index.php?if=ppp0&graph=large&style=dark&page=h HTTP/1.1» 200 1676 «localhost/vnstat/index.php?if=ppp0&graph=large&style=dark&page=d» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0»
127.0.0.1 — - [25/Feb/2014:19:35:14 +0200] «GET /vnstat/graph_svg.php?if=ppp0&page=h&style=dark HTTP/1.1» 200 33313 «localhost/vnstat/index.php?if=ppp0&graph=large&style=dark&page=h» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0»
127.0.0.1 — - [25/Feb/2014:19:35:15 +0200] «GET /vnstat/index.php?if=ppp0&graph=large&style=dark&page=h HTTP/1.1» 200 1676 «localhost/vnstat/index.php?if=ppp0&graph=large&style=dark&page=d» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0»
127.0.0.1 — - [25/Feb/2014:19:35:16 +0200] «GET /vnstat/themes/dark/style.css HTTP/1.1» 304 210 «localhost/vnstat/index.php?if=ppp0&graph=large&style=dark&page=h» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0»
127.0.0.1 — - [25/Feb/2014:19:35:16 +0200] «GET /vnstat/graph_svg.php?if=ppp0&page=h&style=dark HTTP/1.1» 200 33313 «localhost/vnstat/index.php?if=ppp0&graph=large&style=dark&page=h» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0»
127.0.0.1 — - [25/Feb/2014:19:35:17 +0200] «GET /vnstat/index.php?if=ppp0&graph=large&style=dark&page=h HTTP/1.1» 200 1676 «localhost/vnstat/index.php?if=ppp0&graph=large&style=dark&page=d» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0»
127.0.0.1 — - [25/Feb/2014:19:35:17 +0200] «GET /vnstat/themes/dark/style.css HTTP/1.1» 304 210 «localhost/vnstat/index.php?if=ppp0&graph=large&style=dark&page=h» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0»
127.0.0.1 — - [25/Feb/2014:19:35:17 +0200] «GET /vnstat/graph_svg.php?if=ppp0&page=h&style=dark HTTP/1.1» 200 33313 «localhost/vnstat/index.php?if=ppp0&graph=large&style=dark&page=h» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0»
127.0.0.1 — - [25/Feb/2014:19:35:29 +0200] «GET /vnstat/index.php?if=ppp0&graph=large&style=dark&page=h HTTP/1.1» 200 1677 «localhost/vnstat/index.php?if=ppp0&graph=large&style=dark&page=d» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0»
127.0.0.1 — - [25/Feb/2014:19:35:29 +0200] «GET /vnstat/themes/dark/style.css HTTP/1.1» 304 210 «localhost/vnstat/index.php?if=ppp0&graph=large&style=dark&page=h» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0»
127.0.0.1 — - [25/Feb/2014:19:35:29 +0200] «GET /vnstat/graph_svg.php?if=ppp0&page=h&style=dark HTTP/1.1» 200 33313 «localhost/vnstat/index.php?if=ppp0&graph=large&style=dark&page=h» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0»
127.0.0.1 — - [25/Feb/2014:19:35:54 +0200] «GET /vnstat/index.php?if=ppp0&graph=large&style=dark&page=h HTTP/1.1» 200 1677 «localhost/vnstat/index.php?if=ppp0&graph=large&style=dark&page=d» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0»
127.0.0.1 — - [25/Feb/2014:19:35:54 +0200] «GET /vnstat/themes/dark/style.css HTTP/1.1» 304 210 «localhost/vnstat/index.php?if=ppp0&graph=large&style=dark&page=h» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0»
127.0.0.1 — - [25/Feb/2014:19:35:54 +0200] «GET /vnstat/graph_svg.php?if=ppp0&page=h&style=dark HTTP/1.1» 200 33313 «localhost/vnstat/index.php?if=ppp0&graph=large&style=dark&page=h» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0»
127.0.0.1 — - [25/Feb/2014:19:36:04 +0200] «GET /vnstat/index.php?if=ppp0&graph=large&style=dark&page=h HTTP/1.1» 200 1677 «localhost/vnstat/index.php?if=ppp0&graph=large&style=dark&page=d» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0»
127.0.0.1 — - [25/Feb/2014:19:36:04 +0200] «GET /vnstat/themes/dark/style.css HTTP/1.1» 304 210 «localhost/vnstat/index.php?if=ppp0&graph=large&style=dark&page=h» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0»
127.0.0.1 — - [25/Feb/2014:19:36:04 +0200] «GET /vnstat/graph_svg.php?if=ppp0&page=h&style=dark HTTP/1.1» 200 33313 «localhost/vnstat/index.php?if=ppp0&graph=large&style=dark&page=h» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0»
159.253.145.150 — - [25/Feb/2014:19:46:00 +0200] «GET / HTTP/1.1» 200 1561 "-" «Mozilla/5.0 (ABE, noscript.net/abe/wan
127.0.0.1 — - [25/Feb/2014:19:46:28 +0200] «GET / HTTP/1.1» 200 724 "-" «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [25/Feb/2014:19:46:28 +0200] «GET /icons/folder.gif HTTP/1.1» 200 516 «localhost/» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [25/Feb/2014:19:46:28 +0200] «GET /icons/blank.gif HTTP/1.1» 200 438 «localhost/» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [25/Feb/2014:19:46:28 +0200] «GET /favicon.ico HTTP/1.1» 404 498 "-" «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [25/Feb/2014:19:46:29 +0200] «GET /vnstat/ HTTP/1.1» 200 1465 «localhost/» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [25/Feb/2014:19:46:30 +0200] «GET /vnstat/themes/dark/style.css HTTP/1.1» 200 847 «localhost/vnstat/» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [25/Feb/2014:19:46:31 +0200] «GET /vnstat/index.php?if=ppp0&graph=large&style=dark&page=h HTTP/1.1» 200 1673 «localhost/vnstat/» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [25/Feb/2014:19:46:31 +0200] «GET /vnstat/graph_svg.php?if=ppp0&page=h&style=dark HTTP/1.1» 200 33313 «localhost/vnstat/index.php?if=ppp0&graph=large&style=dark&page=h» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
50.19.122.28 — - [25/Feb/2014:19:56:21 +0200] «HEAD / HTTP/1.0» 200 169 "-" "-"
91.192.147.154 — - [25/Feb/2014:20:56:02 +0200] «GET /HNAP1/ HTTP/1.0» 404 473 "-" «Mozil46.98.226.214, Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36»
211.24.250.130 — - [25/Feb/2014:21:00:27 +0200] «HEAD /invoker/EJBInvokerServlet/ HTTP/1.1» 404 163 "-" "-"
211.24.250.130 — - [25/Feb/2014:21:00:28 +0200] «HEAD /invoker/JMXInvokerServlet/ HTTP/1.1» 404 163 "-" "-"
176.113.124.105 — - [25/Feb/2014:21:11:19 +0200] "-" 408 0 "-" "-"
211.24.250.130 — - [25/Feb/2014:21:15:46 +0200] «HEAD /invoker/EJBInvokerServlet/ HTTP/1.1» 404 163 "-" "-"
211.24.250.130 — - [25/Feb/2014:21:15:47 +0200] «HEAD /invoker/JMXInvokerServlet/ HTTP/1.1» 404 163 "-" "-"
211.24.250.130 — - [25/Feb/2014:21:27:15 +0200] «HEAD /invoker/EJBInvokerServlet/ HTTP/1.1» 404 163 "-" "-"
211.24.250.130 — - [25/Feb/2014:21:27:15 +0200] «HEAD /invoker/JMXInvokerServlet/ HTTP/1.1» 404 163 "-" "-"
175.180.64.70 — - [25/Feb/2014:22:28:28 +0200] «GET /phpTest/zologize/axa.php HTTP/1.1» 404 504 "-" "-"
175.180.64.70 — - [25/Feb/2014:22:28:29 +0200] «GET /phpMyAdmin/scripts/setup.php HTTP/1.1» 404 508 "-" "-"
175.180.64.70 — - [25/Feb/2014:22:28:30 +0200] «GET /pma/scripts/setup.php HTTP/1.1» 404 501 "-" "-"
175.180.64.70 — - [25/Feb/2014:22:28:31 +0200] «GET /myadmin/scripts/setup.php HTTP/1.1» 404 505 "-" "-"
159.253.145.150 — - [25/Feb/2014:22:35:30 +0200] «GET / HTTP/1.1» 200 1561 "-" «Mozilla/5.0 (ABE, noscript.net/abe/wan
54.205.217.245 — - [26/Feb/2014:01:09:53 +0200] «HEAD / HTTP/1.0» 200 169 "-" "-"
54.205.217.245 — - [26/Feb/2014:01:09:54 +0200] «POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1» 404 491 "-" «Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25»
54.205.217.245 — - [26/Feb/2014:01:09:54 +0200] «POST /cgi-bin/php5?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1» 404 492 "-" «Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25»
54.205.217.245 — - [26/Feb/2014:01:09:54 +0200] «POST /cgi-bin/php-cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1» 404 495 "-" «Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25»
54.205.217.245 — - [26/Feb/2014:01:09:55 +0200] «POST /cgi-bin/php.cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1» 404 495 "-" «Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25»
54.205.217.245 — - [26/Feb/2014:01:09:55 +0200] «POST /cgi-bin/php4?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1» 404 492 "-" «Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25»
186.94.196.64 — - [26/Feb/2014:01:11:33 +0200] "-" 408 0 "-" "-"
46.38.175.42 — - [26/Feb/2014:01:36:30 +0200] «HEAD / HTTP/1.0» 200 169 "-" "-"
140.117.221.97 — - [26/Feb/2014:02:00:00 +0200] «GET /phpTest/zologize/axa.php HTTP/1.1» 404 504 "-" "-"
140.117.221.97 — - [26/Feb/2014:02:00:00 +0200] «GET /phpMyAdmin/scripts/setup.php HTTP/1.1» 404 508 "-" "-"
140.117.221.97 — - [26/Feb/2014:02:00:01 +0200] «GET /pma/scripts/setup.php HTTP/1.1» 404 501 "-" "-"
140.117.221.97 — - [26/Feb/2014:02:00:02 +0200] «GET /myadmin/scripts/setup.php HTTP/1.1» 404 505 "-" "-"
125.231.178.217 — - [26/Feb/2014:02:02:48 +0200] «GET /phpTest/zologize/axa.php HTTP/1.1» 404 504 "-" "-"
125.231.178.217 — - [26/Feb/2014:02:02:48 +0200] «GET /phpMyAdmin/scripts/setup.php HTTP/1.1» 404 508 "-" "-"
125.231.178.217 — - [26/Feb/2014:02:02:49 +0200] «GET /pma/scripts/setup.php HTTP/1.1» 404 501 "-" "-"
125.231.178.217 — - [26/Feb/2014:02:02:50 +0200] «GET /myadmin/scripts/setup.php HTTP/1.1» 404 505 "-" "-"
159.253.145.150 — - [26/Feb/2014:02:35:27 +0200] «GET / HTTP/1.1» 200 1561 "-" «Mozilla/5.0 (ABE, noscript.net/abe/wan
83.253.232.153 — - [26/Feb/2014:03:11:34 +0200] "-" 408 0 "-" "-"
27.32.222.231 — - [26/Feb/2014:05:11:34 +0200] "-" 408 0 "-" "-"
209.126.230.74 — - [26/Feb/2014:06:06:23 +0200] «GET /robots.txt HTTP/1.0» 404 486 "-" "-"
141.212.121.226 — - [26/Feb/2014:06:46:03 +0200] «GET / HTTP/1.1» 200 728 "-" «Mozilla/5.0 (X11; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0»
24.177.50.59 — - [26/Feb/2014:07:11:34 +0200] "-" 408 0 "-" "-"
127.0.0.1 — - [26/Feb/2014:08:07:21 +0200] «GET / HTTP/1.1» 200 723 "-" «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:07:22 +0200] «GET /icons/blank.gif HTTP/1.1» 200 438 «127.0.0.1/» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:07:22 +0200] «GET /icons/folder.gif HTTP/1.1» 200 515 «127.0.0.1/» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:07:22 +0200] «GET /favicon.ico HTTP/1.1» 404 498 "-" «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:07:22 +0200] «GET /favicon.ico HTTP/1.1» 404 498 "-" «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:07:27 +0200] «GET /vnstat/ HTTP/1.1» 200 1466 «127.0.0.1/» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:07:27 +0200] «GET /vnstat/themes/dark/style.css HTTP/1.1» 200 847 «127.0.0.1/vnstat/» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:07:32 +0200] «GET /vnstat/index.php?if=ppp0&graph=large&style=dark&page=h HTTP/1.1» 200 1709 «127.0.0.1/vnstat/» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:07:32 +0200] «GET /vnstat/graph_svg.php?if=ppp0&page=h&style=dark HTTP/1.1» 200 33287 «127.0.0.1/vnstat/index.php?if=ppp0&graph=large&style=dark&page=h» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:11:11 +0200] «GET / HTTP/1.1» 200 723 "-" «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:11:31 +0200] «GET / HTTP/1.1» 200 723 "-" «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:11:33 +0200] «GET / HTTP/1.1» 200 722 "-" «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:11:38 +0200] «GET / HTTP/1.1» 200 724 "-" «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:11:38 +0200] «GET /icons/blank.gif HTTP/1.1» 200 438 «localhost/» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:11:38 +0200] «GET /icons/folder.gif HTTP/1.1» 200 515 «localhost/» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:11:39 +0200] «GET /favicon.ico HTTP/1.1» 404 498 "-" «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:11:39 +0200] «GET /favicon.ico HTTP/1.1» 404 498 "-" «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:32:16 +0200] «GET / HTTP/1.1» 200 724 "-" «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:32:22 +0200] «GET /phpmyadmin HTTP/1.1» 301 557 "-" «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:32:22 +0200] «GET /phpmyadmin/ HTTP/1.1» 200 3523 "-" «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:32:23 +0200] «GET /phpmyadmin/print.css HTTP/1.1» 200 650 «localhost/phpmyadmin/» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:32:23 +0200] «GET /phpmyadmin/js/cross_framing_protection.js?ts=1329568005 HTTP/1.1» 200 529 «localhost/phpmyadmin/» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:32:23 +0200] «GET /phpmyadmin/js/jquery/jquery-1.4.4.js?ts=1329568005 HTTP/1.1» 200 27229 «localhost/phpmyadmin/» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:32:23 +0200] «GET /phpmyadmin/js/update-location.js?ts=1329568005 HTTP/1.1» 200 711 «localhost/phpmyadmin/» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:32:23 +0200] «GET /phpmyadmin/themes/pmahomme/jquery/jquery-ui-1.8.custom.css HTTP/1.1» 200 6141 «localhost/phpmyadmin/» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:32:23 +0200] «GET /phpmyadmin/js/functions.js?ts=1329568005 HTTP/1.1» 200 9400 «localhost/phpmyadmin/» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:32:23 +0200] «GET /phpmyadmin/js/jquery/jquery.qtip-1.0.0.min.js?ts=1329568005 HTTP/1.1» 200 9849 «localhost/phpmyadmin/» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:32:23 +0200] «GET /phpmyadmin/favicon.ico HTTP/1.1» 200 19199 "-" «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:32:23 +0200] «GET /phpmyadmin/phpmyadmin.css.php?server=1&lang=ru&collation_connection=utf8_general_ci&token=8de673c629ba577d63c77516c97fce52&js_frame=right&nocache=3988383895 HTTP/1.1» 200 9390 «localhost/phpmyadmin/» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:32:23 +0200] «GET /phpmyadmin/js/messages.php?lang=ru&db=&collation_connection=utf8_general_ci&token=8de673c629ba577d63c77516c97fce52 HTTP/1.1» 200 7061 «localhost/phpmyadmin/» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:32:23 +0200] «GET /phpmyadmin/themes/pmahomme/img/logo_right.png HTTP/1.1» 200 5049 «localhost/phpmyadmin/» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:32:23 +0200] «GET /phpmyadmin/themes/pmahomme/img/b_help.png HTTP/1.1» 200 1022 «localhost/phpmyadmin/» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:32:23 +0200] «GET /phpmyadmin/themes/pmahomme/img/s_notice.png HTTP/1.1» 200 910 «localhost/phpmyadmin/phpmyadmin.css.php?server=1&lang=ru&collation_connection=utf8_general_ci&token=8de673c629ba577d63c77516c97fce52&js_frame=right&nocache=3988383895» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:32:23 +0200] «GET /phpmyadmin/themes/pmahomme/img/input_bg.gif HTTP/1.1» 200 452 «localhost/phpmyadmin/phpmyadmin.css.php?server=1&lang=ru&collation_connection=utf8_general_ci&token=8de673c629ba577d63c77516c97fce52&js_frame=right&nocache=3988383895» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:32:26 +0200] «POST /phpmyadmin/index.php HTTP/1.1» 302 739 «localhost/phpmyadmin/» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:32:26 +0200] «GET /phpmyadmin/index.php?token=8de673c629ba577d63c77516c97fce52 HTTP/1.1» 200 3091 «localhost/phpmyadmin/» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:32:26 +0200] «GET /phpmyadmin/js/cross_framing_protection.js?ts=1329568005 HTTP/1.1» 304 210 «localhost/phpmyadmin/index.php?token=8de673c629ba577d63c77516c97fce52» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:32:26 +0200] «GET /phpmyadmin/js/jquery/jquery-1.4.4.js?ts=1329568005 HTTP/1.1» 304 212 «localhost/phpmyadmin/index.php?token=8de673c629ba577d63c77516c97fce52» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:32:26 +0200] «GET /phpmyadmin/js/update-location.js?ts=1329568005 HTTP/1.1» 304 210 «localhost/phpmyadmin/index.php?token=8de673c629ba577d63c77516c97fce52» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:32:26 +0200] «GET /phpmyadmin/js/functions.js?ts=1329568005 HTTP/1.1» 304 211 «localhost/phpmyadmin/index.php?token=8de673c629ba577d63c77516c97fce52» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:32:26 +0200] «GET /phpmyadmin/js/jquery/jquery.qtip-1.0.0.min.js?ts=1329568005 HTTP/1.1» 304 211 «localhost/phpmyadmin/index.php?token=8de673c629ba577d63c77516c97fce52» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:32:26 +0200] «GET /phpmyadmin/phpmyadmin.css.php?server=1&token=8de673c629ba577d63c77516c97fce52&js_frame=right&nocache=3988383895 HTTP/1.1» 200 9390 «localhost/phpmyadmin/index.php?token=8de673c629ba577d63c77516c97fce52» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:32:26 +0200] «GET /phpmyadmin/js/messages.php?lang=ru&db=&token=8de673c629ba577d63c77516c97fce52 HTTP/1.1» 200 7061 «localhost/phpmyadmin/index.php?token=8de673c629ba577d63c77516c97fce52» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:32:27 +0200] «GET /phpmyadmin/themes/pmahomme/img/s_error.png HTTP/1.1» 200 962 «localhost/phpmyadmin/phpmyadmin.css.php?server=1&token=8de673c629ba577d63c77516c97fce52&js_frame=right&nocache=3988383895» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:32:28 +0200] «OPTIONS * HTTP/1.0» 200 126 "-" «Apache/2.2.22 (Ubuntu) (internal dummy connection)»
127.0.0.1 — - [26/Feb/2014:08:32:30 +0200] «POST /phpmyadmin/index.php HTTP/1.1» 302 633 «localhost/phpmyadmin/index.php?token=8de673c629ba577d63c77516c97fce52» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»
127.0.0.1 — - [26/Feb/2014:08:32:31 +0200] «GET /phpmyadmin/index.php?token=8de673c629ba577d63c77516c97fce52 HTTP/1.1» 200 1794 «localhost/phpmyadmin/index.php?token=8de673c629ba577d63c77516c97fce52» «Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0»

The error.log from the latest update:

[Tue Feb 25 11:42:25 2014] [error] [client 37.150.235.39] File does not exist: /var/www/setup.htm
[Tue Feb 25 13:11:04 2014] [error] [client 222.3.122.108] File does not exist: /var/www/start.htm
[Tue Feb 25 13:33:03 2014] [error] [client 178.20.225.110] script not found or unable to stat: /usr/lib/cgi-bin/php
[Tue Feb 25 13:33:03 2014] [error] [client 178.20.225.110] script not found or unable to stat: /usr/lib/cgi-bin/php5
[Tue Feb 25 13:57:52 2014] [error] [client 91.206.201.244] script not found or unable to stat: /usr/lib/cgi-bin/php
[Tue Feb 25 13:57:52 2014] [error] [client 91.206.201.244] script not found or unable to stat: /usr/lib/cgi-bin/php5
[Tue Feb 25 13:57:56 2014] [error] [client 91.206.201.244] script not found or unable to stat: /usr/lib/cgi-bin/php-cgi
[Tue Feb 25 13:57:59 2014] [error] [client 91.206.201.244] script not found or unable to stat: /usr/lib/cgi-bin/php.cgi
[Tue Feb 25 13:57:59 2014] [error] [client 91.206.201.244] script not found or unable to stat: /usr/lib/cgi-bin/php4
[Tue Feb 25 16:15:41 2014] [error] [client 203.171.229.184] File does not exist: /var/www/w00tw00t.at.blackhats.romanian.anti-sec:)
[Tue Feb 25 16:37:26 2014] [error] [client 190.245.72.32] Invalid method in request \x80w\x01\x03\x01
[Tue Feb 25 19:39:07 2014] [notice] caught SIGTERM, shutting down
[Tue Feb 25 19:43:37 2014] [notice] Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.9 with Suhosin-Patch configured -- resuming normal operations
[Tue Feb 25 19:46:28 2014] [error] [client 127.0.0.1] File does not exist: /var/www/favicon.ico
[Tue Feb 25 20:56:02 2014] [error] [client 91.192.147.154] File does not exist: /var/www/HNAP1
[Tue Feb 25 21:00:27 2014] [error] [client 211.24.250.130] File does not exist: /var/www/invoker
[Tue Feb 25 21:00:28 2014] [error] [client 211.24.250.130] File does not exist: /var/www/invoker
[Tue Feb 25 21:15:46 2014] [error] [client 211.24.250.130] File does not exist: /var/www/invoker
[Tue Feb 25 21:15:47 2014] [error] [client 211.24.250.130] File does not exist: /var/www/invoker
[Tue Feb 25 21:27:15 2014] [error] [client 211.24.250.130] File does not exist: /var/www/invoker
[Tue Feb 25 21:27:15 2014] [error] [client 211.24.250.130] File does not exist: /var/www/invoker
[Tue Feb 25 22:28:28 2014] [error] [client 175.180.64.70] File does not exist: /var/www/phpTest
[Tue Feb 25 22:28:29 2014] [error] [client 175.180.64.70] File does not exist: /var/www/phpMyAdmin
[Tue Feb 25 22:28:30 2014] [error] [client 175.180.64.70] File does not exist: /var/www/pma
[Tue Feb 25 22:28:31 2014] [error] [client 175.180.64.70] File does not exist: /var/www/myadmin
[Wed Feb 26 01:09:54 2014] [error] [client 54.205.217.245] script not found or unable to stat: /usr/lib/cgi-bin/php
[Wed Feb 26 01:09:54 2014] [error] [client 54.205.217.245] script not found or unable to stat: /usr/lib/cgi-bin/php5
[Wed Feb 26 01:09:54 2014] [error] [client 54.205.217.245] script not found or unable to stat: /usr/lib/cgi-bin/php-cgi
[Wed Feb 26 01:09:55 2014] [error] [client 54.205.217.245] script not found or unable to stat: /usr/lib/cgi-bin/php.cgi
[Wed Feb 26 01:09:55 2014] [error] [client 54.205.217.245] script not found or unable to stat: /usr/lib/cgi-bin/php4
[Wed Feb 26 02:00:00 2014] [error] [client 140.117.221.97] File does not exist: /var/www/phpTest
[Wed Feb 26 02:00:00 2014] [error] [client 140.117.221.97] File does not exist: /var/www/phpMyAdmin
[Wed Feb 26 02:00:01 2014] [error] [client 140.117.221.97] File does not exist: /var/www/pma
[Wed Feb 26 02:00:02 2014] [error] [client 140.117.221.97] File does not exist: /var/www/myadmin
[Wed Feb 26 02:02:48 2014] [error] [client 125.231.178.217] File does not exist: /var/www/phpTest
[Wed Feb 26 02:02:48 2014] [error] [client 125.231.178.217] File does not exist: /var/www/phpMyAdmin
[Wed Feb 26 02:02:49 2014] [error] [client 125.231.178.217] File does not exist: /var/www/pma
[Wed Feb 26 02:02:50 2014] [error] [client 125.231.178.217] File does not exist: /var/www/myadmin
[Wed Feb 26 06:06:23 2014] [error] [client 209.126.230.74] File does not exist: /var/www/robots.txt
[Wed Feb 26 08:07:22 2014] [error] [client 127.0.0.1] File does not exist: /var/www/favicon.ico
[Wed Feb 26 08:07:22 2014] [error] [client 127.0.0.1] File does not exist: /var/www/favicon.ico
[Wed Feb 26 08:11:39 2014] [error] [client 127.0.0.1] File does not exist: /var/www/favicon.ico
[Wed Feb 26 08:11:39 2014] [error] [client 127.0.0.1] File does not exist: /var/www/favicon.ico
[Wed Feb 26 08:11:49 2014] [notice] caught SIGTERM, shutting down
[Wed Feb 26 08:32:11 2014] [notice] Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.9 with Suhosin-Patch configured -- resuming normal operations

Judging by the entries in access.log, it looks like bots are trying to connect to the server as if it were a proxy. And since the responses include not only 404 but also 200, they are succeeding.

As it turned out later, the boss's son admitted his guilt and came to confess, telling me along the way that he had changed his account password, updated Apache, and tinkered with the SSH settings.

From the available data I was able to establish that proxy bots scan SSH and brute-force passwords along the way. Since the young talent's login turned out to be user and his password "fack_off", a bot got onto the server. Judging by the backed-up logs, or by what made it into the logs, the bot scanned the running services and, if it found Apache, attached a proxy server to it, and then loaded the botnet module itself from Uncle Billy.

All of the symptoms and files listed in ValdikSS's article were present on my server as well.

Re:

Comparing the new and old Apache configs showed that the update had enabled a module: mod_proxy. With it disabled, the traffic stops being generated.
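The access.log check described above (proxy-style requests answered with 200 rather than 404) can be scripted. The following Python is an added example, not code from the original article: the log lines are constructed samples using documentation addresses, and `own_hosts`, `find_proxy_requests` and `suspected_open_proxy_clients` are names chosen here.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def normalise(line):
    """Undo typographic damage (guillemets, em dashes) from web copy-paste."""
    return line.strip().replace("«", '"').replace("»", '"').replace("—", "-")


def proxy_target(request, own_hosts):
    """Return the foreign host a request asks this server to reach, else None."""
    parts = request.split()
    if len(parts) != 3:
        return None  # malformed or binary request line
    method, target, _version = parts
    if method.upper() == "CONNECT":
        return target.lower()  # authority-form: host:port tunnel request
    try:
        url = urlsplit(target)
    except ValueError:
        return None
    if url.scheme.lower() not in ("http", "https", "ftp") or not url.hostname:
        return None  # ordinary origin-form request such as /index.php
    # Absolute-form naming one of our own sites is legitimate HTTP/1.1.
    return None if url.hostname in own_hosts else url.hostname


def find_proxy_requests(lines, own_hosts=()):
    """Summarise proxy-style requests per client address."""
    own = {h.lower() for h in own_hosts}
    report = defaultdict(lambda: {"accepted": 0, "rejected": 0,
                                  "connect_ok": 0, "bytes_out": 0,
                                  "targets": set()})
    for raw in lines:
        m = LINE_RE.match(normalise(raw))
        if not m:
            continue
        request = m.group("request")
        target = proxy_target(request, own)
        if target is None:
            continue
        entry = report[m.group("host")]
        if 200 <= int(m.group("status")) < 300:
            entry["accepted"] += 1
            entry["targets"].add(target)
            size = m.group("size")
            entry["bytes_out"] += int(size) if size.isdigit() else 0
            if request.split()[0].upper() == "CONNECT":
                entry["connect_ok"] += 1
        else:
            entry["rejected"] += 1
    return {client: {**e, "targets": sorted(e["targets"])}
            for client, e in report.items()}


def suspected_open_proxy_clients(report):
    """Clients that got at least one 2xx answer to a proxy-style request."""
    return sorted(c for c, e in report.items() if e["accepted"] > 0)


# Constructed sample lines (documentation addresses, not taken from the article).
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Feb/2014:19:50:01 +0200] "GET http://www.example.com/ HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.7 - - [25/Feb/2014:19:50:02 +0200] "CONNECT mail.example.net:25 HTTP/1.0" 200 0 "-" "-"',
    # Typographically damaged line, request refused with 404:
    '203.0.113.9 — - [25/Feb/2014:19:51:10 +0200] «GET http://www.example.org/check.php HTTP/1.1» 404 498 «-» «-»',
    # Ordinary local request, must be ignored:
    '127.0.0.1 - - [26/Feb/2014:08:32:31 +0200] "GET /phpmyadmin/js/common.js HTTP/1.1" 200 1787 "-" "Mozilla/5.0"',
    # Binary junk in the request line, must be ignored:
    '192.0.2.44 - - [25/Feb/2014:16:37:26 +0200] "\\x80w\\x01\\x03\\x01" 400 226 "-" "-"',
    # Absolute-form request for our own (assumed) host name, must be ignored:
    '192.0.2.50 - - [25/Feb/2014:19:52:00 +0200] "GET http://test.lan/index.php HTTP/1.1" 200 300 "-" "-"',
]

if __name__ == "__main__":
    result = find_proxy_requests(SAMPLE_LOG, own_hosts={"test.lan"})
    for client in suspected_open_proxy_clients(result):
        print(client, result[client])
```

A 2xx on an absolute-form request is a lead rather than proof, because Apache can answer such a request from its own default site when forward proxying is off; a 2xx on CONNECT, or response sizes that match no local page, alongside an enabled mod_proxy, is the stronger signal.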

Author: Ramen
