Pergunta
LogWatch is a nice tool that provides daily reports on linux log files. It includes several information summaries, like traffic, users who logged in, who used sudo, relevant kernel messages, IPs that probed the server, search engines that probed your apache, etc...
One section includes IP addresses that used known exploits attempts to hack your server. They didn't necessarily succeed, but they are listed in the report anyway for knowledge. This is what it looks like.
https://stackoverflow.com/questions/15852010
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianAttempts to use known hacks by 4 hosts were logged 4 time(s) from:
187.13.156.179: 1 Time(s)
^null$ 1 Time(s)
187.60.121.62: 1 Time(s)
^null$ 1 Time(s)
189.123.240.18: 1 Time(s)
^null$ 1 Time(s)
189.70.214.124: 1 Time(s)
^null$ 1 Time(s)
My question is what exactly is this ^null$ attack? I've tried googling this, but nothing relevant seems to show up.
Solução
This is usually not something to worry about - it isn't necessarily an actual attack. The ^null$ "attack" is simply a client connection terminating without sending any HTTP request (i.e. a connection is established to your web server, but no request is received).
If you had multiple attempts on your server from a single IP, or many ^null$ entries per IP, then you may have evidence of a concerted attempt. As it is, I would suggest you can safely ignore the example log you've given above.
Outras dicas
It's interesting to note that Heartbleed probing translates into such warnings from LogWatch:
Attempts to use known hacks by 1 hosts were logged 1 time(s) from:
54.82.203.167: 1 Time(s)
^null$ 1 Time(s)
The corresponding Apache SSL log entry is:
XXXXXX:443 54.82.203.167 - - [10/Apr/2014:00:19:45 +0200] "quit" 301 1313 "-" "-"
(using http://filippo.io/Heartbleed/)
Several types of monitoring services will make this go off as well; for example uptimerobot.com:
Attempts to use known hacks by 10 hosts were logged 107 time(s) from: 74.86.158.106: 91 Time(s) ^null$ 91 Time(s)
74.86.158.106 - - [09/Feb/2015:01:09:54 -0500] "GET / HTTP/1.1" 200 17896 "-" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
74.86.158.106 - - [09/Feb/2015:01:10:47 -0500] "HEAD / HTTP/1.1" 200 - "-" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
Certain types of failover applications would likely set it off as well, like heartbeat and ldirectord (depending on their configuration).
