userid on apache webserver – a way to tell if you have been compromised?

Colum31 asked:

I am running an apache webserver and trying to learn how to manage it.
I tried my best to make it secure, and have taken several precautions like running as a separate user, disabling indexing and sending no banner.

I read the logs daily, and I have stumbled upon following:

XXX.XXX.92.232 - admin [02/Aug/2020:11:28:11 +0200] "GET / HTTP/1.1" 200 [...]

I am using the CLF. On Wikipedia I found out that admin refers to the userid. Usually in my logs there is just a - in this place. I don’t have any authentication on my webpages. I do not use .htaccess files.
I am concerned that my webserver may be compromised.

I am aware of the attacks, the scripts, trying to find a weak spot in one's webserver. They all end up in 404. This one got me scared, because it seems that someone tried (and succeeded?) to authenticate as admin.

I would be very thankful if somebody could explain what happened there.

Edit:

The IP left other logs:

XXX.XXX.92.232 - - [02/Aug/2020:11:27:48 +0200] "GET / HTTP/1.1" 200 503 "http://my_ip:80/" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
XXX.XXX.92.232 - - [02/Aug/2020:11:27:52 +0200] "GET / HTTP/1.1" 200 503 "http://my_ip:80/" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
XXX.XXX.92.232 - - [02/Aug/2020:11:27:56 +0200] "GET /FHFactoryCheck.html HTTP/1.1" 404 341 "http://my_ip:80/" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
XXX.XXX.92.232 - - [02/Aug/2020:11:28:01 +0200] "GET / HTTP/1.1" 200 503 "http://my_ip:80/" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
XXX.XXX.92.232 - - [02/Aug/2020:11:28:06 +0200] "GET / HTTP/1.1" 200 503 "http://my_ip:80/" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
XXX.XXX.92.232 - admin [02/Aug/2020:11:28:11 +0200] "GET / HTTP/1.1" 200 503 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"

There are no other logs.

My answer:
The appearance of a user name in this part of the Apache access log indicates that the user agent sent HTTP Basic authentication headers and what the username was. It does not indicate whether authentication was attempted. If you haven’t actually configured Basic authentication for this URL, then the authentication header is just ignored. This is not an indication of compromise when Basic authentication is not in use.

What this actually looks like is just another random bot trying a whole lot of stuff to see if anything interesting happens that it can take advantage of. If those are all the log entries, then it most likely found nothing interesting and moved on.

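As an added illustration of the answer's point (example code, not from the question or the Server Fault thread): a small parser for Apache's combined log format that shows how the remote-user field should be read. Whether a logged name is a real login depends entirely on whether Basic auth is configured for that path, so the classifier takes the protected prefixes as input; the sample lines and the 203.0.113.9 address are constructed.

```python
import re
from collections import Counter

# Apache combined log format: CLF plus referer and user-agent. The third
# field (remote user) is copied from the Authorization header the client
# sent, whether or not the server ever checked it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

# Constructed sample mirroring the question's entries; 203.0.113.9 is a
# documentation address, not a real client.
SAMPLE_LOG = """\
203.0.113.9 - - [02/Aug/2020:11:27:48 +0200] "GET / HTTP/1.1" 200 503 "http://my_ip:80/" "Mozilla/5.0"
203.0.113.9 - - [02/Aug/2020:11:27:56 +0200] "GET /FHFactoryCheck.html HTTP/1.1" 404 341 "http://my_ip:80/" "Mozilla/5.0"
203.0.113.9 - admin [02/Aug/2020:11:28:11 +0200] "GET / HTTP/1.1" 200 503 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def classify_user_field(entry, basic_auth_paths=()):
    """Say what a remote-user value means; basic_auth_paths lists URL prefixes
    that really require Basic auth (empty in the question: no auth, no .htaccess)."""
    if entry["user"] == "-":
        return "no-credentials"
    if not any(entry["path"].startswith(p) for p in basic_auth_paths):
        # Apache logged the name from the header but never validated it:
        # noise from a scanner, not a login.
        return "header-ignored"
    return "auth-failed" if entry["status"] == 401 else "auth-succeeded"

def review_log(text, basic_auth_paths=()):
    """Classify each parsed line and count 404 probes per client IP."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    verdicts = [(e["ip"], e["user"], e["path"], classify_user_field(e, basic_auth_paths))
                for e in entries]
    probes = Counter(e["ip"] for e in entries if e["status"] == 404)
    return verdicts, probes
```

Running `review_log(SAMPLE_LOG)` labels the admin line "header-ignored" because no path is protected; pass `basic_auth_paths=("/",)` to see how the same line would read on a server where Basic auth really is configured.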

View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.