Many lines in Apache's access_log without a user name... hacking?

webserver_issue

#1

I am seeing hundreds of lines that are similar to the following in /var/log/httpd/access_log and am wondering if this is a hacking attempt. I do not see a user name associated with the activity nor do I recognize the IP address from which the traffic originated.

xxx.xxx.xxx.xxx - - [25/Jul/2016:04:37:57 -0400] "GET / HTTP/1.1" 403 1022
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:37:57 -0400] "GET /favicon.ico HTTP/1.1" 404 1181
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:01 -0400] "GET /owncloud HTTP/1.1" 301 256
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:01 -0400] "GET /owncloud/ HTTP/1.1" 302 -
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:02 -0400] "GET /owncloud/index.php/login HTTP/1.1" 200 10619
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:04 -0400] "GET /owncloud/core/css/inputs.css?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 8973
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:04 -0400] "GET /owncloud/core/css/header.css?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 7338
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:04 -0400] "GET /owncloud/core/css/styles.css?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 21989
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:04 -0400] "GET /owncloud/core/css/icons.css?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 8018
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:04 -0400] "GET /owncloud/core/css/fonts.css?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 728
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:04 -0400] "GET /owncloud/core/css/apps.css?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 14786
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:04 -0400] "GET /owncloud/core/css/global.css?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 607
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:04 -0400] "GET /owncloud/core/css/fixes.css?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 357
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:04 -0400] "GET /owncloud/core/css/multiselect.css?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 2428
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:04 -0400] "GET /owncloud/core/css/mobile.css?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 3075
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:04 -0400] "GET /owncloud/core/css/tooltip.css?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 2359
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:04 -0400] "GET /owncloud/core/css/share.css?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 3152
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:04 -0400] "GET /owncloud/core/css/jquery-ui-fixes.css?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 3630
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:04 -0400] "GET /owncloud/core/vendor/jquery-ui/themes/base/jquery-ui.css?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 32269
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:04 -0400] "GET /owncloud/apps/files_versions/css/versions.css?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 962
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:04 -0400] "GET /owncloud/apps/files_pdfviewer/css/style.css?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 140
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:04 -0400] "GET /owncloud/apps/firstrunwizard/css/firstrunwizard.css?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 776
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:04 -0400] "GET /owncloud/apps/files_videoplayer/css/style.css?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 7452
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:04 -0400] "GET /owncloud/apps/firstrunwizard/css/colorbox.css?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 2214
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:04 -0400] "GET /owncloud/core/css/jquery.ocdialog.css?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 1137
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:04 -0400] "GET /owncloud/core/vendor/jquery-migrate/jquery-migrate.min.js?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 9632
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:04 -0400] "GET /owncloud/core/vendor/jquery/dist/jquery.min.js?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 84380
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:04 -0400] "GET /owncloud/core/vendor/underscore/underscore.js?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 52919
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:04 -0400] "GET /owncloud/core/vendor/blueimp-md5/js/md5.js?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 9639
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:04 -0400] "GET /owncloud/core/vendor/handlebars/handlebars.js?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 89667
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:05 -0400] "GET /owncloud/core/vendor/bootstrap/js/tooltip.js?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 16345
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:05 -0400] "GET /owncloud/core/vendor/backbone/backbone.js?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 71415
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:05 -0400] "GET /owncloud/core/vendor/es6-promise/dist/es6-promise.js?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 32525
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:05 -0400] "GET /owncloud/core/vendor/davclient.js/lib/client.js?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 11007
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:04 -0400] "GET /owncloud/core/vendor/moment/min/moment-with-locales.js?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 360503
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:05 -0400] "GET /owncloud/core/js/placeholders.js?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 19274
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:05 -0400] "GET /owncloud/core/js/compatibility.js?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 3567
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:05 -0400] "GET /owncloud/core/js/jquery.ocdialog.js?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 6698
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:05 -0400] "GET /owncloud/core/js/oc-dialogs.js?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 25481
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:05 -0400] "GET /owncloud/core/js/js.js?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 59818
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:05 -0400] "GET /owncloud/core/js/l10n.js?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 7553
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:04 -0400] "GET /owncloud/core/vendor/jquery-ui/ui/jquery-ui.custom.js?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 432631
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:05 -0400] "GET /owncloud/core/js/octemplate.js?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 3082
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:05 -0400] "GET /owncloud/core/js/eventsource.js?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 4242
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:05 -0400] "GET /owncloud/core/js/config.js?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 1516
xxx.xxx.xxx.xxx - - [25/Jul/2016:04:38:05 -0400] "GET /owncloud/core/search/js/search.js?v=390065251e8fe4d5e2ed684597ee616b HTTP/1.1" 200 11797
...

It goes on and on...


#2

access_log is just the logging of each access to your instance, no matter if it's a bot / search engine or a user browsing your instance.


#3

But since there is not a user name attached to the activity which is in contrast to lines like the below, I am unclear how someone not authenticated to owncloud could be getting those files.

yyy.yyy.yyy.yyyy - foo [05/Aug/2016:20:13:56 -0400] "PROPFIND /owncloud/remote.php/webdav/InstantUpload/Photo-2016-08-04-18-45-06_1927.JPG HTTP/1.1" 207 931

#4

Stuff like .css or images are not protected by authentication so you won't get any user name for those (it makes no sense to protect freely available stuff).


#5

If you log the user agent you will see what's going on. I would guess this is one of the clients which still have a valid session and hence do not require to have the username sent, which is part of the basic auth.


#6

I don't think that a sync client is causing those requests. The examples are all .css files which are just requested by any browser (without authentication) when opening the main page of the oc instance.


#7

Thanks for the replies, all.


#8

I checked my logfiles. The requests by the oc-client are normally identified by a user in the logfiles. This is not the case for logins on the web interface. I think there was a feature request somewhere on the bugtracker to change that.
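An added example, not part of the thread and not ownCloud code: a small triage script that sorts access_log lines by the distinction the replies draw, so that only requests with no user name that succeeded on a non-public path are left to review. The public-path pattern, the static-extension list, the bucket names and the sample lines (documentation IP addresses) are assumptions made up for illustration.

```python
import re
from collections import Counter

# Common Log Format, plus the optional referer/user-agent pair of "combined".
LINE = re.compile(
    r'(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)
# Assumption: extensions served without authentication (CSS, scripts, images).
STATIC = re.compile(r'\.(css|js|ico|png|jpe?g|gif|svg|woff2?)$', re.I)
# Assumption: pages an anonymous browser reaches before logging in.
PUBLIC = re.compile(r'^/(owncloud(/(index\.php/login)?)?)?$')

def classify(line):
    """Return a bucket name for one access_log line."""
    m = LINE.match(line)
    if not m:
        return "unparsed"
    if m["user"] != "-":
        return "authenticated"          # basic-auth user name was logged
    path = m["path"].split("?", 1)[0]   # drop the ?v=... cache-buster
    # User files live under remote.php, so never treat those as public assets.
    public = (STATIC.search(path) or PUBLIC.match(path)) and "/remote.php/" not in path
    if public:
        return "anonymous-public"
    # No user name and not a public asset: only a success needs a closer look.
    return "anonymous-review" if m["status"].startswith("2") else "anonymous-denied"

def triage(lines):
    """Count lines per bucket, skipping blank lines."""
    return Counter(classify(l) for l in lines if l.strip())

# Constructed sample lines modelled on the ones quoted in the thread.
SAMPLE = [
    '192.0.2.10 - - [25/Jul/2016:04:37:57 -0400] "GET / HTTP/1.1" 403 1022',
    '192.0.2.10 - - [25/Jul/2016:04:38:02 -0400] "GET /owncloud/index.php/login HTTP/1.1" 200 10619',
    '192.0.2.10 - - [25/Jul/2016:04:38:04 -0400] "GET /owncloud/core/css/styles.css?v=abc HTTP/1.1" 200 21989',
    '192.0.2.20 - foo [05/Aug/2016:20:13:56 -0400] "PROPFIND /owncloud/remote.php/webdav/Photo.JPG HTTP/1.1" 207 931',
    '192.0.2.10 - - [25/Jul/2016:04:38:09 -0400] "PROPFIND /owncloud/remote.php/webdav/ HTTP/1.1" 401 -',
    '192.0.2.10 - - [25/Jul/2016:04:38:11 -0400] "GET /owncloud/remote.php/webdav/a.txt HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for bucket, count in triage(SAMPLE).most_common():
        print(f"{count:4d}  {bucket}")
```

Lines in the `anonymous-review` bucket are not necessarily hostile: as the replies note, a request carried by a valid session is logged without a user name, so check the user agent and session for those entries.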