Apache Lounge

Topic: server hacked ?
craigt
Joined: 03 Sep 2012
Posts: 16
Location: Richmond, ky
Posted: Sun 23 Nov '14 16:00    Post subject: server hacked ?

Good morning.

My error log had the following entries this morning.

    [Sat Nov 22 05:42:15 2014] [error] [client 222.216.28.248] script not found or unable to stat: C:/usr/www/steepusa/cgi-bin/php5
    [Sat Nov 22 05:42:16 2014] [error] [client 222.216.28.248] script not found or unable to stat: C:/usr/www/steepusa/cgi-bin/php-cgi
    [Sat Nov 22 05:42:17 2014] [error] [client 222.216.28.248] script not found or unable to stat: C:/usr/www/steepusa/cgi-bin/php.cgi
    [Sat Nov 22 05:42:18 2014] [error] [client 222.216.28.248] script not found or unable to stat: C:/usr/www/steepusa/cgi-bin/php4
    [Sat Nov 22 13:11:24 2014] [error] [client 189.171.48.1] File does not exist: C:/usr/www/steepusa/gege
    [Sat Nov 22 13:11:25 2014] [error] [client 189.171.48.1] File does not exist: C:/usr/www/steepusa/phpMyAdmin
    [Sat Nov 22 13:11:26 2014] [error] [client 189.171.48.1] File does not exist: C:/usr/www/steepusa/pma
    [Sat Nov 22 13:11:27 2014] [error] [client 189.171.48.1] File does not exist: C:/usr/www/steepusa/myadmin
    [Sat Nov 22 22:55:20 2014] [error] [client 1.2.172.71] File does not exist: C:/usr/www/steepusa/bsbs
    [Sat Nov 22 22:55:21 2014] [error] [client 1.2.172.71] File does not exist: C:/usr/www/steepusa/phpMyAdmin
    [Sat Nov 22 22:55:22 2014] [error] [client 1.2.172.71] File does not exist: C:/usr/www/steepusa/pma
    [Sat Nov 22 22:55:23 2014] [error] [client 1.2.172.71] File does not exist: C:/usr/www/steepusa/myadmin
    [Sun Nov 23 00:56:40 2014] [error] [client 218.164.97.122] File does not exist: C:/usr/www/steepusa/ntnt
    [Sun Nov 23 00:56:41 2014] [error] [client 218.164.97.122] File does not exist: C:/usr/www/steepusa/phpMyAdmin
    [Sun Nov 23 00:56:42 2014] [error] [client 218.164.97.122] File does not exist: C:/usr/www/steepusa/pma
    [Sun Nov 23 00:56:43 2014] [error] [client 218.164.97.122] File does not exist: C:/usr/www/steepusa/myadmin
    [Sun Nov 23 06:48:05 2014] [error] [client 66.135.34.113] script not found or unable to stat: C:/usr/www/steepusa/cgi-bin/php.exe
    [Sun Nov 23 06:48:06 2014] [error] [client 66.135.34.113] script not found or unable to stat: C:/usr/www/steepusa/cgi-bin/php5.exe
    [Sun Nov 23 06:48:06 2014] [error] [client 66.135.34.113] script not found or unable to stat: C:/usr/www/steepusa/cgi-bin/php-cgi.exe
    [Sun Nov 23 06:48:07 2014] [error] [client 66.135.34.113] script not found or unable to stat: C:/usr/www/steepusa/cgi-bin/cgi.exe
    [Sun Nov 23 06:48:07 2014] [error] [client 66.135.34.113] script not found or unable to stat: C:/usr/www/steepusa/cgi-bin/php4.exe

My access log had the following entries.

    1.2.172.71 - - [22/Nov/2014:22:55:20 -0500] "GET /bsbs/bsb/bs.php HTTP/1.1" 404 318
    1.2.172.71 - - [22/Nov/2014:22:55:21 -0500] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 331
    1.2.172.71 - - [22/Nov/2014:22:55:22 -0500] "GET /pma/scripts/setup.php HTTP/1.1" 404 324
    1.2.172.71 - - [22/Nov/2014:22:55:23 -0500] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 328
    218.164.97.122 - - [23/Nov/2014:00:56:40 -0500] "GET /ntnt/ntn/nt.php HTTP/1.1" 404 318
    218.164.97.122 - - [23/Nov/2014:00:56:41 -0500] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 331
    218.164.97.122 - - [23/Nov/2014:00:56:42 -0500] "GET /pma/scripts/setup.php HTTP/1.1" 404 324
    218.164.97.122 - - [23/Nov/2014:00:56:43 -0500] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 328
    212.83.138.153 - - [23/Nov/2014:02:04:26 -0500] "GET / HTTP/1.1" 200 15675
    157.55.39.6 - - [23/Nov/2014:02:56:37 -0500] "GET /robots.txt HTTP/1.1" 200 430
    157.55.39.5 - - [23/Nov/2014:02:56:58 -0500] "GET / HTTP/1.1" 200 2802
    104.192.0.19 - - [23/Nov/2014:06:26:10 -0500] "GET / HTTP/1.0" 200 15678
    66.135.34.113 - - [23/Nov/2014:06:48:05 -0500] "GET //cgi-bin/php.exe HTTP/1.1" 404 263
    66.135.34.113 - - [23/Nov/2014:06:48:06 -0500] "GET //cgi-bin/php5.exe HTTP/1.1" 404 263
    66.135.34.113 - - [23/Nov/2014:06:48:06 -0500] "GET //cgi-bin/php-cgi.exe HTTP/1.1" 404 264
    66.135.34.113 - - [23/Nov/2014:06:48:07 -0500] "GET //cgi-bin/cgi.exe HTTP/1.1" 404 262
    66.135.34.113 - - [23/Nov/2014:06:48:07 -0500] "GET //cgi-bin/php4.exe HTTP/1.1" 404 264
    104.236.27.63 - - [23/Nov/2014:07:03:16 -0500] "GET /parts/brief.html HTTP/1.1" 200 2166
    178.62.214.203 - - [23/Nov/2014:07:03:30 -0500] "GET /shom3ifrm.html HTTP/1.1" 200 326
    104.236.27.69 - - [23/Nov/2014:07:03:42 -0500] "GET /shom4.html HTTP/1.1" 200 484
    198.211.117.78 - - [23/Nov/2014:07:03:52 -0500] "GET /m1demo/m1.htm HTTP/1.1" 200 587
    162.243.1.48 - - [23/Nov/2014:07:03:54 -0500] "GET /parts/m3.html HTTP/1.1" 200 1888
    198.199.68.18 - - [23/Nov/2014:07:04:15 -0500] "GET /shom2ifrm.html HTTP/1.1" 200 325
    104.131.146.120 - - [23/Nov/2014:07:04:16 -0500] "GET /parts/acks.html HTTP/1.1" 200 2004
    95.85.39.206 - - [23/Nov/2014:07:04:30 -0500] "GET /parts/m1.html HTTP/1.1" 200 2102
    128.199.232.11 - - [23/Nov/2014:07:05:29 -0500] "GET /docs/scdoce.doc HTTP/1.1" 200 16202
    178.62.219.89 - - [23/Nov/2014:07:05:39 -0500] "GET /parts/potential.html HTTP/1.1" 200 1095
    104.131.135.7 - - [23/Nov/2014:07:05:39 -0500] "GET /parts/features.html HTTP/1.1" 200 1710
    104.236.27.65 - - [23/Nov/2014:07:05:40 -0500] "GET /parts/addedvalue.html HTTP/1.1" 200 988
    162.243.164.227 - - [23/Nov/2014:07:05:40 -0500] "GET /parts/roi.html HTTP/1.1" 200 1253
    104.236.27.68 - - [23/Nov/2014:07:06:04 -0500] "GET /parts/di.html HTTP/1.1" 200 638
    188.226.169.215 - - [23/Nov/2014:07:06:05 -0500] "GET /parts/priceom.html HTTP/1.1" 200 572
    178.62.158.69 - - [23/Nov/2014:07:06:06 -0500] "GET /m3demo/m3.htm HTTP/1.1" 200 373
    192.241.248.155 - - [23/Nov/2014:07:06:07 -0500] "GET /parts/m2.html HTTP/1.1" 200 1768
    162.243.226.174 - - [23/Nov/2014:07:06:27 -0500] "GET /shodhtml2.html HTTP/1.1" 200 332
    178.62.99.54 - - [23/Nov/2014:07:06:28 -0500] "GET /parts/company.html HTTP/1.1" 200 1130
    128.199.154.245 - - [23/Nov/2014:07:06:29 -0500] "GET /parts/idea.html HTTP/1.1" 200 3510
    178.62.152.120 - - [23/Nov/2014:07:06:39 -0500] "GET /sge.html HTTP/1.1" 200 258
    104.131.146.120 - - [23/Nov/2014:07:08:16 -0500] "GET /m2demo/m2.htm HTTP/1.1" 200 373
    162.243.1.48 - - [23/Nov/2014:07:08:28 -0500] "GET /parts/ii.html HTTP/1.1" 200 1004
    125.64.35.67 - - [23/Nov/2014:07:54:10 -0500] "GET http://6.url.cn/zc/chs/img/body.png HTTP/1.1" 404 259

My static IP starts with 72. I think I'm being hacked. These IPs are from all over the globe. Looks like they are probing my server and executing parts of the website that this server hosts. These people don't have much to do.

Would someone please comment on what they see here, what could happen, and what I should do to prevent any destructive behavior? The application the server hosts is simply an idea of my own design and development, and hardly of any interest to a cracker, I would think.

I'm on the Windows 7 platform using Apache/2.0.64 (Win32), mod_perl/2.0.3, and Perl/v5.8.3. I work with the firewall down because my application does not seem to be visible to the WWW with it up (probably my understanding). I run MSE all the time and MalwareBytes regularly.

Thanks.
glsmith
Moderator
Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA
Posted: Tue 25 Nov '14 21:48

Doubtful.

These look like scans for vulnerabilities/horrible configs, and the ones that 404 mean there is not a problem with any one of those. I'm going to assume all the 200s are actually legitimate requests to resources on your server, like these:

104.236.27.63 - - [23/Nov/2014:07:03:16 -0500] "GET /parts/brief.html HTTP/1.1" 200 2166
178.62.214.203 - - [23/Nov/2014:07:03:30 -0500] "GET /shom3ifrm.html HTTP/1.1" 200 326
104.236.27.69 - - [23/Nov/2014:07:03:42 -0500] "GET /shom4.html HTTP/1.1" 200 484
198.211.117.78 - - [23/Nov/2014:07:03:52 -0500] "GET /m1demo/m1.htm HTTP/1.1" 200 587
craigt
Joined: 03 Sep 2012
Posts: 16
Location: Richmond, ky
Posted: Fri 28 Nov '14 21:32
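The 404-versus-200 reading glsmith gives above, applied to the log lines craigt posted, as an added example that is not part of the thread: a short Python script that parses a subset of the quoted access and error log lines, groups requests by client address, and flags the probe signatures (php-cgi binaries under /cgi-bin/, phpMyAdmin setup scripts, an absolute-URL request). The marker list, the verdict names and the open-proxy heuristic are assumptions of this example, not anything the thread states.

```python
"""Scanner triage over the Apache log lines quoted in this thread.

Added example, not code from the thread. ACCESS_LOG and ERROR_LOG are a
subset of the lines craigt posted; the marker list, verdict names and the
open-proxy heuristic are assumptions of this example.
"""
import re
from collections import defaultdict

ACCESS_LOG = """\
1.2.172.71 - - [22/Nov/2014:22:55:20 -0500] "GET /bsbs/bsb/bs.php HTTP/1.1" 404 318
1.2.172.71 - - [22/Nov/2014:22:55:21 -0500] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 331
1.2.172.71 - - [22/Nov/2014:22:55:22 -0500] "GET /pma/scripts/setup.php HTTP/1.1" 404 324
157.55.39.6 - - [23/Nov/2014:02:56:37 -0500] "GET /robots.txt HTTP/1.1" 200 430
66.135.34.113 - - [23/Nov/2014:06:48:05 -0500] "GET //cgi-bin/php.exe HTTP/1.1" 404 263
66.135.34.113 - - [23/Nov/2014:06:48:06 -0500] "GET //cgi-bin/php-cgi.exe HTTP/1.1" 404 264
104.236.27.63 - - [23/Nov/2014:07:03:16 -0500] "GET /parts/brief.html HTTP/1.1" 200 2166
125.64.35.67 - - [23/Nov/2014:07:54:10 -0500] "GET http://6.url.cn/zc/chs/img/body.png HTTP/1.1" 404 259
"""

ERROR_LOG = """\
[Sat Nov 22 05:42:15 2014] [error] [client 222.216.28.248] script not found or unable to stat: C:/usr/www/steepusa/cgi-bin/php5
[Sat Nov 22 13:11:25 2014] [error] [client 189.171.48.1] File does not exist: C:/usr/www/steepusa/phpMyAdmin
"""

# Apache common log format: host ident user [time] "method target proto" status bytes
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Apache 2.0 error log line: [time] [level] [client ip] message
ERROR_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$')

# Lower-cased path fragments typical of automated probes for php-cgi binaries
# and phpMyAdmin setup scripts (assumed list; extend it from your own logs).
SCANNER_MARKERS = ("/cgi-bin/php", "/cgi-bin/cgi.exe", "/phpmyadmin/",
                   "/pma/", "/myadmin/", "/scripts/setup.php")


def parse_access(text):
    """Return one dict per parseable access-log line; unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            row = m.groupdict()
            row["status"] = int(row["status"])
            rows.append(row)
    return rows


def parse_error(text):
    return [m.groupdict() for m in map(ERROR_RE.match, text.splitlines()) if m]


def normalize_path(target):
    """Collapse repeated slashes and lower-case, so '//cgi-bin/PHP.exe' still matches."""
    return re.sub(r"/{2,}", "/", target).lower()


def classify(rows):
    """One verdict per client IP, following the 404/200 reading in glsmith's reply."""
    per_ip = defaultdict(list)
    for row in rows:
        per_ip[row["ip"]].append(row)
    verdicts = {}
    for ip, reqs in per_ip.items():
        raw = [r["target"].lower() for r in reqs]
        paths = [normalize_path(t) for t in raw]
        if any(t.startswith(("http://", "https://")) for t in raw):
            verdicts[ip] = "proxy-probe"   # absolute URL in the request line: open-proxy check
        elif any(mk in p for p in paths for mk in SCANNER_MARKERS):
            verdicts[ip] = "scanner"       # known probe paths; a 404 means nothing was found
        elif all(r["status"] == 404 for r in reqs):
            verdicts[ip] = "probe-404"     # unknown paths only, nothing served
        elif all(r["status"] < 400 for r in reqs):
            verdicts[ip] = "served"        # existing resources only: ordinary traffic
        else:
            verdicts[ip] = "mixed"
    return verdicts


def cgi_enabled(error_text):
    """'script not found or unable to stat' is mod_cgi's own not-found wording,
    so seeing it means /cgi-bin/ is mapped to the CGI handler (e.g. ScriptAlias)
    even though the probed binaries are absent."""
    return any("script not found or unable to stat" in e["msg"] for e in parse_error(error_text))


if __name__ == "__main__":
    for ip, verdict in sorted(classify(parse_access(ACCESS_LOG)).items()):
        print(f"{ip:16} {verdict}")
    print("cgi-bin handled by mod_cgi:", cgi_enabled(ERROR_LOG))
```

Two details the thread does not call out, and which the script surfaces: the "script not found or unable to stat" lines are mod_cgi's wording, so the /cgi-bin/ alias on this server is live and handled by the CGI module (if nothing in that directory is used, removing the ScriptAlias removes a whole class of probe targets); and the request for an absolute URL (`GET http://6.url.cn/...`) is a check for an open forward proxy, which the 404 also answers in the negative. The firewall-down workaround described in the first post is separately worth replacing with a single inbound allow rule for the listening port, so everything else on the machine stays closed; that is this example's suggestion, not something the thread states.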

Thanks for the reply glsmith. I think I need to study the firewall and Apache server I use to try to restrict access a little better.

I've been focused on an app and website doing design, development, and testing, until now. I'm at the next step, and here the firewall and Apache configuration become more important. And I must admit, I've had some malware problems as I've been doing this.

I've had my firewall down because I lose WWW visibility when it's up. And my Apache installation was pretty generic, with a few exceptions like mod_perl. I need to go deeper in these areas.