[SOLVED] Logs


jaymc


Something is blowing my server up. What I know is that when my forum is publicly accessible the server crashes; when it's .htaccess'd it's fine.

 

Just check out this, which I pulled from its CustomLog! Obviously some kind of bot.

 

This was after 3 seconds

 

Any idea of what the hell this is?

 

It's a Linux server by the way, CentOS 4.4.

 

www.ticketmaster.com 66.39.218.5 - - [18/Aug/2007:01:34:04 +0100] "GET http://www.ticketmaster.com/event/0D003EDBA68B4FE6 HTTP/1.1" 404 306
www.clickclickclick.com 81.22.184.159 - - [18/Aug/2007:01:34:04 +0100] "GET http://www.clickclickclick.com:80/default.asp HTTP/1.1" 404 298
media.fastclick.net 82.10.190.102 - - [18/Aug/2007:01:34:04 +0100] "GET http://media.fastclick.net/w/get.media?t=s...ame.com&d=f HTTP/1.1" 404 294
209.61.244.75 62.85.45.65 - - [18/Aug/2007:01:34:04 +0100] "GET http://209.61.244.75/cgi/yabb/YaBB.pl HTTP/1.0" 404 293
3ack.com 219.120.50.18 - - [18/Aug/2007:01:34:04 +0100] "GET http://3ack.com/xyz.html HTTP/1.1" 404 280
61.155.87.118 77.70.106.4 - - [18/Aug/2007:01:34:05 +0100] "POST http://61.155.87.118:80/news/ HTTP/1.0" 404 282
azsx.biz 66.232.125.253 - - [18/Aug/2007:01:34:05 +0100] "POST http://azsx.biz/zx/proxy.php HTTP/1.1" 404 284
ulinkjs.tom.com 124.234.66.134 - - [18/Aug/2007:01:34:05 +0100] "GET http://ulinkjs.tom.com/ulink_110.js HTTP/1.0" 404 291
rs146l3.rapidshare.com 24.186.136.239 - - [18/Aug/2007:01:34:05 +0100] "GET http://rs146l3.rapidshare.com/cgi-bin/uplo...371436&r=56 HTTP/1.1" 404 306
www.ticketmaster.com 208.177.78.5 - - [18/Aug/2007:01:34:05 +0100] "GET http://www.ticketmaster.com/event/00003E9AFA4F51AE HTTP/1.1" 404 306
www.filmfestivals.ru 195.244.128.217 - - [18/Aug/2007:01:34:05 +0100] "GET http://www.filmfestivals.ru/forums/index.php HTTP/1.0" 404 300
garage.lib.net 66.199.248.234 - - [18/Aug/2007:01:34:05 +0100] "POST http://garage.lib.net/kougen/cgi-script/qwertyuzxdrtyui.cgi HTTP/1.1" 404 315
82.146.53.175 82.146.53.175 - - [18/Aug/2007:01:34:05 +0100] "POST http://82.146.53.175/proxy/tools/info.php HTTP/1.1" 404 297
rs208.rapidshare.com 217.26.84.83 - - [18/Aug/2007:01:34:05 +0100] "POST http://rs208.rapidshare.com/files/48976620...Danielesoft.rar HTTP/1.0" 404 352
azsx.biz 66.232.125.253 - - [18/Aug/2007:01:34:05 +0100] "POST http://azsx.biz/zx/proxy.php HTTP/1.1" 404 284
www.plov.info 204.15.73.174 - - [18/Aug/2007:01:34:05 +0100] "GET http://www.plov.info/business/guestbook.ph...ew&page=291 HTTP/1.1" 404 299
login.icq.com 210.215.4.157 - - [18/Aug/2007:01:34:05 +0100] "CONNECT login.icq.com:443 HTTP/1.0" 405 305
media.fastclick.net 82.10.190.102 - - [18/Aug/2007:01:34:06 +0100] "GET http://media.fastclick.net/w/get.media?t=s...s.co.uk&d=f HTTP/1.1" 404 294
69.147.113.171 66.244.82.82 - - [18/Aug/2007:01:34:06 +0100] "GET http://69.147.113.171/client/clogin?.redir...gin=storm_angel HTTP/1.0" 404 291
69.147.114.41 66.244.82.82 - - [18/Aug/2007:01:34:06 +0100] "GET http://69.147.114.41/client/clogin?.redir_...n=bernard_storm HTTP/1.0" 404 290
210.150.169.198 61.12.171.216 - - [18/Aug/2007:01:34:06 +0100] "GET http://210.150.169.198/cgi-bin/rank/ranklink.cgi?id=2gsenka HTTP/1.0" 404 304
login.icq.com 72.232.21.210 - - [18/Aug/2007:01:34:06 +0100] "CONNECT login.icq.com:443 HTTP/1.0" 405 305
login.icq.com 72.232.21.210 - - [18/Aug/2007:01:34:06 +0100] "CONNECT login.icq.com:443 HTTP/1.0" 405 305
media.fastclick.net 82.10.190.102 - - [18/Aug/2007:01:34:06 +0100] "GET http://media.fastclick.net/w/get.media?t=s...ily.net&d=f HTTP/1.0" 404 294
azsx.biz 66.232.125.253 - - [18/Aug/2007:01:34:06 +0100] "POST http://azsx.biz/zx/proxy.php HTTP/1.1" 404 284
rs146l3.rapidshare.com 24.186.136.239 - - [18/Aug/2007:01:34:06 +0100] "GET http://rs146l3.rapidshare.com/cgi-bin/uplo...5371436&r=1 HTTP/1.1" 404 306
ulinkjs.tom.com 124.234.93.193 - - [18/Aug/2007:01:34:07 +0100] "GET http://ulinkjs.tom.com/ulink_125.js HTTP/1.0" 404 291
69.147.114.123 203.84.184.162 - - [18/Aug/2007:01:34:07 +0100] "GET http://69.147.114.123/client/clogin?.redir...login=_fractal_ HTTP/1.0" 404 291
www.ticketmaster.com 208.177.78.7 - - [18/Aug/2007:01:34:07 +0100] "GET http://www.ticketmaster.com/event/03003D9DA62DAD22 HTTP/1.1" 404 306
www.plov.info 204.15.73.174 - - [18/Aug/2007:01:34:07 +0100] "GET http://www.plov.info/business/guestbook.ph...ew&page=101 HTTP/1.1" 404 299
www.plov.info 204.15.73.174 - - [18/Aug/2007:01:34:07 +0100] "GET http://www.plov.info/business/guestbook.ph...iew&page=50 HTTP/1.1" 404 299
205.188.179.233 83.167.110.141 - - [18/Aug/2007:01:34:07 +0100] "CONNECT 205.188.179.233:443 HTTP/1.0" 405 307
azsx.biz 66.232.125.253 - - [18/Aug/2007:01:34:07 +0100] "POST http://azsx.biz/zx/proxy.php HTTP/1.1" 404 284
205.188.179.233 83.167.110.141 - - [18/Aug/2007:01:34:07 +0100] "CONNECT 205.188.179.233:443 HTTP/1.0" 405 307
www.xxp-design.ru 195.244.128.217 - - [18/Aug/2007:01:34:07 +0100] "GET http://www.xxp-design.ru/forum/forumpost.asp?ForumId=14 HTTP/1.0" 404 300
www.friendlink.co.jp 77.70.106.4 - - [18/Aug/2007:01:34:07 +0100] "POST http://www.friendlink.co.jp:80/multi2/multi2.cgi HTTP/1.0" 404 301
dealsearch.us 91.124.227.234 - - [18/Aug/2007:01:34:07 +0100] "POST http://dealsearch.us/art/proxy.php HTTP/1.1" 404 290
9bills.com 82.10.190.102 - - [18/Aug/2007:01:34:07 +0100] "GET http://9bills.com/prx.php HTTP/1.1" 404 281
www.maplecity.com 216.255.179.34 - - [18/Aug/2007:01:34:07 +0100] "GET http://www.maplecity.com/homepage/guest1.html HTTP/1.0" 404 301
azsx.biz 66.232.125.253 - - [18/Aug/2007:01:34:07 +0100] "POST http://azsx.biz/zx/proxy.php HTTP/1.1" 404 284
azsx.biz 66.232.125.253 - - [18/Aug/2007:01:34:07 +0100] "POST http://azsx.biz/zx/proxy.php HTTP/1.1" 404 284
3ack.com 219.120.50.18 - - [18/Aug/2007:01:34:07 +0100] "GET http://3ack.com/xyz.html HTTP/1.1" 404 280
baran-eblan.info 66.232.112.80 - - [18/Aug/2007:01:34:07 +0100] "POST http://baran-eblan.info/proxyspamit/CheckProxy.php HTTP/1.0" 404 306
azsx.biz 66.232.125.253 - - [18/Aug/2007:01:34:07 +0100] "POST http://azsx.biz/zx/proxy.php HTTP/1.1" 404 284
dotekabocha.hippy.jp 210.143.155.77 - - [18/Aug/2007:01:34:07 +0100] "GET http://dotekabocha.hippy.jp/access-madam/a...></iframe HTTP/1.0" 404 307
media.fastclick.net 82.10.190.102 - - [18/Aug/2007:01:34:08 +0100] "GET http://media.fastclick.net/w/get.media?t=s...ily.net&d=f HTTP/1.1" 404 294
deepbluerecords.co.uk 62.85.45.65 - - [18/Aug/2007:01:34:08 +0100] "GET http://deepbluerecords.co.uk/forum/index.php HTTP/1.0" 404 300
download.cappackarchive.com 89.83.142.84 - - [18/Aug/2007:01:34:08 +0100] "GET http://download.cappackarchive.com/ HTTP/1.0" 403 5044
coreblog.org 205.234.132.14 - - [18/Aug/2007:01:34:08 +0100] "POST http://coreblog.org/ping/ HTTP/1.0" 404 281
azsx.biz 66.232.125.253 - - [18/Aug/2007:01:34:08 +0100] "POST http://azsx.biz/zx/proxy.php HTTP/1.1" 404 284
azsx.biz 66.232.125.253 - - [18/Aug/2007:01:34:08 +0100] "POST http://azsx.biz/zx/proxy.php HTTP/1.1" 404 284
azsx.biz 66.232.125.253 - - [18/Aug/2007:01:34:08 +0100] "POST http://azsx.biz/zx/proxy.php HTTP/1.1" 404 284
azsx.biz 66.232.125.253 - - [18/Aug/2007:01:34:08 +0100] "POST http://azsx.biz/zx/proxy.php HTTP/1.1" 404 284
popunder.adsrevenue.net 82.10.190.102 - - [18/Aug/2007:01:34:08 +0100] "GET http://popunder.adsrevenue.net/popup.php?1...blk=1&fc=-1 HTTP/1.1" 404 296
azsx.biz 66.232.125.253 - - [18/Aug/2007:01:34:08 +0100] "POST http://azsx.biz/zx/proxy.php HTTP/1.1" 404 284
azsx.biz 66.232.125.253 - - [18/Aug/2007:01:34:08 +0100] "POST http://azsx.biz/zx/proxy.php HTTP/1.1" 404 284
azsx.biz 66.232.125.253 - - [18/Aug/2007:01:34:08 +0100] "POST http://azsx.biz/zx/proxy.php HTTP/1.1" 404 284
migrants.twblog.net 217.78.189.112 - - [18/Aug/2007:01:34:08 +0100] "GET http://migrants.twblog.net/archives/000514.html HTTP/1.0" 404 303
bbs.51cto.com 77.70.106.4 - - [18/Aug/2007:01:34:08 +0100] "POST http://bbs.51cto.com:80/post.php?action=re...replysubmit=yes HTTP/1.0" 404 285
azsx.biz 66.232.125.253 - - [18/Aug/2007:01:34:08 +0100] "POST http://azsx.biz/zx/proxy.php HTTP/1.1" 404 284
azsx.biz 66.232.125.253 - - [18/Aug/2007:01:34:09 +0100] "POST http://azsx.biz/zx/proxy.php HTTP/1.1" 404 284
3ack.com 219.120.50.18 - - [18/Aug/2007:01:34:09 +0100] "GET http://3ack.com/xyz.html HTTP/1.1" 404 280
azsx.biz 66.232.125.253 - - [18/Aug/2007:01:34:09 +0100] "POST http://azsx.biz/zx/proxy.php HTTP/1.1" 404 284
azsx.biz 66.232.125.253 - - [18/Aug/2007:01:34:09 +0100] "POST http://azsx.biz/zx/proxy.php HTTP/1.1" 404 284
images.google.com 61.81.17.36 - - [18/Aug/2007:01:34:09 +0100] "GET http://images.google.com/ HTTP/1.0" 403 5044
ariel.sagum.net 217.78.189.112 - - [18/Aug/2007:01:34:09 +0100] "GET http://ariel.sagum.net/blog/index.php?p=58 HTTP/1.0" 404 293
www.abcsearch.com 82.10.190.102 - - [18/Aug/2007:01:34:09 +0100] "GET http://www.abcsearch.com/cgi-bin/search/mx...its_Per_Page=10 HTTP/1.0" 404 305
www.maireadnesbitt.com 216.255.179.34 - - [18/Aug/2007:01:34:10 +0100] "GET http://www.maireadnesbitt.com/guestbook/gu...ook.php?act=new HTTP/1.0" 404 309
baran-eblan.info 66.232.112.80 - - [18/Aug/2007:01:34:10 +0100] "POST http://baran-eblan.info/proxyspamit/CheckProxy.php HTTP/1.0" 404 306
popunder.adsrevenue.net 82.10.190.102 - - [18/Aug/2007:01:34:10 +0100] "GET http://popunder.adsrevenue.net/popup.php?1...blk=1&fc=-1 HTTP/1.1" 404 296
89.149.194.208 89.149.194.208 - - [18/Aug/2007:01:34:10 +0100] "POST http://89.149.194.208/proxy/get.php HTTP/1.1" 404 291
www.senderisme.org 77.70.106.4 - - [18/Aug/2007:01:34:10 +0100] "POST http://www.senderisme.org:80/modules.php?n...2d66f0f6637f122 HTTP/1.0" 404 293
media.fastclick.net 82.10.190.102 - - [18/Aug/2007:01:34:10 +0100] "GET http://media.fastclick.net/w/get.media?sid...amp;d=j&t=s HTTP/1.1" 404 294
3ack.com 219.120.50.18 - - [18/Aug/2007:01:34:10 +0100] "GET http://3ack.com/xyz.html HTTP/1.1" 404 280
deepbluerecords.co.uk 62.85.45.65 - - [18/Aug/2007:01:34:10 +0100] "GET http://deepbluerecords.co.uk/forum/index.php HTTP/1.0" 404 300
209.73.169.23 142.167.42.25 - - [18/Aug/2007:01:34:11 +0100] "GET http://209.73.169.23/config/isp_verify_use...nXX&p=river HTTP/1.0" 404 299
media.fastclick.net 82.10.190.102 - - [18/Aug/2007:01:34:11 +0100] "GET http://media.fastclick.net/w/get.media?t=s...s.co.uk&d=f HTTP/1.1" 404 294
members.killergram.com 85.235.235.143 - - [18/Aug/2007:01:34:11 +0100] "GET http://members.killergram.com/ HTTP/1.0" 403 5044
rs146l3.rapidshare.com 24.186.136.239 - - [18/Aug/2007:01:34:11 +0100] "GET http://rs146l3.rapidshare.com/cgi-bin/uplo...5371436&r=6 HTTP/1.1" 404 306
www.google.com 216.98.148.6 - - [18/Aug/2007:01:34:11 +0100] "GET http://www.google.com/search?hl=en&q=map&lr= HTTP/1.1" 404 284
yourlite.info 206.51.228.227 - - [18/Aug/2007:01:34:11 +0100] "POST http://yourlite.info/info.php HTTP/1.1" 404 285
www.miamiboyz.com 72.87.116.233 - - [18/Aug/2007:01:34:11 +0100] "HEAD http://www.miamiboyz.com/members/index.html HTTP/1.1" 404 -
www.miamiboyz.com 72.87.116.233 - - [18/Aug/2007:01:34:12 +0100] "HEAD http://www.miamiboyz.com/members/index.html HTTP/1.1" 404 -
www02.so-net.ne.jp 66.199.248.234 - - [18/Aug/2007:01:34:12 +0100] "POST http://www02.so-net.ne.jp/~c-ookubo/cgi-bin/yokoharumi.cgi HTTP/1.1" 404 314
3ack.com 219.120.50.18 - - [18/Aug/2007:01:34:12 +0100] "GET http://3ack.com/xyz.html HTTP/1.1" 404 280
azsx.biz 66.232.125.253 - - [18/Aug/2007:01:34:12 +0100] "POST http://azsx.biz/zx/proxy.php HTTP/1.1" 404 284
azsx.biz 66.232.125.253 - - [18/Aug/2007:01:34:12 +0100] "POST http://azsx.biz/zx/proxy.php HTTP/1.1" 404 284
216.127.136.213 222.233.52.153 - - [18/Aug/2007:01:34:12 +0100] "CONNECT 216.127.136.213:25 HTTP/1.0" 405 306
205.188.179.233 83.167.110.141 - - [18/Aug/2007:01:34:12 +0100] "CONNECT 205.188.179.233:443 HTTP/1.0" 405 307
205.188.179.233 83.167.110.141 - - [18/Aug/2007:01:34:12 +0100] "CONNECT 205.188.179.233:443 HTTP/1.0" 405 307
azsx.biz 66.232.125.253 - - [18/Aug/2007:01:34:12 +0100] "POST http://azsx.biz/zx/proxy.php HTTP/1.1" 404 284
azsx.biz 66.232.125.253 - - [18/Aug/2007:01:34:12 +0100] "POST http://azsx.biz/zx/proxy.php HTTP/1.1" 404 284
www.brianrobert.com 62.85.45.65 - - [18/Aug/2007:01:34:12 +0100] "GET http://www.brianrobert.com/cgi-bin/advmess...0&ptime=all HTTP/1.0" 404 309
sb.google.com 24.186.136.239 - - [18/Aug/2007:01:34:12 +0100] "GET http://sb.google.com/safebrowsing/update?c...enchash:1:31676 HTTP/1.1" 404 296
azsx.biz 66.232.125.253 - - [18/Aug/2007:01:34:12 +0100] "POST http://azsx.biz/zx/proxy.php HTTP/1.1" 404 284
azsx.biz 66.232.125.253 - - [18/Aug/2007:01:34:12 +0100] "POST http://azsx.biz/zx/proxy.php HTTP/1.1" 404 284
www.xxlfinder.com 91.192.116.23 - - [18/Aug/2007:01:34:12 +0100] "POST http://www.xxlfinder.com/check.php HTTP/1.1" 404 290
www.xxlfinder.com 91.192.116.23 - - [18/Aug/2007:01:34:12 +0100] "POST http://www.xxlfinder.com/check.php HTTP/1.1" 404 290
login.icq.com 210.215.4.157 - - [18/Aug/2007:01:34:13 +0100] "CONNECT login.icq.com:443 HTTP/1.0" 405 305
www.ip2location.com 87.20.103.41 - - [18/Aug/2007:01:34:13 +0100] "GET http://www.ip2location.com/?s=google HTTP/1.1" 403 5044
www.ticketmaster.com 208.177.78.7 - - [18/Aug/2007:01:34:13 +0100] "GET http://www.ticketmaster.com/event/1D003E7B1512D9CB HTTP/1.1" 404 306
azsx.biz 66.232.125.253 - - [18/Aug/2007:01:34:13 +0100] "POST http://azsx.biz/zx/proxy.php HTTP/1.1" 404 284
3ack.com 219.120.50.18 - - [18/Aug/2007:01:34:13 +0100] "GET http://3ack.com/xyz.html HTTP/1.1" 404 280
www.ip2location.com 87.20.103.41 - - [18/Aug/2007:01:34:13 +0100] "GET http://www.ip2location.com/?s=google HTTP/1.1" 403 5044
azsx.biz 66.232.125.253 - - [18/Aug/2007:01:34:13 +0100] "POST http://azsx.biz/zx/proxy.php HTTP/1.1" 404 284
azsx.biz 66.232.125.253 - - [18/Aug/2007:01:34:13 +0100] "POST http://azsx.biz/zx/proxy.php HTTP/1.1" 404 284
webhost1.ly.gov.tw 77.70.106.4 - - [18/Aug/2007:01:34:13 +0100] "POST http://webhost1.ly.gov.tw:80/10610/xoops2/.../newbb/post.php HTTP/1.0" 404 317
azsx.biz 66.232.125.253 - - [18/Aug/2007:01:34:13 +0100] "POST http://azsx.biz/zx/proxy.php HTTP/1.1" 404 284
azsx.biz 66.232.125.253 - - [18/Aug/2007:01:34:13 +0100] "POST http://azsx.biz/zx/proxy.php HTTP/1.1" 404 284
iamalec.net 217.78.189.112 - - [18/Aug/2007:01:34:13 +0100] "GET http://iamalec.net/blog/index.php?op=ViewA...23&blogId=1 HTTP/1.0" 404 289
azsx.biz 66.232.125.253 - - [18/Aug/2007:01:34:14 +0100] "POST http://azsx.biz/zx/proxy.php HTTP/1.1" 404 284
www.ticketmaster.com 66.39.218.5 - - [18/Aug/2007:01:34:14 +0100] "GET http://www.ticketmaster.com/event/09003E7CC9E85DB3 HTTP/1.1" 404 306
azsx.biz 66.232.125.253 - - [18/Aug/2007:01:34:14 +0100] "POST http://azsx.biz/zx/proxy.php HTTP/1.1" 404 284
azsx.biz 66.232.125.253 - - [18/Aug/2007:01:34:14 +0100] "POST http://azsx.biz/zx/proxy.php HTTP/1.1" 404 284
media.fastclick.net 82.10.190.102 - - [18/Aug/2007:01:34:14 +0100] "GET http://media.fastclick.net/w/get.media?t=s...ame.com&d=f HTTP/1.1" 404 294
media.fastclick.net 82.10.190.102 - - [18/Aug/2007:01:34:14 +0100] "GET http://media.fastclick.net/w/get.media?sid...amp;d=j&t=s HTTP/1.1" 404 294
azsx.biz 66.232.125.253 - - [18/Aug/2007:01:34:14 +0100] "POST http://azsx.biz/zx/proxy.php HTTP/1.1" 404 284
azsx.biz 66.232.125.253 - - [18/Aug/2007:01:34:14 +0100] "POST http://azsx.biz/zx/proxy.php HTTP/1.1" 404 284
azsx.biz 66.232.125.253 - - [18/Aug/2007:01:34:14 +0100] "POST http://azsx.biz/zx/proxy.php HTTP/1.1" 404 284
www.xxlfinder.com 91.192.116.23 - - [18/Aug/2007:01:34:14 +0100] "POST http://www.xxlfinder.com/check.php HTTP/1.1" 404 290
www.xxlfinder.com 91.192.116.23 - - [18/Aug/2007:01:34:14 +0100] "POST http://www.xxlfinder.com/check.php HTTP/1.1" 404 290
ww2.ditto.com 60.167.129.32 - - [18/Aug/2007:01:34:14 +0100] "GET http://ww2.ditto.com:80/reddt.php?mc=T%2FI....1%3B+DigExt%29 HTTP/1.1" 404 286
azsx.biz 66.232.125.253 - - [18/Aug/2007:01:34:14 +0100] "POST http://azsx.biz/zx/proxy.php HTTP/1.1" 404 284
65.54.245.40 222.233.52.158 - - [18/Aug/2007:01:34:14 +0100] "CONNECT 65.54.245.40:25 HTTP/1.0" 405 303


Well, that is interesting... And those log entries are making crap requests.  Try a non-standard port, just to make sure it's not something wrong with the server.  See if there's a pattern among the IP addresses in the logs.  Maybe it's a DDoS attack?  Past that, I'm not sure, anyone else?


Yap - seems as if you have some worm or exploit on your server :(

 

See: http://www.ossec.net/en/loganalysis.html

 

Basically, you have the following requests in your access.log:

azsx.biz 66.232.125.253 - - [18/Aug/2007:01:34:14 +0100] "GET http://azsx.biz/zx/proxy.php HTTP/1.1" 404 284

 

It's as if there is a proxy script or some exploit allowing people to use your server as a middle man. I.e. a person from "66.232.125.253" is using your computer to "GET http://azsx.biz/zx/proxy.php".

 

A typical apache request is as follows:

123-255-50-154.net - - [18/Aug/2007:11:40:24 +0100] "GET /mortise_chisel.jpg HTTP/1.1" 200 1027

 

...do you see the differences in the GET string? Typically Apache should *ONLY* be GET or POST to local files, not http://someoneelsesserver.com/files.

 

 

You seem to have it narrowed down to the forum software - so that's good. I would immediately disable and upgrade it to its latest release. You will also have to do a search for any files downloaded onto the server. If you had server monitoring you would have noticed the huge spike in incoming traffic when the exploit first started.

 

Best of luck cleaning out the server.

 

-steve

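A small detector for the pattern steve describes, added here as an example and not code from the thread: it parses lines in the vhost-prefixed Apache log layout shown above, flags any request whose target is an absolute URL or a CONNECT host:port (a forward-proxy attempt rather than a request for a local file), and tallies the source IPs so the main offenders can be picked out for firewall rules. The log lines inside it are constructed samples modelled on the thread's format.

```python
import re
from collections import Counter

# Constructed sample lines in the same "%v %h %l %u %t \"%r\" %>s %b" layout as
# the log posted above; they are not the poster's own log.
SAMPLE_LOG = """\
azsx.biz 66.232.125.253 - - [18/Aug/2007:01:34:14 +0100] "POST http://azsx.biz/zx/proxy.php HTTP/1.1" 404 284
login.icq.com 210.215.4.157 - - [18/Aug/2007:01:34:13 +0100] "CONNECT login.icq.com:443 HTTP/1.0" 405 305
65.54.245.40 222.233.52.158 - - [18/Aug/2007:01:34:14 +0100] "CONNECT 65.54.245.40:25 HTTP/1.0" 405 303
example.org 123.255.50.154 - - [18/Aug/2007:11:40:24 +0100] "GET /mortise_chisel.jpg HTTP/1.1" 200 1027
azsx.biz 66.232.125.253 - - [18/Aug/2007:01:34:14 +0100] "POST http://azsx.biz/zx/proxy.php HTTP/1.1" 404 284
"""

# vhost, client IP, ident, user, [timestamp], "METHOD target PROTO", status, bytes
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)


def parse_line(line):
    """Return the named fields of one log line, or None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_proxy_attempt(rec):
    """A request for a local file has a path target ("/file.jpg").

    An absolute URI ("http://other-host/...") or a CONNECT host:port target is a
    client asking this server to relay traffic as a forward proxy."""
    if rec["method"] == "CONNECT":
        return True
    return rec["target"].lower().startswith(("http://", "https://"))


def scan(log_text):
    """Return (number of proxy-style requests, Counter of client IPs making them,
    list of lines that did not parse)."""
    hits = Counter()
    total = 0
    unparsed = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
            continue
        if is_proxy_attempt(rec):
            total += 1
            hits[rec["client"]] += 1
    return total, hits, unparsed


if __name__ == "__main__":
    total, hits, unparsed = scan(SAMPLE_LOG)
    print(f"{total} proxy-style requests; top sources: {hits.most_common(3)}")
```

The thread's resolution also shows why the forum took the load: Apache serves requests for unknown Host names from the first VirtualHost, so a dedicated catch-all vhost with ProxyRequests Off keeps such traffic away from the real sites.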

OK, I've done a bit of testing and here's what I find:

 

1: If I put a .htaccess file in the forum DIR the spamming continues

2: If I rename the index.php file to indexssss.php the forum is inaccessible but the spamming continues

3: If I rename every sub folder to dirname_BLOCK the spamming continues

4: If I place a .htaccess file in every sub folder of the forum the spamming continues

5: If I rename the forums folder from forum to forum_BLOCK the spamming continues

 

It can't be a forum exploit or loophole in code.

 

It's my domain that's the target, but not the files within that domain. I did have an open proxy server; I received a report from the datacentre about it so took it off. It appears that this has been the cause of whatever is happening, but with it being disabled I can't understand how my server is being used to pass info from users to websites with my server as the middle one.

 

If it's not a proxy server and if it's not bad code then what can it be?

 

Any advice would be great, I'm stuck as hell!


Hmm... I thought when you initially said "when its .htaccess'd its fine".

 

So... somehow you have some webapp installed somewhere that's causing this.

 

Anyways, a few things:

is mod_proxy installed?

are you doing mod_rewrites?

 

Can you disable a particular vhost and see if the spamming continues?

Disabling a folder/file here and there might not do much good.

 

Are there *ANY* traces of that old open proxy server?? That's probably how they tracked down your server in the first place IMO.

 

You need to take more stringent action, directly editing and commenting out sites from apache (httpd.conf).

 

Also, put a few rules into the firewall to block the main offenders. That might slow down the spamming so you can actually see what's going on.

 

G'Luck,

-steve


Resolved now. The issue was that an old proxy I had is listed in some kind of program which people are trying to use.

 

The reason the forum was affected is that it's the first VHOST in my Apache conf.

 

On each request it was requesting the forum DIR, thus generating I/O for MySQL.

 

Thanks for the advice guys!
