marlene

Wow - I was just going through the website logs and saw the below requests. My guess is a hacker's bot scraper. Will it do any good to block the IP address? Is there anything I should do on my end? marlene 72.167.253.108 - - [29/Jun/2011:18:54:17 -0400] "GET /muieblackcat HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:17 -0400] "GET /muieblackcat HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:18 -0400] "GET //scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:18 -0400] "GET //scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:18 -0400] "GET //admin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:18 -0400] "GET //admin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:19 -0400] "GET //admin/pma/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:19 -0400] "GET //admin/pma/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:19 -0400] "GET //admin/phpmyadmin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:19 -0400] "GET //admin/phpmyadmin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:19 -0400] "GET //db/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:19 -0400] "GET //db/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:19 -0400] "GET //dbadmin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:20 -0400] "GET //dbadmin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:20 -0400] "GET //myadmin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:20 -0400] "GET //myadmin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:20 -0400] "GET //mysql/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:20 -0400] "GET //mysqladmin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:20 -0400] "GET //typo3/phpmyadmin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:20 -0400] "GET //mysql/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:21 -0400] "GET //mysqladmin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:21 -0400] "GET //typo3/phpmyadmin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:21 -0400] "GET //phpadmin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:21 -0400] "GET //phpadmin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:21 -0400] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:22 -0400] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:22 -0400] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:22 -0400] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:22 -0400] "GET //phpmyadmin1/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:22 -0400] "GET //phpmyadmin2/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:22 -0400] "GET //phpmyadmin1/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:22 -0400] "GET //pma/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:23 -0400] "GET //phpmyadmin2/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:23 -0400] "GET //pma/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:23 -0400] "GET //web/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:23 -0400] "GET //xampp/phpmyadmin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:23 -0400] "GET //web/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:23 -0400] "GET //web/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:23 -0400] "GET //xampp/phpmyadmin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:23 -0400] "GET //web/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:24 -0400] "GET //php-my-admin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:24 -0400] "GET //php-my-admin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:25 -0400] "GET //websql/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:25 -0400] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:26 -0400] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:26 -0400] "GET //phpMyAdmin-2/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:26 -0400] "GET //php-my-admin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:26 -0400] "GET //sqlmanager/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:26 -0400] "GET //mysqlmanager/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:27 -0400] "GET //p/m/a/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:27 -0400] "GET //PMA2005/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:27 -0400] "GET //pma2005/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:27 -0400] "GET //phpmanager/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:27 -0400] "GET //php-myadmin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:28 -0400] "GET //phpmy-admin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:28 -0400] "GET //webadmin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:28 -0400] "GET //sqlweb/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:28 -0400] "GET //websql/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:28 -0400] "GET //webdb/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:29 -0400] "GET //mysqladmin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:29 -0400] "GET //mysql-admin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:29 -0400] "GET //databaseadmin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:29 -0400] "GET //websql/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:30 -0400] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:31 -0400] "GET //admm/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:31 -0400] "GET //admn/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:31 -0400] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:31 -0400] "GET //phpMyAdmin-2/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:31 -0400] "GET //php-my-admin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:32 -0400] "GET //sqlmanager/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:37 -0400] "GET //mysqlmanager/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:37 -0400] "GET //p/m/a/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:38 -0400] "GET //PMA2005/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:38 -0400] "GET //pma2005/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:38 -0400] "GET //phpmanager/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:39 -0400] "GET //php-myadmin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:40 -0400] "GET //phpmy-admin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:40 -0400] "GET //webadmin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:40 -0400] "GET //sqlweb/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:45 -0400] "GET //websql/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:46 -0400] "GET //webdb/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:47 -0400] "GET //mysqladmin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:47 -0400] "GET //mysql-admin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:47 -0400] "GET //databaseadmin/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:48 -0400] "GET //admm/scripts/setup.php HTTP/1.1" 404 - "-" "-" 72.167.253.108 - - [29/Jun/2011:18:54:48 -0400] "GET //admn/scripts/setup.php HTTP/1.1" 404 - "-" "-"

I spoke with a tech via live chat. I was told the same thing....can't be done. Would it do any good to open a ticket?

Well that is extremely disappointing. As a domain owner, I think I should have the capability of controlling what the users can and cannot do. I especially don't want email passwords changed without prior authorization.

I would like to prevent unauthorized webmail users from having some/all the options available to them when logging into their webmail account such as; Change Password, Forwarding Options, Auto Responders, ConfigureMail Client, Email Delivery Route, Email Filtering. How do I disable these options for certain email accounts for my domain? marlene

Thank you for your quick response and informative answer. marlene

I have denied a specific IP address via the IP Deny feature in Cpanel to prevent unauthorized access to a particular webmail account. The unauthorized user has the current email account password. Changing the password is not an option at this time as it is being used at a different IP location and I would open a can of worms if the password was changed. The denied IP is still able to access webmail apparently, as I see the IP in my logs as getting a 200 served up for the webmail. At least it appears as though it is getting into the webmail because the log entry looks the same as the other users accessing the webmail. Does the IP Deny in Cpanel deny IP access to webmail? If not, have I no other option than to change the password? marlene

Oh...thanks so much for checking all this out. I did assign passwords that I feel are secure, but maybe I should reassign them, just in case. I have banned the IP, so I will wait to see if an employee complains about not getting into webmail. However, when instructing the employees on how to access the webmail in the first place, I didn't mention anything about this "magic" thing because I had no knowledge of it. Thanks again. You guys are great. marlene

I agree with banning the IP. Are you familiar with the cpanel reference? cPanel_magic_revision_1187248694/webmail/x3/branding/favicon.ico I only see it when the suspect IP hits the site. marlene

I downloaded my log thus far for December and noted again that someone at the IP address of: 99.129.232.64 OrgName: AT&T Internet Services OrgID: SIS-80 Address: 2701 N. Central Expwy # 2205.15 City: Richardson StateProv: TX PostalCode: 75080 Country: US has been trying to get into the webmail of my employer's website in a manner that serves a 404 error. The attempt is made every day and yesterday there were 10 attempts within four minutes. All have served 404 errors except one. The entries are almost always like the first example below and are usually in the evening hours, but the second example is slightly different (underlined difference): 99.129.232.64 - - [01/Dec/2009:19:34:02 -0500] "GET /cPanel_magic_revision_1187248694/webmail/x3/branding/favicon.ico HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; GoogleToolbar 6.2.1910.1554; Windows 6.0; MSIE 8.0.6001.18828)" 99.129.232.64 - - [03/Dec/2009:21:36:41 -0500] "GET /cPanel_magic_revision_1187248694/webmail/x3/branding/favicon.ico HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; GoogleToolbar 6.3.1106.427; Windows 6.0; MSIE 8.0.6001.18828)" This is the first time I saw this entry for the IP and looks like it got somewhere (served up a 200): 99.129.232.64 - - [02/Dec/2009:19:44:45 -0500] "GET /webmail HTTP/1.1" 200 5064 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30729)" The corresponding entry in the AWstats for the 3rd example: 99-129-232-64.lightspeed.milwwi.sbcglobal.net (pages)1 (hits)1 4.95 KB 02 Dec 2009 - 19:44 We have employees that use webmail and I see their entries all the time and there is never this "cpanel_magic_revision" text in their entries. This IP and it's resulting 404 errors are constantly in my log files. I have received no complaints from the employees regarding not being able to access webmail. Is this a hack attempt into the webmail? Is this something to worry about? Is there something I need to do besides banning the IP? I am not well educated on how to read user agents and such so I don't understand any of that in the log entry. The reason I am a bit paranoid about hacks into the emails is because due to the nature of the business, frequently sensitive information is contained in the messages. Thanks for any assistance given. marlene

Oh! Well, that shouldn't be too hard then. Thanks very much! marlene

Thank you, Bruce. I did not create any error pages. I did try to do that through the cpanel error pages feature, but it was a little over my head. I will have to do some studying and learn how to do that. marlene

Thank you for your response, Carl. I just submitted a ticket and will await a response. marlene

I think it was last week...my site was down with a HTTP Error 500 - Internal server error. I submitted a help ticket and my site was up after a bit, but no explanation for the error as I had requested. I now have an .htaccess file that is new and has nearly nothing in it; where as I had many lines of code in my two other ones, which are still in my cpanel and have been renamed by the tech support, also with no explanation. Those files have all the rewrite rules, robots.txt files, allows and denys, etc. This is all that is in my .htaccess file now: <Files 403.shtml> order allow,deny allow from all </Files> deny from 92.0.0.0/8 deny from 38.105.83.11

While adding an IP deny in cpanel, I saw that all the IP's I had previously denied are no longer listed. I am guessing that they were deleted, but not by me. Looks like I'll have to start over, losing abt 1 1/2 years worth of IP denying. Any idea what happened? marlene

My site has some very basic php includes for navigation, footer and so forth. I have an extremely limited understanding of php scripting; so limited that I'm not even sure if the includes I use are considered a script. This: <?php include("/includes/topmenu.txt"); ?> is an example of the "script". Today I noted two entries in my error log: [Wed Aug 05 20:19:34 2009] [error] [client 38.105.83.11] File does not exist: /home/***my user name***/public_html/404.shtml, referer: http://www.talithagems.com/sitemap.php'>http://www.talithagems.com/sitemap.php [Wed Aug 05 20:19:34 2009] [error] [client 38.105.83.11] script '/home/***my user name***/public_html/pendants/silver/turq_cab.php' not found or unable to stat, referer: http://www.talithagems.com/sitemap.php[/size] An ARIN check on the IP address reveals: OrgName: PSINet, Inc. OrgID: PSI Address: 1015 31st St NW City: Washington StateProv: DC PostalCode: 20007 Country: US The first entry doesn't concern me so much as I have seen these types of errors before even though I have no shtml pages. It's the 2nd entry that is more than puzzling. The page requested was missing from my site and I have since re-uploaded it, so the error served was correct. It's the script' part I am wondering about. Is this a normal consequence of a 404 error? Any help is greatly appreciated! marlene