Etanisla Posted May 13, 2004 Reading through the overnight access logs, I found this entry:
> 200-158-70-148.dsl.telesp.net.br - - [13/May/2004:08:42:53 -0500] "POST /admin.php?op=AddAuthor&add_aid=kiegera&add_name=Goda&add_pwd=playboya&add_email=r00t_System@hush.com&add_radminsuper=1&admin=eCcgVU5JT04gU0VMRUNUIDEvKjox HTTP/1.0" 404 - "-" "Mozilla 4.0 (Linux)"
There were no other entries from that address. Only that POST attempt. Read through the line carefully, you will see that this person attempted to add himself to the author list as a 'super admin' with full powers over the site. Doing a quick google of 'kiegera' and 'r00t_System@hush.com' turned up 6 pages of sites that had been defaced by Kiegera. I've since put 200.158.70.148 on my 'deny from' list in .htaccess. Check your logs.
MikeJ Posted May 13, 2004 That's an attempt to use one of PHP-Nuke's various vulnerabilities. I generally would recommend against using PHP-Nuke, but if you must use it, you can get a slight bit more of immediate security by modifying the version that cPanel installs using a fix posted here. You would be best served, though, to manually upgrade to the latest (ver 7.3 currently). PHP-Nuke versions through 7.2 are known to have multiple vulnerabilities. If you don't use PHP-Nuke, then you don't have to worry about requests like above.
TCH-Dick Posted May 13, 2004 I would also take a look at Protector and Admin Secure. I use Admin Secure; it can be set up to auto-block IPs that someone tries any of the common phpnuke hacks from, and send you an e-mail letting you know.
Etanisla Posted May 13, 2004 Author I don't use PHP-Nuke. (I'm not even sure if it is a portal software, news management, or some hybrid thereof). The only scripts (or script-like) I have going is the chat offered through cpanel, and WordPress for my blog. And the chat page is about to be removed for lack of use! Thank you for jumping on this so quickly. P.S. The bugger just tried 'POST' again! Five more entries. All 403'd. Ahh, what a lovely number, 403.
kaseytraeger Posted May 13, 2004 OK, so this is a very newbie question... How did you look up those stats to find that there was an attempted break-in? I know it's in cPanel, but where in cPanel are the access logs?
TCH-Don Posted May 13, 2004 You can look at your error page to see what has come up missing.
Etanisla Posted May 13, 2004 Author @kaseytraeger: If your cpanel is set up the same way as mine (and I'm sure it is), you can find the raw logs at the "Raw Access Logs" icon, and a quick rundown of the last 300 visitors by clicking on "Web/FTP Stats", then on "Latest Visitors". What I do is click on the "Latest Visitors" to get a basic idea of who's looking, and then if I see an interesting IP or referral, open the raw log to get the details. Makes for interesting traffic analysis...
kaseytraeger Posted May 13, 2004 You can look at your error page to see what has come up missing. Don, Here's a look at what I had in my error log. Does this mean that I need to create the files listed? (e.g., 404.shtml, favicon.ico ...)
[Thu May 13 18:08:53 2004] [error] [client 134.79.82.61] File does not exist: /home/pudgy/public_html/doggydiaries/404.shtml
[Thu May 13 18:08:53 2004] [error] [client 134.79.82.61] File does not exist: /home/pudgy/public_html/doggydiaries/favicon.ico
[Thu May 13 16:36:11 2004] [error] [client 134.79.82.61] File does not exist: /home/pudgy/public_html/404.shtml
[Thu May 13 16:36:11 2004] [error] [client 134.79.82.61] File does not exist: /home/pudgy/public_html/favicon.ico
[Thu May 13 13:21:09 2004] [error] [client 134.79.82.61] File does not exist: /home/pudgy/public_html/404.shtml
[Thu May 13 13:21:09 2004] [error] [client 134.79.82.61] File does not exist: /home/pudgy/public_html/favicon.ico
[Thu May 13 12:11:53 2004] [error] [client 64.242.88.10] File does not exist: /home/pudgy/public_html/404.shtml
[Thu May 13 12:11:53 2004] [error] [client 64.242.88.10] File does not exist: /home/pudgy/public_html/robots.txt
I've already uploaded my old robots.txt file. Guess I forgot to do that when I last had tech support scrub my web space due to some problems I was having. So that one shouldn't pose a problem anymore (at least, that's what I'm hoping!) Also, am I correct in my assumption that these error log messages are generated when someone is specifically looking for that particular page and can't find it?
kaseytraeger Posted May 13, 2004 Etanisla, Thanks for the info. I'll have to do as you described and check my logs when I have a few moments to sit down and digest them. I think I remember seeing something about Raw Log under my STATS in cPanel, but when I clicked it, it wanted to create a tarball for me. I cancelled that request because I didn't know what I was doing...
Etanisla Posted May 13, 2004 Author That tarball is the compressed file. Save it to your favorite location, and extract it with your favorite utility. (I use WinRAR to extract .gz files on my WinXP box; my Linux box can handle it without extra help.) The resulting text file is the current month's info. New entries are at the bottom. Each line contains info in this order: [IP address] - - [Date Time Timezone-correction] [process] [browser compliance] [result code] [referrer, if any] [type of browser or user agent] If you suspect something, or are generally nosy like me, you can run a google search with some of these items. Sometimes the results are really surprising. HTH! Etanisla
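As an added example (not code from the original thread or from any of the tools mentioned in it), the script below does by machine what Etanisla did by eye in the opening post, and it documents the field order of the raw log described just above. The raw cPanel log is Apache's "combined" format: client (a hostname when HostnameLookups is on, as in the opening post, otherwise an IP address), identd result, authenticated user, [timestamp], "method target protocol", status code, bytes sent, "referer", "user agent". The script parses each line, flags a POST to admin.php with op=AddAuthor and add_radminsuper=1, and base64-decodes every query parameter: the admin= value in the logged request decodes to x' UNION SELECT 1/*:1, so the single request combined an attempt to create a super-admin author with a SQL injection in the admin credential. It also prints Apache 2.2 style "deny from" lines for the flagged clients. The first sample line is the request from the opening post; the other two lines, the example.com names and 192.0.2.x addresses are constructed for the example.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" log format:
#   client ident user [time] "method target protocol" status bytes "referer" "agent"
# client is a hostname if HostnameLookups is on, otherwise an IP address.
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<protocol>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Enough to catch the decoded payload seen in the thread; not a general SQLi detector.
SQLI_RE = re.compile(r"'|\bunion\s+select\b|/\*|--", re.IGNORECASE)

# Constructed sample log: line 1 is the request quoted in the opening post,
# lines 2 and 3 are made-up benign traffic (example.com, 192.0.2.x are placeholders).
SAMPLE_LOG = """\
200-158-70-148.dsl.telesp.net.br - - [13/May/2004:08:42:53 -0500] "POST /admin.php?op=AddAuthor&add_aid=kiegera&add_name=Goda&add_pwd=playboya&add_email=r00t_System@hush.com&add_radminsuper=1&admin=eCcgVU5JT04gU0VMRUNUIDEvKjox HTTP/1.0" 404 - "-" "Mozilla 4.0 (Linux)"
192.0.2.10 - - [13/May/2004:09:01:12 -0500] "GET /blog/ HTTP/1.1" 200 5120 "http://www.example.com/" "Mozilla/5.0 (X11; Linux i686)"
192.0.2.11 - - [13/May/2004:09:03:40 -0500] "POST /blog/wp-comments-post.php HTTP/1.1" 302 0 "http://www.example.com/blog/?p=7" "Mozilla/5.0 (Windows NT 5.1)"
"""


def parse_line(line):
    """Split one combined-format line into a dict; return None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = dict(parse_qsl(parts.query, keep_blank_values=True))
    return rec


def decode_base64(value):
    """Return the decoded text if value is strict base64 for printable UTF-8, else None."""
    if not value:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def assess(rec):
    """Return the reasons a parsed request looks like a PHP-Nuke admin takeover attempt."""
    reasons = []
    p = rec["params"]
    if rec["path"].endswith("/admin.php") and p.get("op") == "AddAuthor":
        reasons.append("admin.php op=AddAuthor: attempt to create an author account")
        if p.get("add_radminsuper") == "1":
            reasons.append("add_radminsuper=1: super-admin rights requested")
    for name, value in p.items():
        decoded = decode_base64(value)
        if decoded and SQLI_RE.search(decoded):
            reasons.append(f"parameter {name} base64-decodes to SQL injection payload: {decoded!r}")
    return reasons


def scan(lines):
    """Run assess() over log lines; keep only the requests that triggered a reason."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = assess(rec)
        if reasons:
            findings.append({"client": rec["client"], "time": rec["time"],
                             "status": rec["status"], "reasons": reasons})
    return findings


def htaccess_deny(findings):
    """Render one Apache 2.2 'deny from' line per flagged client (hostname or IP as logged)."""
    return "\n".join(f"deny from {c}" for c in sorted({f["client"] for f in findings}))


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f["time"], f["client"], "status", f["status"])
        for r in f["reasons"]:
            print("  -", r)
    print(htaccess_deny(hits))
```

Two things to read off the result: the 404 status on the flagged line is Apache saying /admin.php does not exist, which is why the request was harmless on a site without PHP-Nuke; and the client field is a hostname, not an address. Apache's "Deny from" does accept a hostname, but it then performs a double reverse DNS lookup on every request to match it, so Etanisla's choice of writing the dotted-quad address into .htaccess is the better one.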
Deverill Posted May 14, 2004 Does this mean that I need to create the files listed? (e.g., 404.shtml, favicon.ico ...) Also, am I correct in my assumption that these error log messages are generated when someone is specifically looking for that particular page and can't find it? You don't have to create those files. The favicon is the little icon in the address bar of your browser when you go to certain sites and the 404.shtml is what visitors see when they look for a page that's not there. I would recommend a 404 page just to look professional if they follow a bad link or type something wrong. Anytime someone goes to your site the favicon is looked for so the browser can display it if found, and I think the 404 is too but I'm not sure about that one. It does not mean necessarily that folks are looking for those particular pages.
annie Posted May 14, 2004 Firefox uncompresses the gzipped raw files on the fly, for some reason.