Attempted Site Break In


Etanisla

Reading through the overnight access logs, I found this entry:

>200-158-70-148.dsl.telesp.net.br - - [13/May/2004:08:42:53 -0500] "POST /admin.php?op=AddAuthor&add_aid=kiegera&add_name=Goda&add_pwd=playboya&add_email=r00t_System@hush.com&add_radminsuper=1&admin=eCcgVU5JT04gU0VMRUNUIDEvKjox HTTP/1.0" 404 - "-" "Mozilla 4.0 (Linux)"

There were no other entries from that address. Only that POST attempt.

Read through the line carefully and you will see that this person attempted to add himself to the author list as a 'super admin' with full powers over the site.

Doing a quick Google of 'kiegera' and 'r00t_System@hush.com' turned up 6 pages of sites that had been defaced by Kiegera.

I've since put 200.158.70.148 on my 'deny from' list in .htaccess.

Check your logs.

That's an attempt to use one of PHP-Nuke's various vulnerabilities. I generally would recommend against using PHP-Nuke, but if you must use it, you can get a slight bit more immediate security by modifying the version that cPanel installs using a fix posted here.

You would be best served, though, to manually upgrade to the latest (ver 7.3 currently). PHP-Nuke versions through 7.2 are known to have multiple vulnerabilities.

If you don't use PHP-Nuke, then you don't have to worry about requests like the above. :)

I don't use PHP-Nuke. (I'm not even sure if it is portal software, news management, or some hybrid thereof.)

The only scripts (or script-like things) I have going are the chat offered through cPanel, and WordPress for my blog. And the chat page is about to be removed for lack of use :)!

Thank you for jumping on this so quickly.

P.S. The bugger just tried 'POST' again! Five more entries. All 403'd. Ahh, what a lovely number, 403.

OK, so this is a very newbie question...

How did you look up those stats to find that there was an attempted break-in? I know it's in cPanel, but where in cPanel are the access logs?

@kaseytraeger: If your cPanel is set up the same way as mine (and I'm sure it is), you can find the raw logs at the "Raw Access Logs" icon, and a quick rundown of the last 300 visitors by clicking on "Web/FTP Stats", then on "Latest Visitors".

What I do is click on "Latest Visitors" to get a basic idea of who's looking, and then if I see an interesting IP or referral, open the raw log to get the details.

Makes for interesting traffic analysis...

You can look at your error page to see what has come up missing.

Don,

Here's a look at what I had in my error log. Does this mean that I need to create the files listed? (e.g., 404.shtml, favicon.ico ...)

[Thu May 13 18:08:53 2004] [error] [client 134.79.82.61] File does not exist: /home/pudgy/public_html/doggydiaries/404.shtml
[Thu May 13 18:08:53 2004] [error] [client 134.79.82.61] File does not exist: /home/pudgy/public_html/doggydiaries/favicon.ico
[Thu May 13 16:36:11 2004] [error] [client 134.79.82.61] File does not exist: /home/pudgy/public_html/404.shtml
[Thu May 13 16:36:11 2004] [error] [client 134.79.82.61] File does not exist: /home/pudgy/public_html/favicon.ico
[Thu May 13 13:21:09 2004] [error] [client 134.79.82.61] File does not exist: /home/pudgy/public_html/404.shtml
[Thu May 13 13:21:09 2004] [error] [client 134.79.82.61] File does not exist: /home/pudgy/public_html/favicon.ico
[Thu May 13 12:11:53 2004] [error] [client 64.242.88.10] File does not exist: /home/pudgy/public_html/404.shtml
[Thu May 13 12:11:53 2004] [error] [client 64.242.88.10] File does not exist: /home/pudgy/public_html/robots.txt

I've already uploaded my old robots.txt file. Guess I forgot to do that when I last had tech support scrub my web space due to some problems I was having. So that one shouldn't pose a problem anymore (at least, that's what I'm hoping!)

Also, am I correct in my assumption that these error log messages are generated when someone is specifically looking for that particular page and can't find it?

Etanisla,

Thanks for the info. I'll have to do as you described and check my logs when I have a few moments to sit down and digest them. I think I remember seeing something about Raw Log under my STATS in cPanel, but when I clicked it, it wanted to create a tarball for me. I cancelled that request because I didn't know what I was doing...

That tarball is the compressed file. Save it to your favorite location, and extract it with your favorite utility. (I use WinRAR to extract .gz files on my WinXP box; my Linux box can handle it without extra help.)

The resulting text file is the current month's info. New entries are at the bottom.

Each line contains info in this order:

[IP address] - - [Date Time Timezone-correction] [process] [browser compliance] [result code] [referrer, if any] [type of browser or user agent]

If you suspect something, or are generally nosy like me, you can run a Google search with some of these items. Sometimes the results are really surprising.

HTH!

Etanisla

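As an added example (not code from anyone in this thread), here is a small Python script that parses the field order Etanisla describes above (it is Apache's "combined" log format) and then applies the check from the first post to the quoted line: a POST to admin.php asking for AddAuthor with add_radminsuper=1. The `admin` value in that line is base64, and decoding it (which the script does) shows it carries an SQL fragment, so a plain string match on the raw query would miss the most telling part. The second log line is a constructed ordinary GET so the filter has something to ignore; the regex, function names and the SQL-hint pattern are my choices, not anything from cPanel or PHP-Nuke.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" access log, the field order described in the thread:
# host ident user [time] "method target protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log: the line quoted in the first post (leading ">" dropped)
# plus one made-up, harmless GET request.
SAMPLE_LOG = [
    '200-158-70-148.dsl.telesp.net.br - - [13/May/2004:08:42:53 -0500] '
    '"POST /admin.php?op=AddAuthor&add_aid=kiegera&add_name=Goda&add_pwd=playboya'
    '&add_email=r00t_System@hush.com&add_radminsuper=1&admin=eCcgVU5JT04gU0VMRUNUIDEvKjox '
    'HTTP/1.0" 404 - "-" "Mozilla 4.0 (Linux)"',
    '192.0.2.10 - - [13/May/2004:09:15:02 -0500] "GET /index.html HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0 (constructed sample)"',
]


def parse_line(line):
    """Split one combined-format line into a dict; None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # keep the first value of each query parameter
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def decode_b64_param(value):
    """Decode a base64 query value to text; None if it is not valid base64/UTF-8."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


# SQL fragments that have no business inside a base64-wrapped admin parameter.
SQL_HINT_RE = re.compile(r"(?i)\b(union|select)\b|'|/\*")


def find_admin_probes(lines):
    """Return (host, status, reasons) for lines that look like the AddAuthor abuse."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["method"] == "POST" and rec["path"].endswith("/admin.php"):
            q = rec["query"]
            if q.get("op") == "AddAuthor":
                reasons.append("AddAuthor operation sent to admin.php")
            if q.get("add_radminsuper") == "1":
                reasons.append("asks for the super-admin flag")
            decoded = decode_b64_param(q.get("admin", ""))
            if decoded and SQL_HINT_RE.search(decoded):
                reasons.append("admin parameter decodes to SQL: %r" % decoded)
        if reasons:
            hits.append((rec["host"], rec["status"], reasons))
    return hits


if __name__ == "__main__":
    for host, status, reasons in find_admin_probes(SAMPLE_LOG):
        print(host, status)
        for reason in reasons:
            print("  -", reason)
```

Feed it the extracted raw log instead of `SAMPLE_LOG` to run the same check over a whole month. Note that the status code is kept in the output on purpose: a 404 (as here) or 403 (after the .htaccess deny) tells you the request failed, while a 200 on a line like this would be the one to worry about.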
Does this mean that I need to create the files listed? (e.g., 404.shtml, favicon.ico ...)

Also, am I correct in my assumption that these error log messages are generated when someone is specifically looking for that particular page and can't find it?

You don't have to create those files. The favicon is the little icon in the address bar of your browser when you go to certain sites, and the 404.shtml is what visitors see when they look for a page that's not there.

I would recommend a 404 page just to look professional if they follow a bad link or type something wrong.

Anytime someone goes to your site the favicon is looked for so the browser can display it if found, and I think the 404 is too, but I'm not sure about that one. It does not necessarily mean that folks are looking for those particular pages.

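To turn Don's answer into something you can run over an error log, here is an added Python example (mine, not from anyone in the thread). It parses the Apache error log lines kaseytraeger posted and sorts each client's "File does not exist" entries into two buckets: files that browsers, crawlers and the server itself fetch on their own (favicon.ico, robots.txt, and the 404.shtml error page, as Don explains), and anything else, which is what actually deserves a look. The last sample line, a missing admin.php requested from 198.51.100.7, is constructed to show the second bucket; the set of "automatic" file names is my assumption, not a cPanel setting.

```python
import re
from collections import defaultdict

# Apache 1.3/2.0 error log line as cPanel showed it in the thread:
# [day mon dd hh:mm:ss yyyy] [level] [client ip] message
# \s* between the first two brackets tolerates the missing space in the pasted copy.
ERROR_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\]\s*\[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] (?P<msg>.*)$'
)
MISSING_RE = re.compile(r'^File does not exist: (?P<path>\S+)$')

# Files requested without any visitor typing them (assumption: browser favicon,
# crawler robots.txt, and cPanel's default 404 error page). A missing one is noise.
AUTOMATIC_FILES = {"favicon.ico", "robots.txt", "404.shtml"}

# Constructed sample: the lines from the thread plus one made-up line for a
# missing admin.php, so the "review" bucket is not empty.
SAMPLE_ERROR_LOG = """\
[Thu May 13 18:08:53 2004] [error] [client 134.79.82.61] File does not exist: /home/pudgy/public_html/doggydiaries/404.shtml
[Thu May 13 18:08:53 2004] [error] [client 134.79.82.61] File does not exist: /home/pudgy/public_html/doggydiaries/favicon.ico
[Thu May 13 16:36:11 2004] [error] [client 134.79.82.61] File does not exist: /home/pudgy/public_html/404.shtml
[Thu May 13 16:36:11 2004] [error] [client 134.79.82.61] File does not exist: /home/pudgy/public_html/favicon.ico
[Thu May 13 12:11:53 2004] [error] [client 64.242.88.10] File does not exist: /home/pudgy/public_html/404.shtml
[Thu May 13 12:11:53 2004] [error] [client 64.242.88.10] File does not exist: /home/pudgy/public_html/robots.txt
[Thu May 13 19:40:07 2004] [error] [client 198.51.100.7] File does not exist: /home/pudgy/public_html/admin.php
"""


def parse_error_line(line):
    """Return the fields of one error log line, or None if it does not match."""
    m = ERROR_RE.match(line.strip())
    return m.groupdict() if m else None


def triage_missing_files(text):
    """Group 'File does not exist' errors per client into noise vs. entries to review."""
    report = defaultdict(lambda: {"noise": [], "review": []})
    for line in text.splitlines():
        rec = parse_error_line(line)
        if rec is None:
            continue
        mm = MISSING_RE.match(rec["msg"])
        if mm is None:
            continue  # some other error type; not handled here
        path = mm.group("path")
        name = path.rsplit("/", 1)[-1]
        bucket = "noise" if name in AUTOMATIC_FILES else "review"
        report[rec["client"]][bucket].append(path)
    return dict(report)


if __name__ == "__main__":
    for client, buckets in triage_missing_files(SAMPLE_ERROR_LOG).items():
        print(client, "noise:", len(buckets["noise"]), "review:", buckets["review"])
```

Run against a real error log, the "review" list is the short one worth reading by hand; the "noise" counts can still be useful, since a client that trips dozens of 404.shtml entries in a minute is scanning for something even if every individual file name looks innocent.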