Hacking Attempt?

[Pony99CA 0]

I occasionally see a bunch of errors in my error log as shown below:

 

[sun Sep 26 12:15:20 2004][error] [client 63.148.99.234] File does not exist: /home/pocketpc/public_html/service/forums/questionanswer.do

[sun Sep 26 12:15:20 2004] [error] [client 63.148.99.234] File does not exist: /home/pocketpc/public_html/service/forums/memberList.do

[sun Sep 26 12:15:20 2004] [error] [client 63.148.99.234] File does not exist: /home/pocketpc/public_html/service/forums/helptips.do

[sun Sep 26 12:15:19 2004] [error] [client 63.148.99.234] File does not exist: /home/pocketpc/public_html/service/forums/stopnotify.do

[sun Sep 26 12:15:19 2004] [error] [client 63.148.99.234] File does not exist: /home/pocketpc/public_html/service/forums/postanswer.do

[sun Sep 26 12:15:18 2004] [error] [client 63.148.99.234] File does not exist: /home/pocketpc/public_html/service/forums/setFavorites.do

[sun Sep 26 12:15:18 2004] [error] [client 63.148.99.234] File does not exist: /home/pocketpc/public_html/service/forums/publicProfile.do

[sun Sep 26 12:15:17 2004] [error] [client 63.148.99.234] File does not exist: /home/pocketpc/public_html/service/forums/

[sun Sep 26 12:13:57 2004] [error] [client 63.148.99.234] File does not exist: /home/pocketpc/public_html/service/forums/home.do

[sun Sep 26 12:11:54 2004] [error] [client 63.148.99.234] File does not exist: /home/pocketpc/public_html/mailto:comments@svpocketpc.co&

 

I don't even have a service directory in my public_html directory, so this isn't somebody using a broken link somewhere. (I don't even know what .do files are.)

 

Is somebody scanning the network looking for vulnerabilities? If so, should I ban that IP address to avoid bandwidth usage?

 

Steve

[TCH-Dick 25]

Those errors are being caused by the page you have from HP.com

http://www.svpocketpc.com/HP_Thread.html

Since they use relative links they page you posted a copy of is treating them like internal links. I would edit that page to reflect the original location or remove the links.

 

also I sent you a PM about something that might be of interest to you

[Pony99CA 0]

Those errors are being caused by the page you have from HP.com

http://www.svpocketpc.com/HP_Thread.html

Since they use relative links they page you posted a copy of is treating them like internal links. I would edit that page to reflect the original location or remove the links.

Ah, that makes sense. I had fixed the obvious links (graphics), but didn't think to look for other links.

 

Did you just search my pages for the ".do" links to find what page had the error? I had searched on the mailto link in the local copy of my site, but didn't get any hits. As I didn't realize I had any .do links, I didn't try searching for them.

 

Thanks for the heads up. Thumbs Up

 

Steve

[TCH-Dick 25]

I tried searching for the ".do" links but found nothing. Then I searched for them on Google and seen all the references to HP, so I searched your site for "HP" and there it was.

[Pony99CA 0]

I just saw these errors in my log:

 

[Mon Sep 27 06:55:32 2004][error] [client 81.138.10.219] script not found or unable to stat: /home/pocketpc/public_html/cgi-bin/formmail

[Mon Sep 27 06:55:19 2004] [error] [client 207.250.10.170] File does not exist: /home/pocketpc/public_html/scripts/formmail.pl

[Mon Sep 27 06:55:18 2004] [error] [client 210.72.24.6] script not found or unable to stat: /home/pocketpc/public_html/cgi-bin/sendlink.pl

Are those spammers trying to find code to exploit and send spam with? It's interesting that they occurred at about the same time, but came from different IP addresses.

 

I have my own form mailing script which doesn't use those scripts. After my last question, I also checked the HP page, which didn't use any of those scripts, either.

 

Steve

[TCH-Dick 25]

Yes those are most likely spammers probing for insecure scripts. I get them on occasion too. We has a little discussion about this a couple of months ago.