Worrying Log Files


Recommended Posts

Hello,

 

I was wondering if anyone can help me with the following. I have just looked at my log files for my website on a TCH webserver, and found the following:

 

[Fri Sep 15 04:21:21 2006] [error] [client 66.249.66.232] File does not exist: /home/xxxxx/public_html/txtlist/archive/download+free+Beat+Craft.htm

[Fri Sep 15 04:21:09 2006] [error] [client 66.249.66.232] File does not exist: /home/xxxxx/public_html/txtlist/archive/winme+key+patch-to-full.htm

[Fri Sep 15 04:20:57 2006] [error] [client 66.249.66.232] File does not exist: /home/xxxxx/public_html/txtlist/archive/Mister+Pix+II+v2.10.zip.htm

[Fri Sep 15 04:20:46 2006] [error] [client 66.249.66.232] File does not exist: /home/xxxxx/public_html/txtlist/archive/descargar+rmx+converter.htm

 

This is just a small selection of it. When I look these up on the internet, they are usually bittorrent ads.

 

So my questions are:

 

1) Is this a possible security risk, i.e. have I not done something to protect myself?

2) Is there any way I can stop this? Some of the queries are turning up in Google, and although they may not be getting access to any of my data, it still makes my company look bad.

 

Any help would be much appreciated.

 

Regards,

CC
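As an added illustration (not code from the original poster or the forum), here is a small Python script that parses Apache error-log lines of the kind quoted above and groups the "File does not exist" entries by client address and directory, flagging groups where the missing file names look like keyword-stuffed spam pages (several `+`-joined words, or words such as "download", "free", "key", "patch"). The log lines are constructed from the ones in the post; the keyword list and the threshold of two hits per group are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample in Apache error-log format, modelled on the lines quoted in
# the post. The two 192.0.2.10 entries are made-up ordinary 404s for contrast.
SAMPLE_LOG = """\
[Fri Sep 15 04:21:21 2006] [error] [client 66.249.66.232] File does not exist: /home/xxxxx/public_html/txtlist/archive/download+free+Beat+Craft.htm
[Fri Sep 15 04:21:09 2006] [error] [client 66.249.66.232] File does not exist: /home/xxxxx/public_html/txtlist/archive/winme+key+patch-to-full.htm
[Fri Sep 15 04:20:57 2006] [error] [client 66.249.66.232] File does not exist: /home/xxxxx/public_html/txtlist/archive/Mister+Pix+II+v2.10.zip.htm
[Fri Sep 15 04:20:46 2006] [error] [client 66.249.66.232] File does not exist: /home/xxxxx/public_html/txtlist/archive/descargar+rmx+converter.htm
[Fri Sep 15 04:25:00 2006] [error] [client 192.0.2.10] File does not exist: /home/xxxxx/public_html/favicon.ico
[Fri Sep 15 04:26:00 2006] [error] [client 192.0.2.10] File does not exist: /home/xxxxx/public_html/images/logo_old.gif
"""

# Matches the classic Apache 1.3/2.0 error-log layout used in the post.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"File does not exist: (?P<path>\S+)$"
)

# Assumed keyword list; extend it with whatever your own logs show.
SPAM_WORDS = {
    "download", "free", "key", "patch", "crack", "serial",
    "keygen", "warez", "descargar",
}


def parse_line(line):
    """Return a dict with ts/ip/path for a 'File does not exist' line, else None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def looks_like_keyword_spam(path):
    """Heuristic: many '+'-joined words, or any known spam keyword, in the file name."""
    name = path.rsplit("/", 1)[-1]
    stem = name.rsplit(".", 1)[0]          # drop the trailing .htm / .gif
    tokens = [t.lower() for t in re.split(r"[+\-_ ]+", stem) if t]
    plus_joined = name.count("+") >= 2
    keyword_hit = any(t in SPAM_WORDS for t in tokens)
    return plus_joined or keyword_hit


def summarize(log_text, min_hits=2):
    """Group 404s by (client, directory); flag groups with >= min_hits spam-looking names."""
    groups = defaultdict(lambda: {"total": 0, "spam": 0, "samples": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                        # other error-log message types are ignored
        directory = rec["path"].rsplit("/", 1)[0]
        g = groups[(rec["ip"], directory)]
        g["total"] += 1
        if looks_like_keyword_spam(rec["path"]):
            g["spam"] += 1
            if len(g["samples"]) < 3:
                g["samples"].append(rec["path"].rsplit("/", 1)[-1])
    flagged = {k: v for k, v in groups.items() if v["spam"] >= min_hits}
    return dict(groups), flagged


if __name__ == "__main__":
    groups, flagged = summarize(SAMPLE_LOG)
    for (ip, directory), g in groups.items():
        mark = "FLAG" if (ip, directory) in flagged else "    "
        print(f"{mark} {ip:15} {directory}  total={g['total']} spam={g['spam']} {g['samples']}")
```

Grouping by client and directory makes the pattern in the post stand out: one client asking for a burst of keyword-stuffed names under a directory the owner never created. That is not by itself evidence of someone probing the server, but it is a reason to look at that directory on disk, which is how this thread was eventually resolved.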


Hello Captain Crunch

 

Welcome to the forums. What you are seeing in your logs is not unusual. Am I guessing correctly that you do not have that directory at all? I would suggest putting in a 404 error page first off that redirects back to your main page.

 

Have you tried setting up a Google sitemap, and is your robots.txt set up OK too?

 

JimE


2 weeks later...

Just a quick post letting you guys know what the problem was.

 

One of my directories had been exploited and a number of .php files had been uploaded. The hacker was using my site as a "launching pad" for dodgy searches (mostly coming from US tech centres).

 

So, if you see any logs like the ones I posted, I recommend you take the time to look into the entries (even if you don't think you have some of the directories listed).

 

Regards,

Cap'n Crunch.



Any ideas on how the directory was exploited?

 

Regards,

Dan


Webspammers have started hacking websites in order to serve up spam and do other things related to spamming.

 

Download the php files with ftp or cpanel, in order to check what's in them. Browsing to them via a browser won't let you view the code.

 

Some of those files are obfuscated, but it's possible to deobfuscate them. Quite often they point to another site via includes.


It is difficult to tell, as cPanel doesn't allow me to view all of my logs since the inception of the site.

 

My guess is that it was a custom login script that I wrote.

 

They chmod'd a number of files which turned out to be the real nightmare in the whole ordeal. It wasn't that difficult to delete the php scripts they had uploaded.

 

As Annie said, they were "redirect" scripts for spammers, encoded with base64, pointing to mostly Russian domains.

 

If anyone is looking for a good (and safe) decoder for base64, I found this one to be useful:

 

http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/

 

Regards,

The Captain
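The two posts above (Annie's advice to download the .php files and deobfuscate them, and the Captain's note that they were base64-encoded redirect scripts) describe a check that can be scripted. The following Python scanner is an added example, not code from either poster: it walks a web root, reads every .php file, decodes any literal passed to `base64_decode(...)`, pulls URLs out of both the raw source and the decoded text, and reports whether the file calls `eval(` and whether it is world-writable (the chmod problem the Captain mentions). The web-root layout, the mock redirect script and the example.net address are constructed for the demonstration.

```python
import base64
import os
import re
import tempfile

# Constructed sample tree: a benign page and a mock of the base64-wrapped
# redirect script described in the thread. The payload is a harmless PHP
# header() line pointing at a reserved example domain.
PAYLOAD = 'header("Location: http://spam.example.net/redirect");'
SAMPLE_FILES = {
    "index.php": "<?php echo 'hello'; ?>",
    os.path.join("archive", "txt1.php"):
        "<?php eval(base64_decode('"
        + base64.b64encode(PAYLOAD.encode()).decode()
        + "')); ?>",
}

# A quoted literal handed straight to base64_decode(); whitespace inside the
# literal is tolerated because some scripts wrap long blobs across lines.
B64_RE = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s'\"<>]*)?")
EVAL_RE = re.compile(r"\beval\s*\(")


def decode_blobs(source):
    """Decode every base64 literal passed to base64_decode(); skip invalid ones."""
    decoded = []
    for blob in B64_RE.findall(source):
        blob = re.sub(r"\s+", "", blob)
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        decoded.append(text)
    return decoded


def scan_file(path):
    """Build a report dict for one PHP file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        source = fh.read()
    blobs = decode_blobs(source)
    urls = set(URL_RE.findall(source))
    for text in blobs:
        urls.update(URL_RE.findall(text))
    mode = os.stat(path).st_mode
    return {
        "path": path,
        "has_eval": bool(EVAL_RE.search(source)),
        "b64_blobs": len(blobs),
        "decoded": blobs,
        "urls": sorted(urls),
        "world_writable": bool(mode & 0o002),
    }


def suspicious(report):
    """eval() or an embedded base64 literal is enough to warrant a manual look."""
    return report["has_eval"] or report["b64_blobs"] > 0


def scan_tree(root):
    """Scan every PHP-like file below root and return the list of reports."""
    reports = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".php", ".phtml", ".php5")):
                reports.append(scan_file(os.path.join(dirpath, name)))
    return reports


def build_sample_tree():
    """Write the constructed sample files into a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    os.chmod(os.path.join(root, "index.php"), 0o644)
    os.chmod(os.path.join(root, "archive", "txt1.php"), 0o666)  # mimic the chmod'd files
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for r in scan_tree(root):
        flag = "SUSPICIOUS" if suspicious(r) else "ok        "
        print(flag, os.path.relpath(r["path"], root),
              "eval" if r["has_eval"] else "", f"b64={r['b64_blobs']}",
              "world-writable" if r["world_writable"] else "", r["urls"])
        for text in r["decoded"]:
            print("    decoded:", text)
```

Run it against a copy of the site downloaded over FTP or cPanel, as Annie suggests, rather than on the live server. The decoded text and the extracted URLs are what you want to read; a legitimate script rarely hides a redirect target inside a base64 literal fed to `eval`, and a world-writable .php file is worth fixing whether or not its contents look clean.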
