Captain Crunch
Posted September 15, 2006

Hello,

I was wondering if anyone can help me with the following. I have just looked at my log files for my website on a TCH webserver, and found the following:

[Fri Sep 15 04:21:21 2006] [error] [client 66.249.66.232] File does not exist: /home/xxxxx/public_html/txtlist/archive/download+free+Beat+Craft.htm
[Fri Sep 15 04:21:09 2006] [error] [client 66.249.66.232] File does not exist: /home/xxxxx/public_html/txtlist/archive/winme+key+patch-to-full.htm
[Fri Sep 15 04:20:57 2006] [error] [client 66.249.66.232] File does not exist: /home/xxxxx/public_html/txtlist/archive/Mister+Pix+II+v2.10.zip.htm
[Fri Sep 15 04:20:46 2006] [error] [client 66.249.66.232] File does not exist: /home/xxxxx/public_html/txtlist/archive/descargar+rmx+converter.htm

This is just a small selection of it. When I look these up on the internet, they are usually bittorrent ads. So my questions are:

1) Is this a possible security risk, i.e. have I not done something to protect myself?
2) Is there any way I can stop this?

Some of the queries are turning up in Google, and although they may not be getting access to any of my data?, it still makes my company look bad.

Any help would be much appreciated.

Regards,
CC

TCH-JimE
Posted September 15, 2006

Hello Captain Crunch,

Welcome to the forums. What you are seeing in your logs is not unusual. Am I guessing that you do not have that directory at all? I would suggest putting in a 404 error page first off that redirects back to your main page. Have you tried setting up a Google sitemap, and is your robots.txt set up OK too?

JimE

TCH-Bruce
Posted September 15, 2006

Welcome to the forums, Captain Crunch.

TCH-Thomas
Posted September 15, 2006

Welcome to the forum, Captain Crunch.

TCH-Don
Posted September 15, 2006

Welcome to the forum, Captain Crunch.

I see similar requests; they result in the 404 error page being displayed. My error page looks like any other page on my site and has the same links to other pages.

Captain Crunch (Author)
Posted September 26, 2006

Just a quick post letting you guys know what the problem was. One of my directories had been exploited and a number of .php files had been uploaded. The hacker was using my site as a "launching pad" for dodgy searches (mostly coming from US tech centres).

So, if you see any logs like the ones I posted, I recommend you take the time to look into the entries (even if you don't think you have some of the directories listed).

Regards,
Cap'n Crunch.

dcumpian
Posted September 26, 2006

> Just a quick post letting you guys know what the problem was. One of my directories had been exploited and a number of .php files had been uploaded. The hacker was using my site as a "launching pad" for dodgy searches (mostly coming from US tech centres).
>
> So, if you see any logs like the ones I posted, I recommend you take the time to look into the entries (even if you don't think you have some of the directories listed).
>
> Regards,
> Cap'n Crunch.

Any ideas on how the directory was exploited?

Regards,
Dan

annie
Posted September 26, 2006

Webspammers have started hacking websites in order to serve up spam and do other things related to spamming.

Download the php files with ftp or cpanel, in order to check what's in them. Browsing to them via a browser won't let you view the code. Some of those files are obfuscated, but it's possible to deobfuscate them. Quite often they point to another site via includes.

Captain Crunch (Author)
Posted September 26, 2006

It is difficult to tell, as the cpanel doesn't allow me to view all of my logs since the inception of the site. My guess is that it was a custom login script that I wrote.

They chmod'd a number of files, which turned out to be the real nightmare in the whole ordeal. It wasn't that difficult to delete the php scripts they had uploaded. As Annie said, they were "redirect" scripts for spammers, encoded with base64, pointing to mostly Russian domains.

If anyone is looking for a good (and safe) decoder for base 64, I found this one to be useful: http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/

Regards,
The Captain
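
The check annie and Captain Crunch describe above (download the uploaded .php files, decode the base64 offline, see where they point) can be scripted; the following is an added example, not code from the thread. The function names, the five-layer limit and the sample redirect are assumptions made for illustration, and the decoded PHP is only read as text, never executed.

```python
import base64, binascii, re, sys
from urllib.parse import urlparse

# Quoted runs of 16+ base64 characters, as they appear in PHP string literals.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{16,}={0,2})["']""")
URL = re.compile(r"""https?://[^\s"'<>)]+""")
MAX_LAYERS = 5  # assumption: stop after five nested encodings

def decode_literal(text):
    """Strictly decode one literal; None if it is not base64-encoded text."""
    try:
        return base64.b64decode(text, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None

def peel(php_source):
    """Return every decoded layer found in the source. Nothing is executed."""
    layers, queue = [], [(php_source, 0)]
    while queue:
        text, depth = queue.pop()
        if depth >= MAX_LAYERS:
            continue
        for match in B64_LITERAL.finditer(text):
            decoded = decode_literal(match.group(1))
            if decoded:
                layers.append(decoded)
                queue.append((decoded, depth + 1))
    return layers

def redirect_hosts(php_source):
    """Host names of all URLs in the source and in its decoded layers."""
    hosts = set()
    for layer in [php_source] + peel(php_source):
        for url in URL.findall(layer):
            host = urlparse(url).hostname
            if host:
                hosts.add(host)
    return sorted(hosts)

def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample (not a real upload): a redirect under two base64 layers.
INNER = 'header("Location: http://redirect.example.invalid/out.php");'
SAMPLE = '<?php eval(base64_decode("%s")); ?>' % _b64('eval(base64_decode("%s"));' % _b64(INNER))

if __name__ == "__main__":
    for path in sys.argv[1:]:  # files already downloaded via ftp or cpanel
        print(path, redirect_hosts(open(path, errors="replace").read()))
```

Run it against local copies of the suspicious files; any host it prints that you did not put there yourself is worth following up.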