cPanel_magic_revision --> Looks like the hackers found something new to attack?

**jols** · 07-15-2008 06:27 PM

Suddenly I am seeing tons of stuff like this in the general Apache logs:

203.30.105.238 - - [14/Jul/2008:00:48:24 -0500] "GET /cPanel_magic_revision_1184740262/webmail/x3/images/squirrelmail_logo.gif HTTP/1.0" 200 3511
203.30.105.238 - - [14/Jul/2008:00:48:24 -0500] "GET /cPanel_magic_revision_1184740262/webmail/x3/images/horde.gif HTTP/1.0" 200 1579
203.30.105.238 - - [14/Jul/2008:00:48:24 -0500] "GET /cPanel_magic_revision_1127657883/3rdparty/roundcube/skins/default/images/roundcube_logo.png HTTP/1.0" 200 4868
203.30.105.238 - - [14/Jul/2008:00:48:24 -0500] "GET /cPanel_magic_revision_1184740284/webmail/x3/branding/password.jpg HTTP/1.0" 200 1263
203.30.105.238 - - [14/Jul/2008:00:48:25 -0500] "GET /cPanel_magic_revision_1184740284/webmail/x3/branding/forwardersemail.gif HTTP/1.0" 200 1372
203.30.105.238 - - [14/Jul/2008:00:48:25 -0500] "GET /cPanel_magic_revision_1184740280/webmail/x3/branding/responder.jpg HTTP/1.0" 200 685
203.30.105.238 - - [14/Jul/2008:00:48:25 -0500] "GET /cPanel_magic_revision_1184740281/webmail/x3/branding/manageaccounts.gif HTTP/1.0" 200 1639
203.30.105.238 - - [14/Jul/2008:00:48:25 -0500] "GET /cPanel_magic_revision_1184740285/webmail/x3/branding/boxtrapper.gif HTTP/1.0" 200 1688
203.30.105.238 - - [14/Jul/2008:00:48:25 -0500] "GET /cPanel_magic_revision_1184740281/webmail/x3/branding/ufiltering.jpg HTTP/1.0" 200 685
203.30.105.238 - - [14/Jul/2008:00:48:25 -0500] "GET /cPanel_magic_revision_1210150413/webmail/x3/js/webmaillogin_optimized.js HTTP/1.0" 200 4676
203.30.105.238 - - [14/Jul/2008:00:48:25 -0500] "GET /cPanel_magic_revision_1184740262/webmail/x3/images/getstart-bg.jpg HTTP/1.0" 200 2784
203.30.105.238 - - [14/Jul/2008:00:48:25 -0500] "GET /cPanel_magic_revision_1184740262/webmail/x3/images/getstart-bg.jpg HTTP/1.0" 200 2784
203.30.105.238 - - [14/Jul/2008:00:48:25 -0500] "GET /cPanel_magic_revision_1184740262/webmail/x3/images/getstart-bg.jpg HTTP/1.0" 200 2784
203.30.105.238 - - [14/Jul/2008:00:48:25 -0500] "GET /cPanel_magic_revision_1184740262/webmail/x3/images/getstart-bg.jpg HTTP/1.0" 200 2784

Anyone know what the heck this may be all about?

Thanks much.

**daveformerlyof** · 07-16-2008 09:27 AM

These should not be successful. cPanel Magic Revision is a caching system which caches things like images and css sheets so your users don't have to reload them each time they user the interface. None of the cPanel Magic Revision items are available over port 80 unless you've configured apache to serve pages out of /usr/local/cpanel/ or any of its subdirectories.

You may wish to submit a ticket (see the link in my signature) so we can investigate why these requests are succeeding. I tested this on a live server here an was unable to reproduce.

**cpanelkenneth** · 07-17-2008 09:46 AM

You might be seeing those in the Apache logs if your users are using the Proxy Access feature (e.g. cpanel.example.com) to access the cPanel services.

**jols** · 07-18-2008 09:10 PM

Okay, thanks very much.

LinkBack

Thread Tools

cPanel_magic_revision --> Looks like the hackers found something new to attack?

Tired of hackers

Exim attack - "no IP address found for host" - causing high cpu load

Where do i report hackers?