  1. #1
    Member
    Join Date
    Mar 2004
    Posts
    859

    Hack attempt from within?

    I am seeing a bazillion of these log entries in - /usr/local/apache/logs/access_log

    Any idea what may be going on here?


    127.0.0.1 - - [03/Apr/2006:21:57:19 -0500] "GET http://www.ripper.com.ru:80//rippers/ HTTP/1.1" 404 -
    127.0.0.1 - - [03/Apr/2006:21:57:19 -0500] "GET http://www.ripper.com.ru:80//rippers/ HTTP/1.1" 404 -
    127.0.0.1 - - [03/Apr/2006:21:57:19 -0500] "GET http://www.ripper.com.ru:80//rippers/ HTTP/1.1" 404 -
    127.0.0.1 - - [03/Apr/2006:21:57:19 -0500] "GET http://www.ripper.com.ru:80//rippers/ HTTP/1.1" 404 -
    127.0.0.1 - - [03/Apr/2006:21:57:19 -0500] "GET http://www.ripper.com.ru:80//rippers/ HTTP/1.1" 404 -
    127.0.0.1 - - [03/Apr/2006:21:57:19 -0500] "GET http://www.ripper.com.ru:80//rippers/ HTTP/1.1" 404 -
    127.0.0.1 - - [03/Apr/2006:21:57:19 -0500] "GET http://www.ripper.com.ru:80//rippers/ HTTP/1.1" 404 -
    127.0.0.1 - - [03/Apr/2006:21:57:19 -0500] "GET http://www.ripper.com.ru:80//rippers/ HTTP/1.1" 404 -

  2. #2
    cPanel Partner NOC
    Join Date
    May 2004
    Location
    Minneapolis, MN
    Posts
    2,223

    Quote Originally Posted by jols
    I am seeing a bazillion of these log entries in - /usr/local/apache/logs/access_log

    Any idea what may be going on here?


    127.0.0.1 - - [03/Apr/2006:21:57:19 -0500] "GET http://www.ripper.com.ru:80//rippers/ HTTP/1.1" 404 -

    Secure your server before it is too late. Did you check other log files, and directories such as /tmp, for other possible vulnerabilities?
    Andy Reed
    RHCE and CCNA
    ServerTune.com

  3. #3
    Member
    Join Date
    Mar 2004
    Posts
    859

    Thanks, checking now.

    Now we are seeing a ton of these in the Apache access log:

    127.0.0.1 - - [03/Apr/2006:22:59:00 -0500] "GET http://xakepy.ru:80// HTTP/1.1" 200 137
    127.0.0.1 - - [03/Apr/2006:22:59:00 -0500] "GET http://xakepy.ru:80// HTTP/1.1" 200 137
    127.0.0.1 - - [03/Apr/2006:22:59:00 -0500] "GET http://xakepy.ru:80// HTTP/1.1" 200 137
    127.0.0.1 - - [03/Apr/2006:22:59:00 -0500] "GET http://xakepy.ru:80// HTTP/1.1" 200 137

    Any other advice?

  4. #4
    Member
    Join Date
    Mar 2004
    Posts
    859

    After running rkhunter, I am seeing this:

    Port 2001: Scalper Rootkit [ Warning! (possible trojan port) ]

    False alarm perhaps?

  5. #5
    Member
    Join Date
    Mar 2004
    Posts
    859

    Okay, yup. Looks like the Scalper note is a false alarm produced by PortSentry.
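
One way to triage entries like those posted in #1 and #3, added here as an example and not code from anyone in the thread: it counts access_log requests whose target is an absolute URI (or a CONNECT, which goes beyond the GET lines shown) for a host the server does not serve, and separates the ones answered with 2xx. `LOCAL_HOSTS`, the function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache common log format: client ident user [time] "request line" status bytes
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
# Assumption: the hostnames this server legitimately serves (placeholders).
LOCAL_HOSTS = {"www.example.com", "example.com"}

def proxy_style_hits(lines, local_hosts=LOCAL_HOSTS):
    """Count proxy-style requests, keyed by (client, target_host, status)."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a common-log-format line
        target = m.group("target")
        if m.group("method") == "CONNECT":
            host = target.rsplit(":", 1)[0].lower()  # authority-form host:port
        elif "://" in target:
            host = (urlsplit(target).hostname or "").lower()  # absolute-form
        else:
            continue  # origin-form ("/path"): an ordinary request
        if host and host not in local_hosts:
            hits[(m.group("client"), host, int(m.group("status")))] += 1
    return hits

def served(hits):
    """Subset of hits answered with a 2xx status: review these first."""
    return {k: n for k, n in hits.items() if 200 <= k[2] < 300}

# Constructed sample lines in the same format as the entries in the thread.
SAMPLE = [
    '127.0.0.1 - - [03/Apr/2006:21:57:19 -0500] "GET http://target-a.example:80//path/ HTTP/1.1" 404 -',
    '127.0.0.1 - - [03/Apr/2006:21:57:19 -0500] "GET http://target-a.example:80//path/ HTTP/1.1" 404 -',
    '127.0.0.1 - - [03/Apr/2006:22:59:00 -0500] "GET http://target-b.example:80// HTTP/1.1" 200 137',
    '192.0.2.10 - - [03/Apr/2006:23:00:01 -0500] "GET /index.html HTTP/1.1" 200 5120',
    '192.0.2.10 - - [03/Apr/2006:23:00:02 -0500] "GET http://www.example.com/ HTTP/1.1" 200 5120',
    '192.0.2.11 - - [03/Apr/2006:23:00:03 -0500] "CONNECT mail.target-c.example:25 HTTP/1.0" 405 -',
]

if __name__ == "__main__":
    for key, n in sorted(proxy_style_hits(SAMPLE).items()):
        print(n, *key)
```

A 2xx on such a request is worth checking against the Apache configuration (for example whether mod_proxy's `ProxyRequests` is On), since the response may be either proxied content or the server's own page.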
