abuse originating from my server

Discussion in 'General Discussion' started by Jorel, Aug 3, 2005.

  1. Jorel

    I have abuse originating from my server. Here's the report I got. My provider is far too much on the budget end of the spectrum to provide very good support regarding this. But I must make the attacks stop. What steps should I follow to track and eliminate this abuse?

    >> Date & Time: 2005-08-02 04:51:30
    >> Blocked IP: 209.67.216.234
    >> User ID: Anonymous (1)
    >> Reason: Abuse-Script

    Date & Time: 2005-08-02 06:15:03 EST (GMT-5)
    Blocked IP: 209.67.216.234
    User ID: Anonymous (1)
    Reason: Abuse-Script
    --------------------
    User Agent: Mozilla/4.0
    Query String:
    64bit.us/modules.php?name=Forums&file=viewtopic&t=83&highlight='.system(getenv(HTTP_PHP)).'
    Forwarded For: none
    Client IP: none
    Remote Address: 209.67.216.234
    Remote Port: 45673
    Request Method: GET
    >> --------------------
    >> User Agent: Mozilla/4.0
    >> Query String:
    >> mike-force.com/modules.php?name=Forums&file=posting&mode=reply&t=32&highlight='.system(getenv(HTTP_PHP)).'
    >> Forwarded For: none
    >> Client IP: none
    >> Remote Address: 209.67.216.234
    >> Remote Port: 41973
    >> Request Method: GET
     
  2. Jorel

    In /tmp and /var/tmp I have a file called "xkernel" owned by nobody. Could that be causing the problems?
     
  3. gpreston

    Take a look at the content of the files if they aren't binary. See if they look malicious. It does look like you have a worm of sorts that is preying on poor PHP code like the phpBB worms are/were doing. Also, do a 'netstat -a' and see if you see your server making outbound connections to other systems on port 80. You can also try checking the process list with 'ps -ef' to see if something peculiar is running.

    If you have a firewall installed on the machine, you can temporarily deny access outbound on port 80 while you are trying to troubleshoot the problem. That will at least stop the worms from going out and causing mischief while you are trying to find them.
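
The checks suggested in the post above, as an added example that is not part of the original thread: it tallies outbound connections to remote port 80 from `netstat -tn` output and lists files owned by the web-server account in the temp directories. The function names and the sample netstat lines are constructed for illustration; `nobody` as the account to check is an assumption based on the file ownership reported earlier in the thread.

```sh
#!/bin/sh
# Added triage example; not code from the thread.

# Constructed sample of `netstat -tn` output (documentation address ranges).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:45673        203.0.113.20:80         ESTABLISHED
tcp        0      1 192.0.2.10:41973        203.0.113.20:80         SYN_SENT
tcp        0      0 192.0.2.10:41980        203.0.113.99:80         ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.9:60022      ESTABLISHED
tcp        0      0 192.0.2.10:39000        203.0.113.50:80         TIME_WAIT'

# outbound_http: read `netstat -tn` output on stdin and print "count host"
# for live connections where the REMOTE port is 80 and the local port is not
# a web port, i.e. this server is acting as an HTTP client.
outbound_http() {
    awk '
        $1 ~ /^tcp/ && ($6 == "ESTABLISHED" || $6 == "SYN_SENT") {
            n = split($4, l, ":"); lport = l[n]
            m = split($5, r, ":"); rport = r[m]
            if (rport == "80" && lport != "80" && lport != "443") {
                host = $5; sub(/:[0-9]+$/, "", host)
                count[host]++
            }
        }
        END { for (h in count) printf "%d %s\n", count[h], h }
    ' | sort -rn
}

# suspicious_tmp_files USER DIR...: long-list regular files owned by USER
# (name or numeric uid) under the given directories, without crossing mounts.
suspicious_tmp_files() {
    tmp_user=$1; shift
    find "$@" -xdev -type f -user "$tmp_user" -exec ls -ld {} + 2>/dev/null
}

case "${1:-}" in
    --live)  # run against the real system
        netstat -tn | outbound_http
        suspicious_tmp_files nobody /tmp /var/tmp
        ps -ef | awk '$1 == "nobody"' ;;
    *)       # default: demonstrate on the constructed sample
        printf '%s\n' "$SAMPLE_NETSTAT" | outbound_http ;;
esac
```

A web server normally accepts connections on port 80 rather than opening them, so many client-side connections to one remote host on port 80 are worth correlating with the process list and the temp-directory files.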
     
  4. BianchiDude

    How did you get this?
     
  5. AndyReed

    I suggest you secure your server and stop these hackers and spammers from using your server as a launching pad for their attacks on other servers and SPAM.
     