The Community Forums


Attempted Hack - or not?

Discussion in 'General Discussion' started by VeeMacBee, Nov 10, 2010.

  1. VeeMacBee (Registered; joined Nov 10, 2010; Toronto)

    I have used cPanel for about the last six months. I recently found something strange in my "recent visitors" log which I will paste to see if someone can answer this for me. I actually know who is doing this... But at any rate the previous site was rife with XML documents and this person generates lots of paper XML documents. I can only assume that he was trying to parse XML documents rather than simply print what was posted on the site, guess he didn't know that the site does not now use XML documents! There are only 2 IPs doing this, one his home IP and the other his office IP - I know from the user agent string which computer at the site is doing it. So let me show you what I found. His excuse was that he was trying to access his email, but none of the 15 or 20 other users produce this when accessing their emails. The only way that I could duplicate it was to actually type it into a browser. Here it is:


    /webmail (here he is accessing his webmail)

    Http Code: 301 Date: Oct 28 09:59:33 Http Version: HTTP/1.1 Size in Bytes: -
    Referer: -

    Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.6; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; OfficeLiveConnector.1.5; OfficeLivePatch.1.3; .NET4.0E; AskTbGLSV5/5.8.0.12304)

    But then

    /cPanel_magic_revision_1266572215/unprotected/cpanel/favicon.ico

    Http Code: 404 Date: Oct 28 09:59:35 Http Version: HTTP/1.1 Size in Bytes: 938
    Referer: -

    Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

    Here we see him with WinHttpRequest.5 which I'm pretty sure can be used as a scraper, and I think that it can be used as a server-to-server request thing for XML, not really overly familiar with it.

    Next he tries it from home, first looking at the portal page of the site, then later trying this thing again. Once again with WinHttpRequest.5 running.


    /wpimages/wpea1249c9.jpg

    Http Code: 200 Date: Nov 01 17:12:04 Http Version: HTTP/1.1 Size in Bytes: 1023512
    Referer: i took this out

    Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.6; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; Media Center PC 4.0; .NET CLR 3.0.04506.30; InfoPath.2; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; OfficeLiveConnector.1.5; OfficeLivePatch.1.3; AskTB5.6)

    /cPanel_magic_revision_1266572215/unprotected/cpanel/favicon.ico

    Http Code: 404 Date: Nov 02 00:36:41 Http Version: HTTP/1.1 Size in Bytes: 938
    Referer: -

    Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)


    Finally I am no longer amused and deny his IP. I have also noticed that when he tries the "/cPanel_magic_revision..." thing, the referer line is blank, leading me to believe that the "/cPanel_magic_revision..." has been typed into a browser.


    Host: 65.95.114.213
    /cPanel_magic_revision_1266572215/unprotected/cpanel/favicon.ico

    Http Code: 403 Date: Nov 06 17:38:43 Http Version: HTTP/1.1 Size in Bytes: 937
    Referer: -

    Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)


    I would greatly appreciate any insight anyone can offer on this!

    Thanks!
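One way to settle the comparison made in this post (does the same WinHttpRequest favicon fetch show up for the other webmail users, or for this one host only?) is to parse the "recent visitors" layout pasted above and tally it per host. The script below is an added example, not code from the poster or from cPanel; the sample entries and the 192.0.2.x hosts are constructed.

```python
import re

# Constructed sample in the layout of the "recent visitors" paste above (documentation IPs).
SAMPLE_LOG = """\
Host: 192.0.2.10
/webmail (user opening webmail)
Http Code: 301 Date: Oct 28 09:59:33 Http Version: HTTP/1.1 Size in Bytes: -
Referer: -
Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
/cPanel_magic_revision_1266572215/unprotected/cpanel/favicon.ico
Http Code: 404 Date: Oct 28 09:59:35 Http Version: HTTP/1.1 Size in Bytes: 938
Referer: -
Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: 192.0.2.20
/webmail
Http Code: 301 Date: Oct 28 10:02:01 Http Version: HTTP/1.1 Size in Bytes: -
Referer: -
Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0
"""
HTTP_RE = re.compile(r"Http Code: (\d+) Date: (.+?) Http Version: (\S+) Size in Bytes: (\S+)")

def parse_visitors(text):
    """One dict per request; a 'Host:' line covers every request until the next one."""
    entries, cur, host = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Host:"):
            host = line.split(":", 1)[1].strip()
        elif line.startswith("/"):  # path line, possibly with a trailing note
            cur = {"host": host, "path": line.split()[0], "referer": "-", "agent": ""}
            entries.append(cur)
        elif cur and line.startswith("Http Code:"):
            cur.update(zip(("code", "date", "version", "size"), HTTP_RE.match(line).groups()))
        elif cur and ":" in line:  # Referer: and Agent: lines
            key, val = line.split(":", 1)
            cur[key.strip().lower()] = val.strip()
    return entries

def is_winhttp_cpanel_fetch(e):
    """The pattern in the thread: WinHttpRequest agent, cPanel-internal path, blank referer."""
    return ("WinHttp.WinHttpRequest" in e["agent"] and e["referer"] == "-"
            and e["path"].startswith("/cPanel_magic_revision_"))

def summarize_by_host(entries):
    """Per host: webmail visits vs. that fetch; if every webmail user shows it, it is client behaviour."""
    summary = {}
    for e in entries:
        s = summary.setdefault(e["host"] or "unknown", {"webmail": 0, "winhttp_favicon": 0})
        s["webmail"] += int(e["path"].startswith("/webmail"))
        s["winhttp_favicon"] += int(is_winhttp_cpanel_fetch(e))
    return summary
```

Run it over the full log rather than one user's entries: a host that opens /webmail without ever producing the fetch, or one that produces the fetch without a preceding /webmail visit, is the case worth a closer look.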
     
  2. Infopro (cPanel Sr. Product Evangelist, Staff Member; joined May 20, 2003; Pennsylvania; cPanel Access Level: Root Administrator)

    I don't see any problems here at first glance. What do you suspect he's doing wrong?
     
  3. VeeMacBee (Registered; joined Nov 10, 2010; Toronto)

    It looks like he is trying to access the cPanel (which he does not have a password for) while running WinHttpRequest.5 which can be used as a web scraper(?) or to place or remove XML from one server to another(?). I'm not sure, which is why I asked. Don't care if I'm wrong, but I can't figure it out since I only see it from the one user (who tantrums a lot).
     
  4. Infopro (cPanel Sr. Product Evangelist, Staff Member; joined May 20, 2003; Pennsylvania; cPanel Access Level: Root Administrator)

    He has webmail access though, right? That would explain the call to the favicon I would think.
     