The Community Forums


Hack attempt from within?

Discussion in 'General Discussion' started by jols, Apr 3, 2006.

  1. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    I am seeing a bazillion of these log entries in - /usr/local/apache/logs/access_log

    Any idea what may be going on here?


    127.0.0.1 - - [03/Apr/2006:21:57:19 -0500] "GET http://www.ripper.com.ru:80//rippers/ HTTP/1.1" 404 -
    127.0.0.1 - - [03/Apr/2006:21:57:19 -0500] "GET http://www.ripper.com.ru:80//rippers/ HTTP/1.1" 404 -
    127.0.0.1 - - [03/Apr/2006:21:57:19 -0500] "GET http://www.ripper.com.ru:80//rippers/ HTTP/1.1" 404 -
    127.0.0.1 - - [03/Apr/2006:21:57:19 -0500] "GET http://www.ripper.com.ru:80//rippers/ HTTP/1.1" 404 -
    127.0.0.1 - - [03/Apr/2006:21:57:19 -0500] "GET http://www.ripper.com.ru:80//rippers/ HTTP/1.1" 404 -
    127.0.0.1 - - [03/Apr/2006:21:57:19 -0500] "GET http://www.ripper.com.ru:80//rippers/ HTTP/1.1" 404 -
    127.0.0.1 - - [03/Apr/2006:21:57:19 -0500] "GET http://www.ripper.com.ru:80//rippers/ HTTP/1.1" 404 -
    127.0.0.1 - - [03/Apr/2006:21:57:19 -0500] "GET http://www.ripper.com.ru:80//rippers/ HTTP/1.1" 404 -
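
    Worked example (added here by the editor; it is not code from the thread or from cPanel). The entries above have two properties worth flagging automatically: the request target is an absolute URI (scheme://host:port/path, the form a client sends to a forward proxy) rather than a path, and the source address is 127.0.0.1, so the client is on the server itself or comes in through something listening on loopback. The script below parses Common Log Format lines, keeps only absolute-form requests, and records whether they came from loopback and whether Apache answered 200 instead of 404. The sample lines are constructed to match the ones quoted in this thread plus two ordinary requests; the 192.0.2.x and 198.51.100.x addresses are documentation ranges.

```python
import re
from collections import Counter

# Apache Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Absolute-form request target (scheme://authority/path), the shape a client
# sends to a forward proxy. An origin server normally sees only a path.
ABS_URI_RE = re.compile(r'^(?P<scheme>https?)://(?P<authority>[^/]+)(?P<path>/.*)?$', re.I)

# Constructed sample: two lines modelled on the thread's entries plus two
# ordinary requests (192.0.2.x and 198.51.100.x are documentation ranges).
SAMPLE_LOG = """\
127.0.0.1 - - [03/Apr/2006:21:57:19 -0500] "GET http://www.ripper.com.ru:80//rippers/ HTTP/1.1" 404 -
127.0.0.1 - - [03/Apr/2006:22:59:00 -0500] "GET http://xakepy.ru:80// HTTP/1.1" 200 137
192.0.2.10 - - [03/Apr/2006:22:59:05 -0500] "GET /index.html HTTP/1.1" 200 4521
198.51.100.7 - - [03/Apr/2006:22:59:07 -0500] "GET http://example.net/ HTTP/1.0" 200 137
"""

def parse_line(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    e = m.groupdict()
    e['status'] = int(e['status'])
    e['size'] = 0 if e['size'] == '-' else int(e['size'])
    return e

def classify(entry):
    """Flags for an absolute-form request, or None for an ordinary path request."""
    m = ABS_URI_RE.match(entry['target'])
    if m is None:
        return None
    flags = {'absolute_uri'}
    if entry['host'] in ('127.0.0.1', '::1'):
        flags.add('from_loopback')   # client is on this box or behind a local listener
    if entry['status'] == 200:
        flags.add('served_200')      # server answered instead of refusing
    return flags

def analyse(log_text):
    """Return (hits, counts): each flagged entry as (host, authority, status, flags),
    and a Counter of (source host, target authority, status) for spotting bursts."""
    hits, counts = [], Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        flags = classify(e)
        if flags is None:
            continue
        authority = ABS_URI_RE.match(e['target']).group('authority')
        hits.append((e['host'], authority, e['status'], flags))
        counts[(e['host'], authority, e['status'])] += 1
    return hits, counts

if __name__ == '__main__':
    hits, counts = analyse(SAMPLE_LOG)
    for (host, authority, status), n in counts.most_common():
        print(f"{n:5d}x {host} -> {authority} status={status}")
```

    Apache accepts absolute-form requests and, when it is not proxying, serves the path part from the virtual host matching the URI's host (or the default one), so a small fixed size such as 137 bytes is consistent with a local page being returned; a response whose size tracks the remote site's page would indicate the box is relaying as an open proxy. Either way, confirm mod_proxy is not configured with ProxyRequests On. A source of 127.0.0.1 cannot be attributed to an outside client from the access log alone; the next step is to catch the local process making the requests while a burst is in progress, for example with lsof -i or netstat -anp.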
     
  2. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    Secure your server before it is too late. Did you check other log files, and directories such as /tmp, for other possible vulnerabilities?
     
  3. jols

    Thanks, checking now.

    Now we are seeing a ton of these in the apache access log

    127.0.0.1 - - [03/Apr/2006:22:59:00 -0500] "GET http://xakepy.ru:80// HTTP/1.1" 200 137
    127.0.0.1 - - [03/Apr/2006:22:59:00 -0500] "GET http://xakepy.ru:80// HTTP/1.1" 200 137
    127.0.0.1 - - [03/Apr/2006:22:59:00 -0500] "GET http://xakepy.ru:80// HTTP/1.1" 200 137
    127.0.0.1 - - [03/Apr/2006:22:59:00 -0500] "GET http://xakepy.ru:80// HTTP/1.1" 200 137

    Any other advice?
     
  4. jols

    After running rkhunter, I am seeing this:

    Port 2001: Scalper Rootkit [ Warning! (possible trojan port) ]

    False alarm perhaps?
     
  5. jols

    Okay, yup. Looks like the Scalper note is a false alarm produced by PortSentry.
     