Hack attempt from within?

Discussion in 'General Discussion' started by jols, Apr 3, 2006.

  1. jols

    jols Well-Known Member

    I am seeing a bazillion of these log entries in - /usr/local/apache/logs/access_log

    Any idea what may be going on here?


    127.0.0.1 - - [03/Apr/2006:21:57:19 -0500] "GET http://www.ripper.com.ru:80//rippers/ HTTP/1.1" 404 -
    127.0.0.1 - - [03/Apr/2006:21:57:19 -0500] "GET http://www.ripper.com.ru:80//rippers/ HTTP/1.1" 404 -
    127.0.0.1 - - [03/Apr/2006:21:57:19 -0500] "GET http://www.ripper.com.ru:80//rippers/ HTTP/1.1" 404 -
    127.0.0.1 - - [03/Apr/2006:21:57:19 -0500] "GET http://www.ripper.com.ru:80//rippers/ HTTP/1.1" 404 -
    127.0.0.1 - - [03/Apr/2006:21:57:19 -0500] "GET http://www.ripper.com.ru:80//rippers/ HTTP/1.1" 404 -
    127.0.0.1 - - [03/Apr/2006:21:57:19 -0500] "GET http://www.ripper.com.ru:80//rippers/ HTTP/1.1" 404 -
    127.0.0.1 - - [03/Apr/2006:21:57:19 -0500] "GET http://www.ripper.com.ru:80//rippers/ HTTP/1.1" 404 -
    127.0.0.1 - - [03/Apr/2006:21:57:19 -0500] "GET http://www.ripper.com.ru:80//rippers/ HTTP/1.1" 404 -
     
  2. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Secure your server before it is too late. Did you check other log files, and directories such as /tmp, for other possible vulnerabilities?
     
  3. jols

    jols Well-Known Member

    Thanks, checking now.

    Now we are seeing a ton of these in the apache access log

    127.0.0.1 - - [03/Apr/2006:22:59:00 -0500] "GET http://xakepy.ru:80// HTTP/1.1" 200 137
    127.0.0.1 - - [03/Apr/2006:22:59:00 -0500] "GET http://xakepy.ru:80// HTTP/1.1" 200 137
    127.0.0.1 - - [03/Apr/2006:22:59:00 -0500] "GET http://xakepy.ru:80// HTTP/1.1" 200 137
    127.0.0.1 - - [03/Apr/2006:22:59:00 -0500] "GET http://xakepy.ru:80// HTTP/1.1" 200 137

    Any other advice?
     
  4. jols

    jols Well-Known Member

    After running rkhunter, I am seeing this:

    Port 2001: Scalper Rootkit [ Warning! (possible trojan port) ]

    False alarm perhaps?
     
  5. jols

    jols Well-Known Member

    Okay, yup. Looks like the Scalper note is a false alarm produced by PortSentry.
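
An added example, not part of any post in this thread: one way to triage an access_log like the one quoted above is to count requests whose target is an absolute URI, the form a client sends to a forward proxy, per client, named host and status. It goes beyond the thread by also handling CONNECT; the function names, `local_names` and the sample lines marked constructed are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Common Log Format: client ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+'
)

def named_host(method, target):
    """Host named in a proxy-style request target, or None for a normal one."""
    if method == "CONNECT":                      # CONNECT host:port
        return target.rsplit(":", 1)[0].lower() or None
    if target.startswith("/") or "://" not in target:
        return None                              # origin-form (GET /path) or "*"
    return urlsplit(target).hostname             # absolute-form: GET http://host/path

def summarize(lines, local_names=frozenset()):
    """Count proxy-style requests per (client, host, status).

    local_names (assumption): the server's own vhost names, which are skipped.
    """
    counts = Counter()
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue                             # not a CLF line
        host = named_host(m["method"], m["target"])
        if host and host not in local_names:
            counts[(m["client"], host, int(m["status"]))] += 1
    return counts

def answered(counts):
    """Entries the server answered with 2xx/3xx; review these first."""
    return sorted(k for k in counts if 200 <= k[2] < 400)

SAMPLE = [
    # Taken from the posts above
    '127.0.0.1 - - [03/Apr/2006:21:57:19 -0500] "GET http://www.ripper.com.ru:80//rippers/ HTTP/1.1" 404 -',
    '127.0.0.1 - - [03/Apr/2006:21:57:19 -0500] "GET http://www.ripper.com.ru:80//rippers/ HTTP/1.1" 404 -',
    '127.0.0.1 - - [03/Apr/2006:22:59:00 -0500] "GET http://xakepy.ru:80// HTTP/1.1" 200 137',
    # Constructed for this example
    '192.0.2.10 - - [03/Apr/2006:22:10:01 -0500] "GET /index.html HTTP/1.1" 200 5120',
    '192.0.2.10 - - [03/Apr/2006:22:10:02 -0500] "GET http://www.example.com/ HTTP/1.1" 200 5120',
    '198.51.100.7 - - [03/Apr/2006:22:11:40 -0500] "CONNECT mail.example.net:25 HTTP/1.0" 405 -',
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE, {"www.example.com"}).most_common():
        print(n, *key)
```

A 2xx on a foreign host only shows that the server returned something; whether that was the default virtual host's page or a proxied response depends on the Apache configuration (mod_proxy's `ProxyRequests`).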
     