
Hack attempt - I wish someone could tell me how to stop this.

Discussion in 'General Discussion' started by jols, Jul 26, 2006.

  1. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    I see it all the time in the general Apache logs. Obviously a hack attempt via some script run on the server to look for various vulnerable scripts. Problem is the attempts hit the server so fast and hard, it spikes the load to 20, 30 and beyond. I can only get in there to block the IP manually, AMAZINGLY BFD does not ever block these kinds of attempts!!!!

    Here's a VERY short sample from /usr/local/apache/logs/access_log of an attempt that momentarily drove up the load and killed some services on our server (AGAIN):

    217.160.227.75 - - [26/Jul/2006:04:43:46 -0500] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:47 -0500] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:47 -0500] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:47 -0500] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:47 -0500] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:47 -0500] "GET /phpMyAdmin-2.6.0-pl1/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:47 -0500] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:47 -0500] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:47 -0500] "GET /phpMyAdmin-2.6.0-pl1/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:47 -0500] "GET /mysql-admin/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:47 -0500] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:47 -0500] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:48 -0500] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:48 -0500] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:48 -0500] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:48 -0500] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:48 -0500] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:48 -0500] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:48 -0500] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:48 -0500] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:48 -0500] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:48 -0500] "GET /main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:48 -0500] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:49 -0500] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:49 -0500] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:50 -0500] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:50 -0500] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:50 -0500] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:50 -0500] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:50 -0500] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:50 -0500] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:50 -0500] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:50 -0500] "GET /phpMyAdmin-2.5.6/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:50 -0500] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:50 -0500] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:51 -0500] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:51 -0500] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:52 -0500] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:52 -0500] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:52 -0500] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:52 -0500] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:52 -0500] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:52 -0500] "GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:53 -0500] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:53 -0500] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:53 -0500] "GET /phpMyAdmin-2.5.1/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:55 -0500] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:57 -0500] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:43:59 -0500] "GET /myadmin/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:44:01 -0500] "GET /myadmin/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:44:01 -0500] "GET /phpMyAdmin-2.6.0/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:44:01 -0500] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:44:01 -0500] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:44:02 -0500] "GET /phpMyAdmin-2.6.0/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:44:02 -0500] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:44:02 -0500] "GET /phpMyAdmin-2.6.0-pl1/main.php HTTP/1.0" 404 -
    217.160.227.75 - - [26/Jul/2006:04:44:02 -0500] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 -
     
  2. nickp666

    nickp666 Well-Known Member

    Joined:
    Jan 28, 2005
    Messages:
    770
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    /dev/null
    Install Apache mod_evasive if it's a DOS attack.
     
  3. sitekeeper

    sitekeeper Well-Known Member

    Joined:
    Aug 13, 2001
    Messages:
    60
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Troy, Mo
  4. jols

    I've heard that mod_evasive kills FrontPage server extensions. True?

    And I really don't think this is a DOS attack, it ACTS like one, but these appear to be bot-probes looking for vulnerable scripts.
     
  5. nickp666

    I have clients that use FP, nobody has reported any problems to me.
     
  6. nickp666

    Get the user agent from the Apache logs, and if it's not a browser, ban it with mod_security.
     
  7. jols

    Sounds like a good idea, but how?

    These kinds of entries only seem to show up here - /usr/local/apache/logs/access_log

    ... and I'm not seeing user agent entries, only stuff like the following. Here's one, all of seconds' worth:

    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /community/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /community/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
    67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
     
  8. NightStorm

    NightStorm Well-Known Member

    Joined:
    Jul 28, 2003
    Messages:
    286
    Likes Received:
    4
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    mod_evasive will stop that. And while there have been some reports of it messing with Frontpage Extensions, I have yet to experience something of that sort in the 3 years I have been using it.
    Also something to keep in mind, although it won't matter too much just yet... Microsoft is going to cease support for Frontpage Extensions, and there are several rumours going around right now that when Microsoft does, cPanel will too.

    In the meantime, for the first IP you posted (the 217 IP), mail the logs to abuse@schlund.de. For the second one (the 67 IP), abuse@ev1.net. I don't know about schlund.de, but Ev1 are very good about unplugging any server running exploit scanner bots against other servers.

    And I concur that you should check out Chirpy's Firewall and Login Detection plugin (ConfigServer Firewall). It'll be one of the better things you have installed on your server.
     
  9. nickp666

    If you look in /usr/local/apache/domlogs/domain.tld, if you have extended logging on, they will be in there. If you haven't, set the logging in WHM > Basic cPanel/WHM setup.
     
  10. jols

    We have this on two servers now, and as nice as it is, it does not stop these attacks.
     
  11. jols

    Hmmm, no such file as domain.tld

    In cPanel/WHM Apache Access Log Style is set to combined
    "combined - All information including referers, user agents, and requested files are logged."

    Still looking for a way to get this user agent info. Any other suggestions?
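
Added example, not part of any post in this thread: a detector for the 404 bursts shown in the first post that also answers the user-agent question, reading both the common log format (no user agent) and the combined format. The function names, thresholds, documentation-range IPs and the `ExampleScanner/1.0` agent are constructed for illustration, and the code assumes the log lines arrive in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "common" line, plus the optional "referer" "user-agent" pair that
# the "combined" format appends.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+(?: "[^"]*" "(?P<ua>[^"]*)")?\s*$')

def parse_line(line):
    """Return (ip, time, path, status, user_agent), or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = m["req"].split()
    return m["ip"], ts, parts[1] if len(parts) > 1 else "", int(m["status"]), m["ua"]

def find_404_bursts(lines, max_hits=10, window_seconds=5):
    """Map each IP with more than max_hits 404s in any window to its details.
    "agents" stays empty for common-format logs, which carry no user agent."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of its recent 404s
    seen = defaultdict(lambda: {"peak": 0, "paths": set(), "agents": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != 404:
            continue
        ip, ts, path, _, ua = rec
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop hits that fell out of the window
            q.popleft()
        info = seen[ip]
        info["peak"] = max(info["peak"], len(q))
        info["paths"].add(path)
        if ua and ua != "-":
            info["agents"].add(ua)
    return {ip: i for ip, i in seen.items() if i["peak"] > max_hits}

# Constructed sample: common-format burst, combined-format burst, one visitor.
SAMPLE = [
    f'192.0.2.10 - - [26/Jul/2006:04:43:{46 + i // 6} -0500] '
    f'"GET /phpMyAdmin-2.6.{i % 4}/main.php HTTP/1.0" 404 -' for i in range(12)
] + [
    f'203.0.113.5 - - [26/Jul/2006:07:19:20 -0500] "GET /blog{i}/xmlrpc.php '
    f'HTTP/1.0" 404 - "-" "ExampleScanner/1.0"' for i in range(11)
] + ['198.51.100.7 - - [26/Jul/2006:07:19:21 -0500] "GET /favicon.ico HTTP/1.1" '
     '404 209 "http://example.com/" "Mozilla/5.0"']

if __name__ == "__main__":
    for ip, info in find_404_bursts(SAMPLE).items():
        print(ip, info["peak"], sorted(info["agents"]) or "no user agent logged")
```

A single stray 404 from a normal visitor stays below the threshold, so only the two burst sources are reported.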
     
  12. dafut

    dafut Well-Known Member

    Joined:
    Dec 14, 2005
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    6
     