Hack attempt - I wish someone could tell me how to stop this.

jols · Jul 26, 2006

I see it all the time in the genral Apache logs. Obviously a hack attempt via some script run on the server to look for various vulnerable scripts. Problem is the attempts hit the server so fast and hard, it spikes the load to 20, 30 and beyond. I can only get in there to block the IP manually, AMAZINGLY BFD does not ever block these kinds of attempts!!!!

Here's a VERY sample short from /usr/local/apache/logs/access_log of a attempt that momentarily drove up the load and killed some services on our server (AGAIN):

217.160.227.75 - - [26/Jul/2006:04:43:46 -0500] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:47 -0500] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:47 -0500] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:47 -0500] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:47 -0500] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:47 -0500] "GET /phpMyAdmin-2.6.0-pl1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:47 -0500] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:47 -0500] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:47 -0500] "GET /phpMyAdmin-2.6.0-pl1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:47 -0500] "GET /mysql-admin/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:47 -0500] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:47 -0500] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:48 -0500] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:48 -0500] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:48 -0500] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:48 -0500] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:48 -0500] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:48 -0500] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:48 -0500] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:48 -0500] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:48 -0500] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:48 -0500] "GET /main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:48 -0500] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:49 -0500] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:49 -0500] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:50 -0500] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:50 -0500] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:50 -0500] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:50 -0500] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:50 -0500] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:50 -0500] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:50 -0500] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:50 -0500] "GET /phpMyAdmin-2.5.6/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:50 -0500] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:50 -0500] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:51 -0500] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:51 -0500] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:52 -0500] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:52 -0500] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:52 -0500] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:52 -0500] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:52 -0500] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:52 -0500] "GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:53 -0500] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:53 -0500] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:53 -0500] "GET /phpMyAdmin-2.5.1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:55 -0500] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:57 -0500] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:59 -0500] "GET /myadmin/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:44:01 -0500] "GET /myadmin/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:44:01 -0500] "GET /phpMyAdmin-2.6.0/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:44:01 -0500] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:44:01 -0500] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:44:02 -0500] "GET /phpMyAdmin-2.6.0/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:44:02 -0500] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:44:02 -0500] "GET /phpMyAdmin-2.6.0-pl1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:44:02 -0500] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 -

nickp666 · Jul 26, 2006

install apache mod_evasive if its a DOS attack

sitekeeper · Jul 26, 2006

I would install ConfigServer Firewall
Info: http://forums.cpanel.net/showthread.php?t=53511
Website and download: http://www.configserver.com/cp/csf.html

Will help for DOS too..

jols · Jul 26, 2006

nickp666 said:
install apache mod_evasive if its a DOS attack

I've heard that mod_evasive kills FrontPage server extensions. True?

And I really don't think this is a DOS attack, it ACTS like one, but these appear to be bot-probes looking for vulnerable scripts.

nickp666 · Jul 27, 2006

I have clients that use FP, nobody has reported any problems to me.

nickp666 · Jul 27, 2006

get the user agent from the apache logs and if its not a browser ban it with mod_security.

jols · Jul 27, 2006

nickp666 said:
get the user agent from the apache logs and if its not a browser ban it with mod_security.

Sounds like a good idea, but how?

These kinds of entries only seem to show up here - /usr/local/apache/logs/access_log

... and I'm not seeing user agent entries, only stuff like the following. Here's one all of seconds worth:

67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /community/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /community/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -

NightStorm · Jul 27, 2006

mod_evasive will stop that. And while there have been some reports of it messing with Frontpage Extensions, I have yet to experience something of that sort in the 3 years I ahve been using it.
Also something to keep in mind, although it won't matter too much just yet... Microsoft is going to cease support for Frontpage Extensions, and there are several rumours going around right now that when Microsoft does, cPanel will too.

In the meantime, for the first IP you posted (the 217 IP), mail the logs to [email protected]schlund.de. For the second one (the 67 IP), [email protected]. I don't know about schlund.de, but Ev1 are very good about unplugging any server running exploit scanner bots against other servers.

And I concure that you should check out Chirpy's Firewall and Login Detection plugin (ConfigServer Firewall). It'll be one of the better things you have installed on your server.

nickp666 · Jul 27, 2006

jols said:
Sounds like a good idea, but how?

These kinds of entries only seem to show up here - /usr/local/apache/logs/access_log

... and I'm not seeing user agent entries, only stuff like the following. Here's one all of seconds worth:

67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /community/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /community/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -

if you look in /usr/local/apache/domlogs/domain.tld if you have extended logging on they will be in there, if you havent, set the logging in WHM > Basic cPanel/WHM setup

jols · Sep 22, 2006

NightStorm said:
.... And I concure that you should check out Chirpy's Firewall and Login Detection plugin (ConfigServer Firewall). It'll be one of the better things you have installed on your server.

We have this on two servers now, and as nice as it is, it does not stop these attacks.

jols · Sep 22, 2006

nickp666 said:
if you look in /usr/local/apache/domlogs/domain.tld if you have extended logging on they will be in there, if you havent, set the logging in WHM > Basic cPanel/WHM setup

Hmmm, no such file as domain.tld

In cPanel/WHM Apache Access Log Style is set to combined
"combined - All information including referers, user agents, and requested files are logged."

Still looking for a way to get this user agent info. Any other suggestions?

dafut · Sep 23, 2006

jols said:
Hmmm, no such file as domain.tld
QUOTE]

domain.tld means domain, as in yahoo, .tld, as in .com. Which means replace the word "domain" with the different domains on your server and the .tld with their .TopLevelDomain extensions (.com, .net, .org, .us, .info, etcetera).

In SSH, you can do a "ls -l /usr/local/apache/domlogs/" and get a listing of "domlogs" or "domain logs" on your server.

For information about how to search or follow these logs, read up on grep and tail--both are command line applications that will help you work with the log files.

Thread starter	Similar threads	Forum	Replies	Date
D	Attempted hacker	Security	2	May 12, 2015
E	Constant hack attempts since the 16th of Feb	Security	7	Feb 21, 2015
R	utilizing unused ips as a means to block scripted or physical hacking attempts	Security	1	Dec 29, 2013
M	Is attempting to hack in to my CPanel illegal?	Security	5	Aug 15, 2013
L	talking about a hack attempt on my server	Security	8	Aug 12, 2013

Search

Search

Hack attempt - I wish someone could tell me how to stop this.

jols

Well-Known Member

nickp666

Well-Known Member

sitekeeper

Well-Known Member

jols

Well-Known Member

nickp666

Well-Known Member

nickp666

Well-Known Member

jols

Well-Known Member

NightStorm

Well-Known Member

nickp666

Well-Known Member

jols

Well-Known Member

jols

Well-Known Member

dafut

Well-Known Member