Hack attempt - I wish someone could tell me how to stop this.

jols

Well-Known Member
Mar 13, 2004
1,110
3
168
I see it all the time in the general Apache logs. Obviously a hack attempt via some script run on the server to look for various vulnerable scripts. Problem is the attempts hit the server so fast and hard, it spikes the load to 20, 30 and beyond. I can only get in there to block the IP manually. AMAZINGLY, BFD does not ever block these kinds of attempts!!!!

Here's a VERY short sample from /usr/local/apache/logs/access_log of an attempt that momentarily drove up the load and killed some services on our server (AGAIN):

217.160.227.75 - - [26/Jul/2006:04:43:46 -0500] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:47 -0500] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:47 -0500] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:47 -0500] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:47 -0500] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:47 -0500] "GET /phpMyAdmin-2.6.0-pl1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:47 -0500] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:47 -0500] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:47 -0500] "GET /phpMyAdmin-2.6.0-pl1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:47 -0500] "GET /mysql-admin/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:47 -0500] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:47 -0500] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:48 -0500] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:48 -0500] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:48 -0500] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:48 -0500] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:48 -0500] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:48 -0500] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:48 -0500] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:48 -0500] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:48 -0500] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:48 -0500] "GET /main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:48 -0500] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:49 -0500] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:49 -0500] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:50 -0500] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:50 -0500] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:50 -0500] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:50 -0500] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:50 -0500] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:50 -0500] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:50 -0500] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:50 -0500] "GET /phpMyAdmin-2.5.6/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:50 -0500] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:50 -0500] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:51 -0500] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:51 -0500] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:52 -0500] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:52 -0500] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:52 -0500] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:52 -0500] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:52 -0500] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:52 -0500] "GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:53 -0500] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:53 -0500] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:53 -0500] "GET /phpMyAdmin-2.5.1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:55 -0500] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:57 -0500] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:43:59 -0500] "GET /myadmin/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:44:01 -0500] "GET /myadmin/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:44:01 -0500] "GET /phpMyAdmin-2.6.0/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:44:01 -0500] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:44:01 -0500] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:44:02 -0500] "GET /phpMyAdmin-2.6.0/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:44:02 -0500] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:44:02 -0500] "GET /phpMyAdmin-2.6.0-pl1/main.php HTTP/1.0" 404 -
217.160.227.75 - - [26/Jul/2006:04:44:02 -0500] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 -
 

jols

Well-Known Member
Mar 13, 2004
1,110
3
168
nickp666 said:
install apache mod_evasive if its a DOS attack
I've heard that mod_evasive kills FrontPage server extensions. True?

And I really don't think this is a DOS attack, it ACTS like one, but these appear to be bot-probes looking for vulnerable scripts.
 

jols

Well-Known Member
Mar 13, 2004
1,110
3
168
nickp666 said:
get the user agent from the apache logs and if its not a browser ban it with mod_security.
Sounds like a good idea, but how?

These kinds of entries only seem to show up here - /usr/local/apache/logs/access_log

... and I'm not seeing user agent entries, only stuff like the following. Here's all of one second's worth:

67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /community/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /community/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
67.15.68.12 - - [26/Jul/2006:07:19:20 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 -
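The check nickp666 describes (pull the user agent out of the Apache log and treat a non-browser agent hammering the server as a bot), as an added example that is not code from anyone in this thread or from cPanel. It parses both the "common" log format shown above, which records no user agent, and the "combined" format, counts 404 responses per client IP inside a sliding time window, and lists each flagged IP's user agents so a non-browser agent can be confirmed before the IP is blocked. The sample log lines, the IPs (documentation ranges), the libwww-perl agent string, the 20-404s-in-10-seconds threshold and the Mozilla/Opera prefix check are all constructed or assumed for the example, not settings from any poster.

```python
"""Flag vulnerability-scanner bursts in an Apache access log.

Added example for this thread, not code from any poster or from cPanel.
Handles the "common" format (no user agent, as in the thread's samples) and
the "combined" format (referer + user agent) that the "combined" log style
writes.
"""
import re
from collections import defaultdict
from datetime import datetime

# One regex for both formats: the trailing referer/user-agent pair is optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Assumed heuristic: browsers of the period announce themselves as Mozilla/ or Opera/.
BROWSER_PREFIXES = ("Mozilla/", "Opera/")


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["agent"] = rec["agent"] or "-"      # common format carries no agent
    return rec


def looks_like_browser(agent):
    return agent.startswith(BROWSER_PREFIXES)


def find_bursts(lines, threshold=20, window_seconds=10):
    """Return {ip: info} for IPs with >= threshold 404s inside any window.

    threshold and window_seconds are assumed values, chosen so that a scanner
    walking a list of script paths trips the check while a visitor with a
    couple of mistyped URLs does not.
    """
    not_found = defaultdict(list)   # ip -> timestamps of its 404 responses
    agents = defaultdict(set)       # ip -> every user agent it has sent
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        agents[rec["ip"]].add(rec["agent"])
        if rec["status"] == 404:
            not_found[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in not_found.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # slide the window start forward until it spans <= window_seconds
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            ua = sorted(agents[ip])
            flagged[ip] = {
                "peak_404s_in_window": peak,
                "agents": ua,
                "browser_like": any(looks_like_browser(a) for a in ua),
            }
    return flagged


# Constructed sample log (documentation IP ranges, made-up paths and agents).
SAMPLE_LOG = [
    # a scanner: 25 probes for phpMyAdmin paths in two seconds, library UA
    *[f'192.0.2.10 - - [26/Jul/2006:04:43:{46 + i // 15:02d} -0500] '
      f'"GET /phpMyAdmin-2.6.{i % 4}/main.php HTTP/1.0" 404 - "-" "libwww-perl/5.805"'
      for i in range(25)],
    # an ordinary visitor: one mistyped URL, then a successful page load
    '198.51.100.7 - - [26/Jul/2006:04:44:10 -0500] "GET /index.htm HTTP/1.1" 404 209 '
    '"-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20060508 Firefox/1.5.0.4"',
    '198.51.100.7 - - [26/Jul/2006:04:44:12 -0500] "GET /index.html HTTP/1.1" 200 4523 '
    '"-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20060508 Firefox/1.5.0.4"',
    # a "common"-format line like the thread's own samples: no agent recorded
    '203.0.113.5 - - [26/Jul/2006:07:19:20 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 -',
]

if __name__ == "__main__":
    for ip, info in find_bursts(SAMPLE_LOG).items():
        verdict = "browser-like UA, review first" if info["browser_like"] else "no browser UA"
        print(f"{ip}: {info['peak_404s_in_window']} x 404 in window; "
              f"agents={info['agents']} ({verdict})")
```

Run against a real file with `find_bursts(open("/usr/local/apache/logs/access_log"))`. The per-IP count in a window is the same idea mod_evasive applies, but the script only reports; the agent list is there so a burst from something announcing itself as a browser gets looked at rather than blocked blindly. Note that lines in the "common" format, like the ones posted in this thread, come back with agent `-`, so the user-agent signal is only available where the combined style is in effect.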
 

NightStorm

Well-Known Member
Jul 28, 2003
286
4
168
cPanel Access Level
Root Administrator
mod_evasive will stop that. And while there have been some reports of it messing with Frontpage Extensions, I have yet to experience something of that sort in the 3 years I have been using it.
Also something to keep in mind, although it won't matter too much just yet... Microsoft is going to cease support for Frontpage Extensions, and there are several rumours going around right now that when Microsoft does, cPanel will too.

In the meantime, for the first IP you posted (the 217 IP), mail the logs to [email protected]. For the second one (the 67 IP), [email protected]. I don't know about schlund.de, but Ev1 are very good about unplugging any server running exploit scanner bots against other servers.

And I concur that you should check out Chirpy's Firewall and Login Detection plugin (ConfigServer Firewall). It'll be one of the better things you have installed on your server.
 

nickp666

Well-Known Member
Jan 28, 2005
769
2
168
/dev/null
jols said:
Sounds like a good idea, but how?

These kinds of entries only seem to show up here - /usr/local/apache/logs/access_log

... and I'm not seeing user agent entries, only stuff like the following. Here's all of one second's worth:

If you look in /usr/local/apache/domlogs/domain.tld, if you have extended logging on, they will be in there. If you haven't, set the logging in WHM > Basic cPanel/WHM setup.
 

jols

Well-Known Member
Mar 13, 2004
1,110
3
168
NightStorm said:
.... And I concur that you should check out Chirpy's Firewall and Login Detection plugin (ConfigServer Firewall). It'll be one of the better things you have installed on your server.
We have this on two servers now, and as nice as it is, it does not stop these attacks.
 

jols

Well-Known Member
Mar 13, 2004
1,110
3
168
nickp666 said:
If you look in /usr/local/apache/domlogs/domain.tld, if you have extended logging on, they will be in there. If you haven't, set the logging in WHM > Basic cPanel/WHM setup.
Hmmm, no such file as domain.tld

In cPanel/WHM Apache Access Log Style is set to combined
"combined - All information including referers, user agents, and requested files are logged."

Still looking for a way to get this user agent info. Any other suggestions?
 

dafut

Well-Known Member
Dec 14, 2005
74
0
156
jols said:
Hmmm, no such file as domain.tld

domain.tld means domain, as in yahoo, .tld, as in .com. Which means replace the word "domain" with the different domains on your server and the .tld with their .TopLevelDomain extensions (.com, .net, .org, .us, .info, etcetera).

In SSH, you can do a "ls -l /usr/local/apache/domlogs/" and get a listing of "domlogs" or "domain logs" on your server.

For information about how to search or follow these logs, read up on grep and tail; both are command line applications that will help you work with the log files.