The Community Forums


Is this a hacker?

Discussion in 'General Discussion' started by gordypordy, Feb 1, 2006.

  1. gordypordy

    gordypordy Active Member

    Joined:
    Jan 6, 2004
    Messages:
    30
    Likes Received:
    0
    Trophy Points:
    0
    Hi,

    My server has been showing high loads at various times over the past few days.
    I checked my logs, and found some strange information. I'm not sure if this is a hacking attempt, or if they in fact have gained access, or whether somebody is using a script to try and gain access.

    This is a snapshot taken from my ACCESS_LOG file:
    ####################

    218.232.96.150 - - [31/Jan/2006:18:47:47 -0500] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:47 -0500] "GET /xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:48 -0500] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:48 -0500] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:49 -0500] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:49 -0500] "GET /blog/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:49 -0500] "GET /xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:49 -0500] "GET /drupal/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:49 -0500] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:49 -0500] "GET /community/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:50 -0500] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:50 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:50 -0500] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:50 -0500] "GET /blog/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:50 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:50 -0500] "GET /xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:51 -0500] "GET /drupal/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:51 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:51 -0500] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:51 -0500] "GET /community/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:51 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:51 -0500] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:51 -0500] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:51 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:51 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /blog/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /drupal/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:53 -0500] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:53 -0500] "GET /community/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:53 -0500] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:53 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:53 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:53 -0500] "GET /blog/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:53 -0500] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:53 -0500] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:53 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:53 -0500] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 137
    ##################
    This is only a PART of it as the post would not allow the full amount!

    This type of stuff has been appearing frequently over the last couple of weeks. The problem is, it is from a variety of different IP addresses. I don't know if this is some type of DDoS attack, a hacker using a proxy or what.

    Anybody have any suggestions?
     
  2. elleryjh

    elleryjh Well-Known Member

    Joined:
    Apr 12, 2003
    Messages:
    479
    Likes Received:
    0
    Trophy Points:
    16
  3. simplestar

    simplestar Well-Known Member

    Joined:
    Nov 15, 2005
    Messages:
    97
    Likes Received:
    0
    Trophy Points:
    6
    You should make use of your Mod_Sec and apply some 'GET' rules.
     
  4. gordypordy

    gordypordy Active Member

    Joined:
    Jan 6, 2004
    Messages:
    30
    Likes Received:
    0
    Trophy Points:
    0
    Hi,

    Okay I ran chkrootkit and it came up with the following:

    Checking `bindshell'... INFECTED (PORTS: 465)


    I'm not too hot on this subject, so how would I go about treating this?

    I have AFP installed on the server, and I don't think 465 is a common port, so how it got infected is a mystery. But the problem is fixing it; how would I go about that?
     
  5. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    It's a false positive. Port 465 is used for ssmtp (SMTP over SSL).
     