The Community Forums


Is this a hacker?

Discussion in 'General Discussion' started by gordypordy, Feb 1, 2006.

  1. gordypordy

    gordypordy Active Member

    Joined:
    Jan 6, 2004
    Messages:
    30
    Likes Received:
    0
    Trophy Points:
    156
    Hi,

    My server has been showing high loads at various times over the past few days.
    I checked my logs, and found some strange information. I'm not sure if this is a hacking attempt, or if they in fact have gained access, or whether somebody is using a script to try and gain access.

    This is a snapshot taken from my ACCESS_LOG file:
    ####################

    218.232.96.150 - - [31/Jan/2006:18:47:47 -0500] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:47 -0500] "GET /xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:48 -0500] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:48 -0500] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:49 -0500] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:49 -0500] "GET /blog/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:49 -0500] "GET /xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:49 -0500] "GET /drupal/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:49 -0500] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:49 -0500] "GET /community/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:50 -0500] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:50 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:50 -0500] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:50 -0500] "GET /blog/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:50 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:50 -0500] "GET /xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:51 -0500] "GET /drupal/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:51 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:51 -0500] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:51 -0500] "GET /community/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:51 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:51 -0500] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:51 -0500] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:51 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:51 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /blog/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /drupal/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:52 -0500] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:53 -0500] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:53 -0500] "GET /community/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:53 -0500] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:53 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:53 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:53 -0500] "GET /blog/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:53 -0500] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:53 -0500] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:53 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 137
    218.232.96.150 - - [31/Jan/2006:18:47:53 -0500] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 137
    ##################
    This is only a PART of it as the post would not allow the full amount!

    This type of stuff has been appearing frequently over the last couple of weeks. The problem is, it is from a variety of different IP addresses. I don't know if this is some type of DDoS attack, a hacker using a proxy, or what.

    Anybody have any suggestions?
     
  2. elleryjh

    elleryjh Well-Known Member

    Joined:
    Apr 12, 2003
    Messages:
    479
    Likes Received:
    0
    Trophy Points:
    166
  3. simplestar

    simplestar Well-Known Member

    Joined:
    Nov 15, 2005
    Messages:
    97
    Likes Received:
    0
    Trophy Points:
    156
    You should make use of your Mod_Sec and apply some 'GET' rules.
     
  4. gordypordy

    gordypordy Active Member

    Joined:
    Jan 6, 2004
    Messages:
    30
    Likes Received:
    0
    Trophy Points:
    156
    Hi,

    Okay I ran chkrootkit and it came up with the following:

    Checking `bindshell'... INFECTED (PORTS: 465)


    I'm not too hot on this subject, so how would I go about treating this?

    I have AFP installed on the server, and I don't think 465 is a common port, so how it got infected is a mystery. But the problem is fixing it; how would I go about that?
     
  5. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,472
    Likes Received:
    20
    Trophy Points:
    463
    Location:
    Go on, have a guess
    It's a false positive. Port 465 is used for ssmtp (SMTP over SSL).
     