I have a client with a shared server. I think it has been compromised in some way. Bandwidth is currently running about 600% above normal and there are thousands of entries in the log such as
74.129.2.100 - - [07/Jan/2007:09:05:37 -0500] "GET http://e14.member.ukl.yahoo.com/con...s/index.php&.src=sbs&login=lock-up&passwd=sex HTTP/1.0" 404 10322 "-" "-"
66.67.160.145 - - [07/Jan/2007:09:05:39 -0500] "GET http://n31.login.scd.yahoo.com/conf...u&new=1&passwd=123456&.done=&login=fire__1999 HTTP/1.0" 404 10322 "-" "-"
AWStats report Pages-URL - the top site is http://www.yahoo.com/
The "Links from an external page" report gives the top few as:
- http://www.nsosoft.com/gossip/ 1731 1731
- http://members.princessblueyez.com 806 806
- http://www.cashsoldier.com/VerifyerLevel.php 394 394
- http://iask.biz 231 231
- http://sedoparking.com/showparking.php4 77 77
- http://amateur-sexygirls.com 57 57
- http://members09.fm-teens.com 26 26
- http://realhomeporn.org 20 20
- http://www.iask.biz 16 16
Their server is not running any firewall that I am aware of (I don't actually look after their hosting and they have asked me for my thoughts).
I think there may be a compromise of their server.
I have in the meantime used the .htaccess file to ban the domains above as follows; I don't think that is having any effect.
RewriteEngine on
# Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} nsosoft\.com [NC,OR]
# etc. (one RewriteCond line per domain listed above)
RewriteRule .* - [F]
I would appreciate knowledgeable comments/solutions please.
Thanks,
Peter
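The two log lines quoted above have an absolute URL as the request target (a client treating the server as a forward proxy) and an empty Referer ("-"), so a Referer-based RewriteCond never matches them. The following is an added example, not the poster's script, that parses Apache combined-format lines, separates proxy-style requests from ordinary ones, and tallies them per source IP and requested host so the pattern can be measured rather than guessed; the sample log is constructed from the two posted lines plus one ordinary request.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache combined log format: host ident user [time] "method target proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample input: the two lines from the post plus one normal origin request.
SAMPLE_LOG = """\
74.129.2.100 - - [07/Jan/2007:09:05:37 -0500] "GET http://e14.member.ukl.yahoo.com/con...s/index.php&.src=sbs&login=lock-up&passwd=sex HTTP/1.0" 404 10322 "-" "-"
66.67.160.145 - - [07/Jan/2007:09:05:39 -0500] "GET http://n31.login.scd.yahoo.com/conf...u&new=1&passwd=123456&.done=&login=fire__1999 HTTP/1.0" 404 10322 "-" "-"
203.0.113.7 - - [07/Jan/2007:09:06:01 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_proxy_style(entry):
    # An absolute URL as request-target means the client is asking this server to
    # fetch a third-party site for it; an ordinary origin request starts with "/".
    return entry["target"].lower().startswith(("http://", "https://"))

def summarise(log_text):
    """Count proxy-style requests by source IP and by requested host."""
    by_source, by_destination = Counter(), Counter()
    credential_hits = 0  # targets carrying login=/passwd= parameters, as in the posted lines
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not is_proxy_style(entry):
            continue
        by_source[entry["ip"]] += 1
        by_destination[urlsplit(entry["target"]).hostname] += 1
        if "passwd=" in entry["target"] or "login=" in entry["target"]:
            credential_hits += 1
    return {
        "proxy_requests": sum(by_source.values()),
        "by_source": by_source,
        "by_destination": by_destination,
        "credential_hits": credential_hits,
    }

if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

Run it against the real access log (read the file instead of SAMPLE_LOG) and sort `by_source` to see which clients account for the bandwidth spike.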