Server’s IP scanning website directory

littlebob

Member
Dec 15, 2007
10
0
51
I have someone using the server IP address to scanning one of the directory’s on one of my websites.

The dedicated server has only 4 personal websites on it, When I look at the site logs that is being scanned I see the servers IP hitting the one site.
In some cases over 2,000 times… He was scanning one folder for a number of days so I removed it but he keeps coming back.

Below is a sample of the site log that is being scanned…

MY.SERVER.IP.ADDRESS - - [12/Feb/2011:20:09:08 -0500] "GET /Support/08support/tea-pot/excru.jpg HTTP/1.0" 404 - "-" "-"
MY.SERVER.IP.ADDRESS - - [12/Feb/2011:20:09:08 -0500] "GET /Support/08support/tea-pot/top-10.jpg HTTP/1.0" 404 - "-" "-"
MY.SERVER.IP.ADDRESS - - [12/Feb/2011:20:09:09 -0500] "GET /Support/08support/tea-pot/top-12.jpg HTTP/1.0" 404 - "-" "-"

One questions is it possible to stop this guy?
The other question is how can he use my servers IP to connect to a site that is on the server.

I am absolutely stupid when it comes to this stuff… so please forgive me if questions are dumb.

Any help would appreciated

Littlebob
 

littlebob

Member
Dec 15, 2007
10
0
51
>>> 1- Deny his IP
>>> 2- Enable "mod_userdir"

I'm sorry, but if I deny my servier IP Address, would that not lock everyone out.

It is My Server's own IP address that is being used to attact a website on that server.

Please any help with this... i am getting hit 2000 to 3000 times almost everday from this guy.

Thank you
Littlebob
 

littlebob

Member
Dec 15, 2007
10
0
51
It is from the website that is on the server at is being attacked. the hacker is using the server's IP/websites IP

The server has the same IP as the website...

Thank for any input on the matter

Littlebob
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
41
348
somewhere over the rainbow
cPanel Access Level
Root Administrator
If it might be part of the site itself with the bad links providing this output for a style sheet like Infopro suggested, you could grep for it:

Code:
cd /home/username/public_html
grep -R "Support/08support/tea-pot/excru.jpg" ./*
To see if you can find any code referencing that image path. You might even shorten the search path to excru.jpg instead.
 

littlebob

Member
Dec 15, 2007
10
0
51
Thank you… but the first thing I did was to delete the directory Support and all its content.

When he first came he was scanning /Support/ sometimes 1,000 - 2,000 time.
I removed the folder... and pointed it to a 404 page... that has not stopped him.
I removed the 404 page so it shows only 404 and no page... that has not stopped him.
On Fed. 12th he hit the server 1785 times in about 5 minutes... using the server's IP.

I asked the security person Andy at ServerTune he had no idea and suggested I come here for the answer.

I really would like to know just how can someone use you own IP to scan the folders on your server.
I see this a lot with IP's from Germany /proxies… these can be blocked by IP.

But what to do when it is your own IP.
For no reason Yesterday and today he has no been on the site.

Thanks for any help.
 
Last edited:

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
41
348
somewhere over the rainbow
cPanel Access Level
Root Administrator
Have you performed a grep to see if that user's code is calling this and causing the issue as I just suggested? Removing the folder doesn't mean a part of script isn't calling this from the account itself and causing the connection as Infopro suggested and I provided advise on how to find by running that grep. It is possible that isn't what is happening, but if you haven't checked for any coding on that account that might be calling it, you cannot rule it out.

As for the server's own IP being used, IP spoofing can happen, so if someone wanted to hide their IP and spoof it as the server's IP, it can happen.