Server’s IP scanning website directory

Discussion in 'Security' started by littlebob, Feb 12, 2011.

  1. littlebob

    littlebob Member

    I have someone using the server IP address to scan one of the directories on one of my websites.

    The dedicated server has only 4 personal websites on it. When I look at the logs of the site that is being scanned, I see the server's IP hitting the one site.
    In some cases over 2,000 times… He was scanning one folder for a number of days so I removed it but he keeps coming back.

    Below is a sample of the site log that is being scanned…

    MY.SERVER.IP.ADDRESS - - [12/Feb/2011:20:09:08 -0500] "GET /Support/08support/tea-pot/excru.jpg HTTP/1.0" 404 - "-" "-"
    MY.SERVER.IP.ADDRESS - - [12/Feb/2011:20:09:08 -0500] "GET /Support/08support/tea-pot/top-10.jpg HTTP/1.0" 404 - "-" "-"
    MY.SERVER.IP.ADDRESS - - [12/Feb/2011:20:09:09 -0500] "GET /Support/08support/tea-pot/top-12.jpg HTTP/1.0" 404 - "-" "-"

    One question is: is it possible to stop this guy?
    The other question is: how can he use my server's IP to connect to a site that is on the server?

    I am absolutely stupid when it comes to this stuff… so please forgive me if the questions are dumb.

    Any help would be appreciated.

    Littlebob
     
  2. littlebob

    littlebob Member

    Any help on this please.
     
  3. ModServ

    ModServ Well-Known Member

    You can do one of the following:

    1- Deny his IP
    2- Enable "mod_userdir"

    Seems that he is using a program to scan for vulns.
     
  4. littlebob

    littlebob Member

    >>> 1- Deny his IP
    >>> 2- Enable "mod_userdir"

    I'm sorry, but if I deny my server IP address, would that not lock everyone out?

    It is my server's own IP address that is being used to attack a website on that server.

    Please, any help with this... I am getting hit 2000 to 3000 times almost every day from this guy.

    Thank you
    Littlebob
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Where is that snip of log taken from?
     
  6. littlebob

    littlebob Member

    It is from the website on the server that is being attacked. The hacker is using the server's IP/website's IP.

    The server has the same IP as the website...

    Thanks for any input on the matter.

    Littlebob
     
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    From the website where exactly?

    Could this be the website's style looking for images that are not there?
     
  8. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    If it might be part of the site itself with the bad links providing this output for a style sheet like Infopro suggested, you could grep for it:

    Code:
    cd /home/username/public_html
    grep -R "Support/08support/tea-pot/excru.jpg" ./*
    To see if you can find any code referencing that image path. You might even shorten the search path to excru.jpg instead.
     
  9. littlebob

    littlebob Member

    Thank you… but the first thing I did was to delete the directory Support and all its content.

    When he first came he was scanning /Support/ sometimes 1,000 - 2,000 times.
    I removed the folder... and pointed it to a 404 page... that has not stopped him.
    I removed the 404 page so it shows only 404 and no page... that has not stopped him.
    On Feb. 12th he hit the server 1785 times in about 5 minutes... using the server's IP.

    I asked the security person Andy at ServerTune; he had no idea and suggested I come here for the answer.

    I really would like to know just how someone can use your own IP to scan the folders on your server.
    I see this a lot with IPs from Germany/proxies… these can be blocked by IP.

    But what to do when it is your own IP?
    For no reason, yesterday and today he has not been on the site.

    Thanks for any help.
     
    #9 littlebob, Feb 14, 2011
    Last edited: Feb 14, 2011
  10. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Have you performed a grep to see if that user's code is calling this and causing the issue as I just suggested? Removing the folder doesn't mean a part of a script isn't calling this from the account itself and causing the connection, as Infopro suggested and I provided advice on how to find by running that grep. It is possible that isn't what is happening, but if you haven't checked for any coding on that account that might be calling it, you cannot rule it out.

    As for the server's own IP being used, IP spoofing can happen, so if someone wanted to hide their IP and spoof it as the server's IP, it can happen.
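
Added example, not part of any post in this thread: a Python summary of the access-log entries recorded for the server's own address, in the format of the lines littlebob posted, reporting the peak request rate, the directories requested, and how many requests carry no referer or user agent. The IP addresses, the fourth and fifth log lines, and the names `summarize`, `SERVER_IP` and `SAMPLE_LOG` are assumptions made for this example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache "combined" format: client ident user [time] "request" status size "referer" "agent"
LINE_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def summarize(lines, client, window=timedelta(minutes=5)):
    """Summarize the requests logged for one client address."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m["client"] == client:
            hits.append((datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m))
    hits.sort(key=lambda h: h[0])
    # Peak request count inside any sliding window (two-pointer scan).
    peak = start = 0
    for end, (when, _) in enumerate(hits):
        while when - hits[start][0] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return {
        "total": len(hits),
        "peak_in_window": peak,
        "statuses": Counter(m["status"] for _, m in hits),
        "directories": Counter(m["path"].rsplit("/", 1)[0] + "/" for _, m in hits),
        "protocols": Counter(m["proto"] for _, m in hits),
        "no_referer_or_agent": sum(m["referer"] == "-" and m["agent"] == "-" for _, m in hits),
    }

# Constructed sample: 192.0.2.10 stands in for the server's own IP (documentation range);
# the first three requests mirror the thread, the last two lines are invented.
SERVER_IP = "192.0.2.10"
SAMPLE_LOG = """\
192.0.2.10 - - [12/Feb/2011:20:09:08 -0500] "GET /Support/08support/tea-pot/excru.jpg HTTP/1.0" 404 - "-" "-"
192.0.2.10 - - [12/Feb/2011:20:09:08 -0500] "GET /Support/08support/tea-pot/top-10.jpg HTTP/1.0" 404 - "-" "-"
192.0.2.10 - - [12/Feb/2011:20:09:09 -0500] "GET /Support/08support/tea-pot/top-12.jpg HTTP/1.0" 404 - "-" "-"
198.51.100.7 - - [12/Feb/2011:20:09:10 -0500] "GET /index.html HTTP/1.1" 200 5120 "http://example.com/" "Mozilla/5.0"
192.0.2.10 - - [12/Feb/2011:20:20:00 -0500] "GET /Support/08support/tea-pot/top-14.jpg HTTP/1.0" 404 - "-" "-"
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines(), SERVER_IP).items():
        print(f"{key}: {value}")
```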
     