Is It A Hacking Attempt? Request Of Weird Files Along With Unwanted SSL Handshake
Mar 30, 2009
I see the following errors in my server, i.e. the httpd error logs:
Code:
[Mon Mar 30 07:23:55 2009] [error] mod_ssl: SSL handshake failed (server localhost:443, client 79.132.204.192) (OpenSSL library error follows)
[Mon Mar 30 07:23:55 2009] [error] OpenSSL: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
[Mon Mar 30 07:23:55 2009] [error] mod_ssl: SSL handshake failed (server localhost:443, client 60.63.241.18) (OpenSSL library error follows)
[Mon Mar 30 07:23:55 2009] [error] OpenSSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol [Hint: speaking not SSL to HTTPS port!?]
[Mon Mar 30 07:23:56 2009] [error] [client 114.224.169.0] File does not exist: /var/www/html/XRkVCfvCJ/GzTk/ChDbhf/-YSDDv/1Sch/2hfMMf/-M0DO/ACDEzXMEM/CYSkGFj/SGXtEUX0W/0KMV/RKJ2fTUDC/bFT/SX00/VtJVht/D1XvJBgHP/5lll.gif
[Mon Mar 30 08:46:42 2009] [error] server reached MaxClients setting, consider raising the MaxClients setting
In the last line you can see that MySQL reached the maximum allowed clients... and it crashed.
Also, at regular intervals I see such requests:
/var/www/html/XRkVCfvCJ/GzTk/ChDbhf/-YSDDv/1Sch/2hfMMf/-M0DO/ACDEzXMEM/CYSkGFj/SGXtEUX0W/0KMV/RKJ2fTUDC/bF/SX00/VtJVht/D1XvJBgHP/5lll.gif
Also, I see SSL handshake failure notices while I do not have any SSL cert or any SSL-enabled site running on this server.
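As an added illustration (not code from the original post), the following Python reads lines in the format quoted above and separates the things that are mixed together in that log: mod_ssl handshake failures (which also show that mod_ssl is bound on localhost:443, whatever site is or is not configured), plaintext requests hitting the HTTPS port, random-path 404s that look like scanner probes, and httpd MaxClients exhaustion. The sample lines are constructed.

```python
import re
from collections import Counter

# Constructed lines modelled on the httpd error-log excerpt quoted above (same format).
SAMPLE_LOG = """\
[Mon Mar 30 07:23:55 2009] [error] mod_ssl: SSL handshake failed (server localhost:443, client 79.132.204.192) (OpenSSL library error follows)
[Mon Mar 30 07:23:55 2009] [error] OpenSSL: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
[Mon Mar 30 07:23:55 2009] [error] mod_ssl: SSL handshake failed (server localhost:443, client 60.63.241.18) (OpenSSL library error follows)
[Mon Mar 30 07:23:55 2009] [error] OpenSSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol [Hint: speaking not SSL to HTTPS port!?]
[Mon Mar 30 07:23:56 2009] [error] [client 114.224.169.0] File does not exist: /var/www/html/XRkVCfvCJ/GzTk/ChDbhf/-YSDDv/1Sch/2hfMMf/-M0DO/ACDEzXMEM/5lll.gif
[Mon Mar 30 07:23:57 2009] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico
[Mon Mar 30 08:46:42 2009] [error] server reached MaxClients setting, consider raising the MaxClients setting
"""

HANDSHAKE = re.compile(r"mod_ssl: SSL handshake failed \(server ([^,]+), client (\S+)\)")
MISSING = re.compile(r"\[client (\S+)\] File does not exist: (\S+)")
NOT_SSL_HINT = "speaking not SSL to HTTPS port"


def looks_like_probe(path: str) -> bool:
    """Heuristic: a deep path built from random mixed-case tokens (like the .gif
    request above) is scanner noise, not a broken link on your own site."""
    parts = [p for p in path.split("/") if p]
    mixed = [p for p in parts if re.search(r"[a-z]", p) and re.search(r"[A-Z]", p)]
    return len(parts) >= 6 and len(mixed) >= len(parts) // 2


def triage(log_text: str) -> dict:
    """Summarise an error log into what a defender wants to know: which listener
    is failing TLS and for which clients, whether plaintext is being sent to 443,
    which 404s look like probes, and whether MaxClients was reached."""
    report = {"ssl_listeners": set(), "handshake_failures": Counter(),
              "non_ssl_to_443": 0, "probe_404s": [], "maxclients": 0}
    for line in log_text.splitlines():
        if m := HANDSHAKE.search(line):
            report["ssl_listeners"].add(m.group(1))   # proves mod_ssl is bound here
            report["handshake_failures"][m.group(2)] += 1
        elif NOT_SSL_HINT in line:
            report["non_ssl_to_443"] += 1
        elif (m := MISSING.search(line)) and looks_like_probe(m.group(2)):
            report["probe_404s"].append((m.group(1), m.group(2)))
        elif "server reached MaxClients" in line:
            report["maxclients"] += 1
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```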
In my referral logs that I keep on a website, I have come across the following this morning. Is this someone who is trying to gain access to the server, etc.?
[url] [url] [url] [url] [url]
I have the IP addresses that they have come from and they resolve to a Russian (I think) website.
I'm just looking through all the folders on the server now and no data has been compromised as far as I can see, and I'm going to use the query strings in order to block access and also deny access via IP address.
I have worked with mod_rewrite for years and never encountered this problem. I am converting HTML pages to a single PHP file and it works perfectly. I used .htaccess to rewrite the URLs to appear the same so that no links would be broken or lose SEO value.
The only problem is that my friend who also helped build the sites added different directories, and within those directories are index.htm files that serve as a home page for the separate directory, like /info/index.htm and /help/index.htm within the root directory. The problem is that for some reason my mod_rewrite directs to the main index.htm rewrite even if I include the whole path to the file. In .htaccess I have this so far:
RewriteEngine on
RewriteRule index.htm$ index.php [L]
RewriteRule servers.htm$ index.php?action=servers [L]
RewriteRule movies.htm$ index.php?action=movies [L]
However, there is a directory named "info" and inside that directory it has an index.htm file, and it seems to conflict with my first mod_rewrite rule. I tried using:
RewriteRule /info/index.htm$ index.php?action=info [L]
and used other methods, but none seem to work. Any ideas?
I have a 6GB backup file created with another Plesk Backup Manager. Now I am trying to upload this backup file to my Plesk Backup Manager, but after uploading 3% I get a "413 Request Entity Too Large" error. I tried disabling NGINX but still get this error.
How can I resolve this error, or is there any other way to upload my file to Backup Manager?
I see that Backup Manager has a file size restriction of 2GB. How can I increase this?
I have multiple demo websites under a single domain, and in each folder the default page is index.html.
A few days back I observed a blank space on each index.html. When I checked the code I found an auto-generated code just after the body tag in index.html. The code is as follows:
<div style="visibility:hidden"><iframe src="[url]
Also, I am getting question marks (?) in some blank spaces in the HTML preview.
I have removed it but it appears again after some time. I have contacted server support, but they said that this is an SQL injection attack, but there is no database connectivity involved in any of my websites.
I have a chmod 777 folder open. It needed to be writable so that legitimate users can upload their picture. However, I do not want people to upload .php or .php.pjepg etc. to the server.
There are times when they do not use the form on my site to upload the PHP file. How can they do that? Via a Perl command? And how to prevent such a thing from happening?
Yesterday I upgraded PHP 4.4.6 to 5.x, then checked all my scripts/pages and everything was fine.
Today I upgraded MySQL 4 to 5 and recompiled PHP, and scripts are working fine, but all my Russian language pages are broken. I mean plain PHP pages, not those that depend on scripts.
It's weird: when I open them in Firefox they open with Win1251 encoding as supposed, but when I open them in IE they open with KOI8 encoding and I have to manually change the encoding to Win1251 to view the pages. This has been confirmed by other users.
I've just been having a look through my logwatch e-mail, and have seen the following that I've not seen before:
Code:
A total of 3 unidentified 'other' records logged
GET http:/ /74.52.21.101/index.php2?goto=[url] HTTP/1.0 with response code(s) 2 404 responses
GET http:/ /74.52.21.100/index.php2?goto=[url] HTTP/1.0 with response code(s) 2 404 responses
GET http:/ /74.52.21.102/index.php2?goto=[url] HTTP/1.0 with response code(s) 2 404 responses
NB. I've added a space in the URL to break the link.
What is happening here? This looks to be something dodgy.
A client is running a Server 2003 box with a couple of game servers. Unfortunately I'm noticing that something isn't quite right with some of the pings on the server (at times). Went to ping localhost and look at these results.
C:\Documents and Settings\Administrator>ping 127.0.0.1
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time=-987ms TTL=128
Reply from 127.0.0.1: bytes=32 time=-987ms TTL=128
Reply from 127.0.0.1: bytes=32 time=-987ms TTL=128
Reply from 127.0.0.1: bytes=32 time=-987ms TTL=128
Ping statistics for 127.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = -987ms, Maximum = -987ms, Average = 1073740837ms
Our company currently has colo in NY, UK and Geneva and have recently started to rent some space in an Australian datacentre.
In each of our existing centres we have a /26 range of IP addresses assigned to us (62 usable IPs) and we requested the same for our Australian installation.
The colo company has emailed us today with our IP range allocation and they seem to have chosen to allocate us 12 separate /29 ranges (6 usable IPs).
This seems really strange to me. Is it normal practice? Why not just assign us one /26 as requested?
Also, our WatchGuard firewalls only accept one range in the configuration and then you add in all of the IP aliases separately. If I set the IP range to bigger than the range we own (to cover all 12 separate ranges we've been issued), would this cause problems for the people that own the other IPs in this large range?
I have reported this to BurstNET admin/abuse/NOC and have added a line to block them for now.
Does this belong to anyone??? Nslookup/dig reveals nothing.
This is my /var/log/messages:
Mar 19 19:24:50 ginger sshd[11565]: Failed password for root from 66.197.245.241 port 46346 ssh2
Mar 19 19:24:50 ginger sshd[11565]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 19 19:24:51 ginger sshd[11567]: Failed password for root from 66.197.245.241 port 46407 ssh2
Mar 19 19:24:52 ginger sshd[11567]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 19 19:24:53 ginger sshd[11569]: Failed password for root from 66.197.245.241 port 46468 ssh2
Mar 19 19:24:53 ginger sshd[11569]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 19 19:24:55 ginger sshd[11571]: Failed password for root from 66.197.245.241 port 46531 ssh2
Mar 19 19:24:55 ginger sshd[11571]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 19 19:24:57 ginger sshd[11573]: Failed password for root from 66.197.245.241 port 46584 ssh2
Mar 19 19:24:57 ginger sshd[11573]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT!
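Added example (not from the post): a sliding-window count of sshd password failures per source IP over lines in this /var/log/messages format, so a burst like the one above raises a single alert while one mistyped password does not. The "reverse mapping" lines are deliberately not counted, since a missing PTR record on its own is not an attack. The sample lines are constructed, and the caller supplies the year because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the same syslog format as the excerpt above.
SAMPLE = """\
Mar 19 19:24:50 ginger sshd[11565]: Failed password for root from 66.197.245.241 port 46346 ssh2
Mar 19 19:24:50 ginger sshd[11565]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 19 19:24:51 ginger sshd[11567]: Failed password for root from 66.197.245.241 port 46407 ssh2
Mar 19 19:24:53 ginger sshd[11569]: Failed password for root from 66.197.245.241 port 46468 ssh2
Mar 19 19:24:55 ginger sshd[11571]: Failed password for root from 66.197.245.241 port 46531 ssh2
Mar 19 19:24:57 ginger sshd[11573]: Failed password for root from 66.197.245.241 port 46584 ssh2
Mar 19 20:10:02 ginger sshd[12001]: Failed password for invalid user alice from 192.0.2.7 port 50000 ssh2
"""

# Matches both "Failed password for root ..." and "Failed password for invalid user X ...".
FAILED = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def parse_ts(stamp: str, year: int) -> datetime:
    # syslog stamps carry no year, so the caller supplies the year the log was written
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def find_bruteforce(log_text: str, year: int, threshold: int = 5,
                    window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """One alert per source IP whose failed logins reach `threshold` inside a
    sliding `window`; a lone mistyped password never trips it."""
    events = defaultdict(list)                       # ip -> [(time, user), ...]
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            events[m.group(3)].append((parse_ts(m.group(1), year), m.group(2)))
    alerts = []
    for ip, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1                           # slide the window forward
            if end - start + 1 >= threshold:
                alerts.append({"ip": ip, "failures": len(hits),
                               "users": sorted({u for _, u in hits}),
                               "first": hits[0][0].isoformat(),
                               "last": hits[-1][0].isoformat()})
                break
    return alerts
```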
I have started seeing the following error in the Event Viewer every day:
"An anonymous session connected from xxx.xxx.xxx.xxx has attempted to open an LSA policy handle on this machine. The attempt was rejected with STATUS_ACCESS_DENIED to prevent leaking security sensitive information to the anonymous caller. The application that made this attempt needs to be fixed. Please contact the application vendor. As a temporary workaround, this security measure can be disabled by setting the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock DWORD value to 1. This message will be logged at most once a day."
The IP address is different every time. It is not an internal IP address or any I recognize. It is from the outside. I have read about this on the Microsoft site, but it only mentioned how it might be an internal service/application attempting the access. This is not my case, since I am seeing remote IP addresses. Can anyone help me dig deeper into this? How can I find out more about what's going on?
Usually I just block offending machines that try to get into our systems and move on, but for the last 2 days I have started notifying the contacts in the ARIN info for offending IPs. I guess I am trying to do my part to make the internet a better place?
A new client has just opened an account and the first thing he's installed is a few scripts called r57shell and c99shell. I'm not very familiar with these two scripts, but by the looks of them they're rootkits of some sort. Am I correct in thinking this?
The account has been suspended for the time being.
I did all of that, and when I restarted httpd it said:
[root@host www]# service httpd restart
Syntax error on line 51 of /usr/local/apache/conf/httpd.conf:
Invalid command 'Options=IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch', perhaps misspelled or defined by a module not included in the server configuration
So you all know my problem now! And I think a lot of you have the same problem, so I wish we all try to find a solution for this and know the best way to protect Perl on the server.
I have not been able to log in to my cPanel from my desktop, which runs WinXP Service Pack 3. Both Firefox and Internet Explorer return the following error message:
Login Attempt Failed!
Also, I am unable to connect using Filezilla Client.
However, I am able to connect to the same cPanel on my colleague's desktop, which runs WinXP Service Pack 3, using the Firefox browser or IE. We both share the same internet modem.
- I have cleared all the cookies and private data on my desktop. Still the problem persists.
- I changed to a different user on my desktop, but still could not log in.
- I changed my desktop IP address, but still I could not log in.
I use DSLinux from within Innotek VirtualBox and I was able to log in to the same cPanel with the same details that were rejected under WinXP.
Anyone with a solution, please advise me on what to do. Thanks in advance.
It is not convenient going to my colleague's desk to access my cPanel.
Mon May 18 15:17:08 2009 lfd: *Suspicious File* /tmp/perl_install.work.TLoX0YtaJBrzShwA/.cpan [someuser:someuser ] - Suspicious directory
The 'someuser' is a legitimate user on the server, an auto body website set up last October.
The content of the directory:
Quote:
root@server [/tmp/perl_install.work.TLoX0YtaJBrzShwA/.cpan/CPAN]# ls -lh
total 3.0K
drwx------ 2 someuser someuser 1.0K May 16 17:54 ./
drwx------ 3 someuser someuser 1.0K May 16 17:54 ../
-rw-r--r-- 1 someuser someuser  361 May 16 17:54 MyConfig.pm
I had an untapped image upload site on my server which I forgot about. Some guys or children uploaded something noxious and neutralized all the "index.php" files. This was a hack attempt with SSH.
We noticed that, closed this account and deleted the uploaded files. But there is a quirky problem. None of the index.php files are working after this attempt. The index file works after changing its name, for example to "mindex.php".
We updated all the services and rebuilt Apache, but it isn't working. We can't use any index.php on the server.
Additionally, 34 possible trojans appear on the server. I tried to delete them with BitDefender but can't do that. (I checked that with WHM / Scan for Trojan Horses.)
One of my clients seems to be attracting unwanted attention; it seems as if bots or something along those lines are attempting to exploit my box, although they are unsuccessful it would seem. I was wondering if there was a rule I could put in Mod_Security that would ban them for attempting to
GET "/awstatsf/logger.php?action=log&type=Hybrid&host=hacked101&"
A site I manage for a client is being hacked every couple of days. It's not the actual site but the host's server that's getting attacked, all sites on that server, well actually all their servers.
They have made no attempt to sort this problem. I report it, they look at the site and say "site loads fine for us", which it does.
All index files are having a base64-encoded line written after the <body> tag; this adds hundreds of spam links which are hidden with display:none. They also add .html to the application types in .htaccess for PHP to run in these files too.
Problem is, I am moving the site to another host but cannot change the nameservers to the new host's until the client returns from a holiday, so I must keep the site up on the insecure host for now.
I am removing the spam code almost daily. Is there any way I can stop this attack happening for the time being, as the host does nothing?
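Added example (not code from either post): a small scanner for the two symptoms described here and in the earlier post about the hidden iframe after the body tag. It checks the region right after <body> for a base64 PHP payload, a display:none/visibility:hidden block, or an iframe, and checks .htaccess for AddType/AddHandler/SetHandler lines that make .html or other non-PHP extensions execute as PHP. The HTML, iframe and .htaccess samples are constructed; the base64 string simply decodes to "hello".

```python
import re

# Constructed samples of the symptoms described in the posts above: a hidden block
# with a base64 PHP payload injected right after <body>, a hidden iframe, and an
# .htaccess that makes .html/.htm files execute as PHP. The payload decodes to "hello".
INDEX_HTML = """<html><head><title>Home</title></head>
<body><div style="display:none"><?php echo base64_decode('aGVsbG8='); ?></div>
<h1>Welcome</h1></body></html>"""
IFRAME_HTML = ('<html><body><div style="visibility:hidden">'
               '<iframe src="http://example.invalid/x"></iframe></div></body></html>')
CLEAN_HTML = "<html><body><h1>Welcome</h1></body></html>"
HTACCESS = """RewriteEngine on
AddType application/x-httpd-php .php .html
AddHandler application/x-httpd-php .htm
"""

# Indicators checked in the region just after <body>, where the spam payload lands.
INJECT_PATTERNS = {
    "php_base64": re.compile(r"<\?php.*?base64_decode", re.I | re.S),
    "hidden_block": re.compile(
        r"<(?:div|span)[^>]*style=['\"][^'\"]*(?:display\s*:\s*none|visibility\s*:\s*hidden)",
        re.I),
    "iframe": re.compile(r"<iframe\b", re.I),
}
# Extensions a host normally maps to PHP; anything else mapped to PHP is suspect.
PHP_EXTS = {".php", ".php5", ".phtml"}
HANDLER_DIRECTIVE = re.compile(r"^[ \t]*(AddType|AddHandler|SetHandler)[ \t]+(\S+)[ \t]*(.*)$",
                               re.I | re.M)

def scan_html(text: str, after_body_chars: int = 2000) -> list[str]:
    """Names of the injection indicators found right after the <body> tag
    (the whole document is scanned when there is no <body>)."""
    m = re.search(r"<body[^>]*>", text, re.I)
    region = text[m.end():m.end() + after_body_chars] if m else text
    return [name for name, pat in INJECT_PATTERNS.items() if pat.search(region)]

def scan_htaccess(text: str) -> list[str]:
    """Handler/type directives that make non-PHP extensions run as PHP."""
    findings = []
    for m in HANDLER_DIRECTIVE.finditer(text):
        directive, value, exts = m.groups()
        if "php" not in value.lower():
            continue
        odd = [e for e in exts.split() if e.lower() not in PHP_EXTS]
        if odd or directive.lower() == "sethandler":
            findings.append(m.group(0).strip())
    return findings
```

Run scan_html over every index file and scan_htaccess over every .htaccess on a schedule, and diff the results against the last clean run to catch the re-infection the post describes.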
As we all know, there has been a HyperVM exploit which may have taken down fsckvps, and other hosts have been having attacks. If possible, install any program that will warn you of a connection to your server and/or provide input on what it may or may not be.
I myself just had a blank PHP format file uploaded to a client's VPS and it tried accessing other VPS servers. As far as I know the IP was rapidly changing and untraceable (this may or may not be from the exploit). If anyone else is having HyperVM attacks or server attacks, please post here, so instead of working within our own companies we are working as a group of over 10 thousand+ WHT members to solve this issue ourselves.
I have a server and these days my server is being hacked by a hacker. The problem is chmod 777: there are many directories with chmod 777, and the hacker is uploading files and creating folders under the folders which are created with chmod 777. Now I just want to know how I can block the hacker, and is there any way to allow the scripts which are on my server and not allow any other scripts to upload files to my server?