#1
While reviewing my logs, I see a lot of File Not Found errors for pages that shouldn't exist, such as /upload.asp, /uploadfox.asp, etc., giving me the impression that someone is trying to hack my site. I was using AWStats to view this info, but it doesn't provide the IP address, only the referrer (which was not available).

Any ideas on how to see who is trying to view these non-existent pages? Thanks.
#2
You can view the data in your raw logs.

Probably not a lot you can do, as they are looking for a hole. formmail is another you will probably see in your log files (formmail, formail, form_mail, form-mail, mail, ...), as well as cgi-bin calls, and 99% will be behind proxies (the IP changes each call). My guess is they are looking for a security hole in a program with the word "fox" in it; phpBB is always being hit.

Another nuisance in 404s is referral spam: scripts create bogus requests with a website address as the UA, spamming error logs to get listed in search engines. The way to avoid this is don't make your error logs (or any logs) public - password protect them. This includes any stat program.
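The raw-log check the post recommends, as an added example that is not part of the thread: a Python script that parses Apache combined-format access log lines (the format cPanel's raw access logs use), counts 404s per client IP, flags requests for the scanner paths mentioned in the thread (upload*.asp, formmail variants, cgi-bin, phpBB) and lists any hits carrying a given referer. The log lines below are constructed for the example and the probe patterns are my own list, not anything from the thread.

```python
"""Find 404 probes in a raw Apache/cPanel access log and report who sent them.

Added example, not code from the forum thread. Log lines are in Apache's
"combined" format, which is what cPanel exposes as "Raw Access Logs". The
sample lines in SAMPLE_LOG are constructed for this example.
"""
import re
from collections import Counter, defaultdict

# Apache combined format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths scanners request that exist on no legitimate site (my own list).
PROBE_PATTERNS = (
    re.compile(r'/upload\w*\.asp$', re.I),
    re.compile(r'/(form_?-?mail|formail)(\.pl|\.cgi|\.php)?$', re.I),
    re.compile(r'^/cgi-bin/', re.I),
    re.compile(r'/phpbb', re.I),
)

# Constructed sample: one ASP scanner, one formmail scanner, one visitor whose
# Referer is the WHM URL discussed in the thread, and one unparseable line.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2006:10:01:02 -0500] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2006:10:01:05 -0500] "GET /upload.asp HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.7 - - [12/Mar/2006:10:01:06 -0500] "GET /uploadfox.asp HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.4 - - [12/Mar/2006:10:02:11 -0500] "POST /cgi-bin/formmail.pl HTTP/1.0" 404 210 "-" "libwww-perl/5.805"
198.51.100.4 - - [12/Mar/2006:10:02:12 -0500] "POST /cgi-bin/FormMail.cgi HTTP/1.0" 404 210 "-" "libwww-perl/5.805"
192.0.2.9 - - [12/Mar/2006:10:05:00 -0500] "GET /about.html HTTP/1.1" 404 210 "http://infiniti.websitewelcome.com:2086/scripts/srvmng" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2006:10:05:01 -0500] "GET /phpBB2/login.php HTTP/1.1" 404 210 "http://infiniti.websitewelcome.com:2086/scripts/srvmng" "Mozilla/5.0"
this line is not a valid log entry
"""


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_probe(path):
    """True if the requested path matches one of the known scanner patterns."""
    return any(p.search(path) for p in PROBE_PATTERNS)


def analyse(log_text, referer_of_interest=None):
    """Summarise a raw log: 404s per IP, probe paths per IP, user agents per IP,
    every hit whose Referer equals referer_of_interest, and lines skipped."""
    not_found = Counter()
    probes = defaultdict(list)
    agents = defaultdict(set)
    flagged = []
    skipped = 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            skipped += 1
            continue
        if rec["status"] == "404":
            not_found[rec["ip"]] += 1
            agents[rec["ip"]].add(rec["ua"])
            if is_probe(rec["path"]):
                probes[rec["ip"]].append(rec["path"])
        if referer_of_interest and rec["referer"] == referer_of_interest:
            flagged.append((rec["ip"], rec["time"], rec["path"]))
    return {
        "not_found": dict(not_found),
        "probes": dict(probes),
        "agents": {ip: sorted(uas) for ip, uas in agents.items()},
        "flagged": flagged,
        "skipped": skipped,
    }


if __name__ == "__main__":
    summary = analyse(SAMPLE_LOG, "http://infiniti.websitewelcome.com:2086/scripts/srvmng")
    for ip, n in sorted(summary["not_found"].items(), key=lambda kv: -kv[1]):
        print(f"{ip:15} 404s={n:3} probes={summary['probes'].get(ip, [])} ua={summary['agents'][ip]}")
    for ip, when, path in summary["flagged"]:
        print(f"referer match: {ip} at {when} requested {path}")
    print(f"unparseable lines skipped: {summary['skipped']}")
```

Run it against a real file with `analyse(open("access_log").read(), ...)`; the IP and User-Agent columns are exactly what the stats package in the first post hides, and the `flagged` list answers the later question of which client IPs arrive with the srvmng referer.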
#3
Thanks for the info.

Guess it's at least a good way to see what not to name my folders... I don't see an option to password protect logs (in cPanel), and as far as I can tell they are not in my public folder...
#4
On my custom 404s, it shows the referer.

I am quite concerned that I am getting a lot of 404s with a referer of http://infiniti.websitewelcome.com:2086/scripts/srvmng

CS say: "It is the service management interface from WHM. I guess it was someone from the support team. That service management page is only accessible to the root user so it's only us who use that page." But in a separate email they say: "If the page was accessed multiple times then it was not us. One time it could have been the support team but not multiple times unless you had a ticket or so."

So - it can only be accessed by support, but it isn't support. Someone is accessing many pages on my site, from a place where only support should be able to reach, but support say it is not them. I assume that this person can see all passwords, etc. I have been emailing now for 4 hours, and they haven't given me a satisfactory reason why the referer should be http://infiniti.websitewelcome.com:2086/scripts/srvmng

Is there a reason? The obvious thought is that someone has the root password...
#5
Do you get any pages after that with the same URL? Don't look at the webstats, they are crap; look at your raw logs for the real deal.

If you go to that link (you should unlink it, as I'm sure many will try it, including search bots and email bots that pick over this forum), you are asked for the password; without the password you get the login screen - same page. So if the logs (raw, not the useless eye-candy stuff) don't show other pages after this, then it's more than likely someone just looking for a weak password (script kiddies). If you get heaps of the 404s then I hope you have a decent password, as it would more than likely be a brute force attack (a script that fires off dictionary passwords). If on the other hand you get pages after this (unless it's a framed page) then you need to have a serious word with support about blocking the intruder. If the logs are fuzzy, i.e. big gaps missing in the times etc., more than likely you've been hacked and the tracks have been covered up; mind you, if they were any good they wouldn't have left the 404s.

Golden rule: NEVER, and I repeat, NEVER use dictionary words for passwords, nor numbers (even though HG suggests it). ALWAYS use a combination of letters and numbers, and if possible make it case sensitive. Things like h31pfu1 (helpful) is not a good password; it is classed as a dictionary extension (using numbers instead of letters).

If you are stuck for a password, run a word through md5 with a random string, i.e.:

    <?php
    $word = "yourword";                          // the word you chose (added so the snippet runs)
    $md5_prefix = "whats_your_favorite_COLOR";   // use your own prefix, not this one
    $newpassword = md5($md5_prefix . $word);     // same variable name in both places
    echo $newpassword;

Now just pick a section of this result (it should be a combination of numbers and letters - 32 of them). Don't use the prefix given, or the prefix name; use your own one and pick at least a section of 8 bits of the results.

Another tip: if you use Mozilla or Opera (anything with tabs), be sure to actually close the program, not just the tab, if you leave your PC running, as the session/cookie can still remain active.
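To show the "dictionary extension" point from the post above, here is an added Python example (mine, not the post's md5 recipe and not from the thread): it reverses the common letter-for-digit substitutions so that h31pfu1 is checked as "helpful" against a wordlist, reports the other weaknesses the post lists (all digits, letters only, too short), and generates a replacement from the secrets module, a CSPRNG, rather than from a hash of a chosen word. The wordlist is a constructed stand-in for a real cracking dictionary, and the substitution table is my own.

```python
"""Detect "dictionary extension" passwords (h31pfu1 == helpful) and generate
a random replacement. Added example, not code from the forum thread."""
import secrets
import string

# Common letter->digit/symbol substitutions, reversed so a candidate can be
# "un-leeted" before the dictionary lookup. Constructed for this example.
LEET = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
        "@": "a", "$": "s", "!": "i"}

# Constructed stand-in for a real cracking wordlist (a few thousand entries
# would be loaded from a file in practice).
WORDLIST = {"helpful", "password", "welcome", "letmein", "hostgator", "infiniti"}


def unleet(candidate):
    """Lowercase the candidate and undo the substitutions in LEET."""
    return "".join(LEET.get(ch, ch) for ch in candidate.lower())


def is_dictionary_extension(candidate, wordlist=WORDLIST):
    """True if case, leet substitutions or leading/trailing digits are all
    that separate the candidate from a dictionary word."""
    lowered = candidate.lower()
    variants = {
        unleet(lowered),                          # h31pfu1   -> helpful
        unleet(lowered.strip(string.digits)),     # P@$$w0rd1 -> password
        lowered.strip(string.digits),             # Welcome2006 -> welcome
    }
    return any(v in wordlist for v in variants)


def password_problems(candidate, wordlist=WORDLIST, min_len=12):
    """Return a list of reasons the candidate is weak; empty means it passed."""
    problems = []
    if len(candidate) < min_len:
        problems.append(f"shorter than {min_len}")
    if candidate.isdigit():
        problems.append("all digits")
    if candidate.isalpha():
        problems.append("letters only")
    if is_dictionary_extension(candidate, wordlist):
        problems.append("dictionary word or leet variant")
    return problems


def generate_password(length=16):
    """Random mixed-case alphanumeric password from a CSPRNG, guaranteed to
    contain at least one lowercase letter, one uppercase letter and one digit."""
    alphabet = string.ascii_letters + string.digits
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


if __name__ == "__main__":
    for cand in ("h31pfu1", "P@$$w0rd1", "Welcome2006", "12345678", generate_password()):
        print(f"{cand!r}: {password_problems(cand) or 'ok'}")
```

The check only catches what the wordlist contains, so its value scales with the dictionary you feed it; a real cracker's list is far larger than the six words here. The generator avoids the post's md5 approach entirely because a hash of a guessable prefix and word is only as unpredictable as its inputs, whereas `secrets` draws from the operating system's random source.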
#6
Support tell me that only they have access to that area. I am getting lots of calls from that area. But support say that it is not them...
#7
I seem to be sending email after email to support, and they just don't seem to accept that there is a problem. Can ANYONE suggest how I can clarify the situation to them?

1) My site is being accessed by a URL which only support should have access to.
2) Support say that they are not doing anything.

The latest email: "Your site has no connection with the URL http://infiniti.websitewelcome.com:2086/scripts/srvmng. Document root is completely different than your site. This URL is of WHM which can be only accessed by the root user on the server."

I KNOW THAT. I have been saying that for the last 5 or 6 hours. Only support can access that URL. And they deny accessing it...
#8
Now I have the same issue on another domain on the same server - and guess what - the logs here ALSO have a CRC error, so I can't see them.
#9
So really if you can't get into that section then that section shouldn't even show in your logs, so try to set a trap. With admin's help, set up a 302 redirect (htaccess) to a page where you collect all the information (IP, location, where from ...). You can have the info sent to you via email as it happens or saved somewhere. It should show a proxy, but if it doesn't it is easy to track them down; if it does show a proxy then some detective work may be needed.

Just a thought admin, it wouldn't be one of the scripts/packages trying to do an auto update would it?
#10
If you are a reseller, you have WHM access. That's the area where you create new cPanel accounts for packages. So it's not an area *only* HostGator support has access to at all. You do also. Or anyone who guesses your account login info.

I think it's really easy to forget that not everyone understands how things work initially, from both a customer support perspective and the person seeking support. HostGator support may assume you know what you are talking about (lol, I know that sounds funny). But that is almost always how I get confused or even frustrated and angry when I'm asking questions to do with support. THEY know what they mean. But I may not be 'getting' what the heck they are trying to say because a) I don't know the 'lingo', or b) they aren't explaining it to me like I'm a 5 year old instead of another tech guru, or c) they don't explain at all or simply repeat that it was fixed. Which in my mind is like shooting themselves in the foot. Had they explained, then if a similar situation happened again I would probably know how to resolve it myself 'next time'.

So if you do have WHM access, then you yourself have access to this URL you have mentioned. What support is saying is that anyone logged into the WHM will have access to that URL.

Anyway, re your logs, if they have errors have HostGator fix it. Or ask them to look at your logs for you.