Topic: server hacked ?
craigt
Joined: 03 Sep 2012
Posts: 16
Location: Richmond, ky
Posted: Sun 23 Nov '14 16:00    Post subject: server hacked ?

Good morning.
My error log had the following entries this morning.
 
 
[Sat Nov 22 05:42:15 2014] [error] [client 222.216.28.248] script not found or unable to stat: C:/usr/www/steepusa/cgi-bin/php5
 [Sat Nov 22 05:42:16 2014] [error] [client 222.216.28.248] script not found or unable to stat: C:/usr/www/steepusa/cgi-bin/php-cgi
 [Sat Nov 22 05:42:17 2014] [error] [client 222.216.28.248] script not found or unable to stat: C:/usr/www/steepusa/cgi-bin/php.cgi
 [Sat Nov 22 05:42:18 2014] [error] [client 222.216.28.248] script not found or unable to stat: C:/usr/www/steepusa/cgi-bin/php4
 [Sat Nov 22 13:11:24 2014] [error] [client 189.171.48.1] File does not exist: C:/usr/www/steepusa/gege
 [Sat Nov 22 13:11:25 2014] [error] [client 189.171.48.1] File does not exist: C:/usr/www/steepusa/phpMyAdmin
 [Sat Nov 22 13:11:26 2014] [error] [client 189.171.48.1] File does not exist: C:/usr/www/steepusa/pma
 [Sat Nov 22 13:11:27 2014] [error] [client 189.171.48.1] File does not exist: C:/usr/www/steepusa/myadmin
 [Sat Nov 22 22:55:20 2014] [error] [client 1.2.172.71] File does not exist: C:/usr/www/steepusa/bsbs
 [Sat Nov 22 22:55:21 2014] [error] [client 1.2.172.71] File does not exist: C:/usr/www/steepusa/phpMyAdmin
 [Sat Nov 22 22:55:22 2014] [error] [client 1.2.172.71] File does not exist: C:/usr/www/steepusa/pma
 [Sat Nov 22 22:55:23 2014] [error] [client 1.2.172.71] File does not exist: C:/usr/www/steepusa/myadmin
 [Sun Nov 23 00:56:40 2014] [error] [client 218.164.97.122] File does not exist: C:/usr/www/steepusa/ntnt
 [Sun Nov 23 00:56:41 2014] [error] [client 218.164.97.122] File does not exist: C:/usr/www/steepusa/phpMyAdmin
 [Sun Nov 23 00:56:42 2014] [error] [client 218.164.97.122] File does not exist: C:/usr/www/steepusa/pma
 [Sun Nov 23 00:56:43 2014] [error] [client 218.164.97.122] File does not exist: C:/usr/www/steepusa/myadmin
 [Sun Nov 23 06:48:05 2014] [error] [client 66.135.34.113] script not found or unable to stat: C:/usr/www/steepusa/cgi-bin/php.exe
 [Sun Nov 23 06:48:06 2014] [error] [client 66.135.34.113] script not found or unable to stat: C:/usr/www/steepusa/cgi-bin/php5.exe
 [Sun Nov 23 06:48:06 2014] [error] [client 66.135.34.113] script not found or unable to stat: C:/usr/www/steepusa/cgi-bin/php-cgi.exe
 [Sun Nov 23 06:48:07 2014] [error] [client 66.135.34.113] script not found or unable to stat: C:/usr/www/steepusa/cgi-bin/cgi.exe
 [Sun Nov 23 06:48:07 2014] [error] [client 66.135.34.113] script not found or unable to stat: C:/usr/www/steepusa/cgi-bin/php4.exe
 
 My access log had the following entries.
 
 
1.2.172.71 - - [22/Nov/2014:22:55:20 -0500] "GET /bsbs/bsb/bs.php HTTP/1.1" 404 318
 1.2.172.71 - - [22/Nov/2014:22:55:21 -0500] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 331
 1.2.172.71 - - [22/Nov/2014:22:55:22 -0500] "GET /pma/scripts/setup.php HTTP/1.1" 404 324
 1.2.172.71 - - [22/Nov/2014:22:55:23 -0500] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 328
 218.164.97.122 - - [23/Nov/2014:00:56:40 -0500] "GET /ntnt/ntn/nt.php HTTP/1.1" 404 318
 218.164.97.122 - - [23/Nov/2014:00:56:41 -0500] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 331
 218.164.97.122 - - [23/Nov/2014:00:56:42 -0500] "GET /pma/scripts/setup.php HTTP/1.1" 404 324
 218.164.97.122 - - [23/Nov/2014:00:56:43 -0500] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 328
 212.83.138.153 - - [23/Nov/2014:02:04:26 -0500] "GET / HTTP/1.1" 200 15675
 157.55.39.6 - - [23/Nov/2014:02:56:37 -0500] "GET /robots.txt HTTP/1.1" 200 430
 157.55.39.5 - - [23/Nov/2014:02:56:58 -0500] "GET / HTTP/1.1" 200 2802
 104.192.0.19 - - [23/Nov/2014:06:26:10 -0500] "GET / HTTP/1.0" 200 15678
 66.135.34.113 - - [23/Nov/2014:06:48:05 -0500] "GET //cgi-bin/php.exe HTTP/1.1" 404 263
 66.135.34.113 - - [23/Nov/2014:06:48:06 -0500] "GET //cgi-bin/php5.exe HTTP/1.1" 404 263
 66.135.34.113 - - [23/Nov/2014:06:48:06 -0500] "GET //cgi-bin/php-cgi.exe HTTP/1.1" 404 264
 66.135.34.113 - - [23/Nov/2014:06:48:07 -0500] "GET //cgi-bin/cgi.exe HTTP/1.1" 404 262
 66.135.34.113 - - [23/Nov/2014:06:48:07 -0500] "GET //cgi-bin/php4.exe HTTP/1.1" 404 264
 104.236.27.63 - - [23/Nov/2014:07:03:16 -0500] "GET /parts/brief.html HTTP/1.1" 200 2166
 178.62.214.203 - - [23/Nov/2014:07:03:30 -0500] "GET /shom3ifrm.html HTTP/1.1" 200 326
 104.236.27.69 - - [23/Nov/2014:07:03:42 -0500] "GET /shom4.html HTTP/1.1" 200 484
 198.211.117.78 - - [23/Nov/2014:07:03:52 -0500] "GET /m1demo/m1.htm HTTP/1.1" 200 587
 162.243.1.48 - - [23/Nov/2014:07:03:54 -0500] "GET /parts/m3.html HTTP/1.1" 200 1888
 198.199.68.18 - - [23/Nov/2014:07:04:15 -0500] "GET /shom2ifrm.html HTTP/1.1" 200 325
 104.131.146.120 - - [23/Nov/2014:07:04:16 -0500] "GET /parts/acks.html HTTP/1.1" 200 2004
 95.85.39.206 - - [23/Nov/2014:07:04:30 -0500] "GET /parts/m1.html HTTP/1.1" 200 2102
 128.199.232.11 - - [23/Nov/2014:07:05:29 -0500] "GET /docs/scdoce.doc HTTP/1.1" 200 16202
 178.62.219.89 - - [23/Nov/2014:07:05:39 -0500] "GET /parts/potential.html HTTP/1.1" 200 1095
 104.131.135.7 - - [23/Nov/2014:07:05:39 -0500] "GET /parts/features.html HTTP/1.1" 200 1710
 104.236.27.65 - - [23/Nov/2014:07:05:40 -0500] "GET /parts/addedvalue.html HTTP/1.1" 200 988
 162.243.164.227 - - [23/Nov/2014:07:05:40 -0500] "GET /parts/roi.html HTTP/1.1" 200 1253
 104.236.27.68 - - [23/Nov/2014:07:06:04 -0500] "GET /parts/di.html HTTP/1.1" 200 638
 188.226.169.215 - - [23/Nov/2014:07:06:05 -0500] "GET /parts/priceom.html HTTP/1.1" 200 572
 178.62.158.69 - - [23/Nov/2014:07:06:06 -0500] "GET /m3demo/m3.htm HTTP/1.1" 200 373
 192.241.248.155 - - [23/Nov/2014:07:06:07 -0500] "GET /parts/m2.html HTTP/1.1" 200 1768
 162.243.226.174 - - [23/Nov/2014:07:06:27 -0500] "GET /shodhtml2.html HTTP/1.1" 200 332
 178.62.99.54 - - [23/Nov/2014:07:06:28 -0500] "GET /parts/company.html HTTP/1.1" 200 1130
 128.199.154.245 - - [23/Nov/2014:07:06:29 -0500] "GET /parts/idea.html HTTP/1.1" 200 3510
 178.62.152.120 - - [23/Nov/2014:07:06:39 -0500] "GET /sge.html HTTP/1.1" 200 258
 104.131.146.120 - - [23/Nov/2014:07:08:16 -0500] "GET /m2demo/m2.htm HTTP/1.1" 200 373
 162.243.1.48 - - [23/Nov/2014:07:08:28 -0500] "GET /parts/ii.html HTTP/1.1" 200 1004
 125.64.35.67 - - [23/Nov/2014:07:54:10 -0500] "GET http://6.url.cn/zc/chs/img/body.png HTTP/1.1" 404 259
 
 My static IP starts with 72.  I think I'm being hacked.  These IPs are from all over the globe. Looks like they are probing my server and executing parts of the website that this server hosts.   These people don't have much to do.
 
Would someone please comment on what they see here, what could happen, and what I should do to prevent any destructive behavior. The application the server hosts is simply an idea of my own design and development, hardly of any interest to a cracker, I would think.
 
I'm on a Windows 7 platform using Apache/2.0.64 (Win32), mod_perl/2.0.3, and Perl/v5.8.3.  I work with the firewall down because my application does not seem to be visible to the WWW with it up (probably my understanding).  I run MSE all the time and MalwareBytes regularly.
 
 Thanks.

glsmith (Moderator)
Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA
Posted: Tue 25 Nov '14 21:48

Doubtful.
These look like scans for vulnerabilities/horrible configs, and the ones that 404 mean there is not a problem with any one of those. I'm going to assume all the 200s are actually legitimate requests to resources on your server, like these:
 
 104.236.27.63 - - [23/Nov/2014:07:03:16 -0500] "GET /parts/brief.html HTTP/1.1" 200 2166
 178.62.214.203 - - [23/Nov/2014:07:03:30 -0500] "GET /shom3ifrm.html HTTP/1.1" 200 326
 104.236.27.69 - - [23/Nov/2014:07:03:42 -0500] "GET /shom4.html HTTP/1.1" 200 484
 198.211.117.78 - - [23/Nov/2014:07:03:52 -0500] "GET /m1demo/m1.htm HTTP/1.1" 200 587
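Added example, written for this page rather than taken from the thread or from the Apache project: a small Python triage script that does the check glsmith describes, run over lines copied from the logs above plus one constructed line. It parses both the access-log and error-log formats shown in the post, groups requests by client, tags the ones matching the scanner paths seen in the thread, and separates probes that were answered with 404 from any that got another status. The DocumentRoot (C:/usr/www/steepusa) is assumed from the error-log paths, the PROBE_RULES patterns are derived from the request paths in the thread and are not an exhaustive signature list, and the 10.0.0.5 line with a 200 response is constructed to show what a hit that needs attention would look like.

```python
"""Triage Apache access/error log lines for mass-scanner probes.

Added example, not from the thread or the Apache project. DOCROOT is assumed
from the error-log paths; PROBE_RULES are derived from the request paths in
the thread and are not exhaustive; the 10.0.0.5 line is constructed."""
import re
from collections import defaultdict

DOCROOT = "C:/usr/www/steepusa"  # assumed DocumentRoot, taken from the error log
# Apache 2.0 common log format: ip ident user [ts] "METHOD target HTTP/x" status size
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                       r'(?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)$')
# Apache 2.0 error log: [ts] [level] [client ip] reason: filesystem path
ERROR_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[^\]]+)\] '
                      r'(?P<reason>File does not exist|script not found or unable to stat): (?P<path>.+)$')

# Scanner signatures (assumptions drawn from the thread), checked in order.
PROBE_RULES = [
    # A full URL as request target asks Apache to fetch it for the client:
    # the classic open-proxy check. Only a 404/403 answer is the good outcome.
    ("open-proxy check", re.compile(r'^https?://', re.I)),
    # phpMyAdmin install script under its usual aliases.
    ("phpMyAdmin setup.php", re.compile(r'^/+(phpmyadmin|pma|myadmin)(/|$)', re.I)),
    # PHP CGI binaries exposed under cgi-bin (note the doubled slash in the log).
    ("php-cgi in cgi-bin", re.compile(r'/cgi-bin/(php[\w.-]*|cgi\.exe)$', re.I)),
    # /bsbs/bsb/bs.php, /ntnt/ntn/nt.php, /gege: the random marker request sent
    # before the phpMyAdmin checks. A real path shaped like /abab would be a false positive.
    ("marker probe", re.compile(r'^/([a-z]{2})\1(?:/\1[a-z]/\1\.php)?$')),
]

def parse_access(line):
    m = ACCESS_RE.match(line.strip())
    if not m:
        return None
    return {"ip": m["ip"], "target": m["target"], "status": int(m["status"])}

def parse_error(line):
    """Error-log entries carry no status; both reasons matched above mean 404."""
    m = ERROR_RE.match(line.strip())
    if not m:
        return None
    path = m["path"]
    target = path[len(DOCROOT):] if path.startswith(DOCROOT) else path
    return {"ip": m["ip"], "target": target, "status": 404}

def classify(target):
    """Return the probe family for a request target, or None if it looks normal."""
    for family, rx in PROBE_RULES:
        if rx.search(target):
            return family
    return None

def triage(access_lines, error_lines=()):
    """Per client: 404'd probes (noise), probes answered otherwise ("hits"), normal count."""
    report = defaultdict(lambda: {"probes": [], "hits": [], "normal": 0})
    events = [e for e in map(parse_access, access_lines) if e]
    events += [e for e in map(parse_error, error_lines) if e]
    for e in events:
        family = classify(e["target"])
        entry = report[e["ip"]]
        if family is None:
            entry["normal"] += 1
        elif e["status"] == 404:
            entry["probes"].append((family, e["target"]))
        else:
            entry["hits"].append((family, e["target"], e["status"]))
    return dict(report)

def scanners(report):
    """Clients that sent at least one probe, busiest first."""
    count = lambda ip: len(report[ip]["probes"]) + len(report[ip]["hits"])
    return sorted((ip for ip in report if count(ip)), key=count, reverse=True)

def successful_probes(report):
    """(ip, family, target, status) for every probe not answered with 404."""
    return [(ip, *h) for ip, r in report.items() for h in r["hits"]]

# Lines copied from the thread; the 10.0.0.5 line is constructed.
SAMPLE_ACCESS = """\
1.2.172.71 - - [22/Nov/2014:22:55:20 -0500] "GET /bsbs/bsb/bs.php HTTP/1.1" 404 318
1.2.172.71 - - [22/Nov/2014:22:55:21 -0500] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 331
1.2.172.71 - - [22/Nov/2014:22:55:22 -0500] "GET /pma/scripts/setup.php HTTP/1.1" 404 324
1.2.172.71 - - [22/Nov/2014:22:55:23 -0500] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 328
66.135.34.113 - - [23/Nov/2014:06:48:05 -0500] "GET //cgi-bin/php.exe HTTP/1.1" 404 263
66.135.34.113 - - [23/Nov/2014:06:48:06 -0500] "GET //cgi-bin/php-cgi.exe HTTP/1.1" 404 264
66.135.34.113 - - [23/Nov/2014:06:48:07 -0500] "GET //cgi-bin/cgi.exe HTTP/1.1" 404 262
104.236.27.63 - - [23/Nov/2014:07:03:16 -0500] "GET /parts/brief.html HTTP/1.1" 200 2166
125.64.35.67 - - [23/Nov/2014:07:54:10 -0500] "GET http://6.url.cn/zc/chs/img/body.png HTTP/1.1" 404 259
10.0.0.5 - - [23/Nov/2014:08:00:00 -0500] "GET /pma/scripts/setup.php HTTP/1.1" 200 1200
""".splitlines()
SAMPLE_ERROR = """\
[Sat Nov 22 05:42:15 2014] [error] [client 222.216.28.248] script not found or unable to stat: C:/usr/www/steepusa/cgi-bin/php5
[Sat Nov 22 13:11:24 2014] [error] [client 189.171.48.1] File does not exist: C:/usr/www/steepusa/gege
[Sat Nov 22 13:11:25 2014] [error] [client 189.171.48.1] File does not exist: C:/usr/www/steepusa/phpMyAdmin
""".splitlines()

if __name__ == "__main__":
    rep = triage(SAMPLE_ACCESS, SAMPLE_ERROR)
    for ip in scanners(rep):
        print(ip, rep[ip]["probes"] + rep[ip]["hits"])
    print("probes that did not 404:", successful_probes(rep))
```

Run as-is, the only entry under "probes that did not 404" is the constructed 10.0.0.5 line; every client taken from the real logs shows up as a scanner whose probes all failed, which is the same conclusion the 404s in the original logs already give. The error log is only worth feeding in for periods or clients missing from the access log, since it names just the first missing path component and would otherwise double-count. The 125.64.35.67 request for http://6.url.cn/... deserves a separate mention: a request target that is a full URL asks Apache to fetch it on the client's behalf, so a 200 there would mean the server is relaying for strangers as an open proxy, and the 404 shows it is not.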

craigt
Joined: 03 Sep 2012
Posts: 16
Location: Richmond, ky
Posted: Fri 28 Nov '14 21:32

Thanks for the reply, glsmith.  I think I need to study the firewall and the Apache server I use to try to restrict access a little better.
 I've been focused on an app and website doing design, development, and testing, until now.  I'm at the next step, and here the firewall and Apache configuration become more important.  And I must admit, I've had some malware problems as I've been doing this.
 
I've had my firewall down because I lose WWW visibility when it's up.  And my Apache installation was pretty generic, with a few exceptions like mod_perl.   I need to go deeper in these areas.