can anyone decipher this ?
can anyone decipher this ?
[Sat Dec 13 23:47:26 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/w00tw00t.at.blackhats.romanian.anti-sec:)
[Sat Dec 13 23:47:27 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/phpMyAdmin
[Sat Dec 13 23:47:27 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/phpmyadmin
[Sat Dec 13 23:47:27 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/pma
[Sat Dec 13 23:47:27 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/w00tw00t.at.blackhats.romanian.anti-sec:)
[Sat Dec 13 23:47:28 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/myadmin
[Sat Dec 13 23:47:28 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/phpMyAdmin
[Sat Dec 13 23:47:28 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/MyAdmin
[Sat Dec 13 23:47:28 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/phpmyadmin
[Sat Dec 13 23:47:29 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/pma
[Sat Dec 13 23:47:29 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/myadmin
[Sat Dec 13 23:47:29 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/MyAdmin-
Does that really need to be deciphered? Somebody is using a vulnerability scanner to scan a site on your server for the existence of specific vulnerabilities. My guess is that the log is longer than that, and that you kept it short on purpose. Either way, it's a typical vulnerability scan. If a site is accessible via the internet, you can bet that it sees similar traffic often. And no, Romanians in particular are not out to get you. Nothing there would indicate that you have anything to worry about. Of course, that statement is only true if you have up to date operating system software, up to date cpanel, up to date web applications, and are using additional security practices [like modsecurity with a good ruleset]. Bottom line -- if you look in the logs for any website, you'll see similar types of scans. M ][Sat Dec 13 23:47:26 2014]
[error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/w00tw00t.at.blackhats.romanian.anti-sec:) [Sat Dec 13 23:47:27 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/phpMyAdmin [Sat Dec 13 23:47:27 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/phpmyadmin [Sat Dec 13 23:47:27 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/pma [Sat Dec 13 23:47:27 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/w00tw00t.at.blackhats.romanian.anti-sec:) [Sat Dec 13 23:47:28 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/myadmin [Sat Dec 13 23:47:28 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/phpMyAdmin [Sat Dec 13 23:47:28 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/MyAdmin [Sat Dec 13 23:47:28 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/phpmyadmin [Sat Dec 13 23:47:29 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/pma [Sat Dec 13 23:47:29 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/myadmin [Sat Dec 13 23:47:29 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/MyAdmin
0 -
WHM and Cpanel are configured to update automatically, so I guess it's up to date. However, I'm still learning. As for ModSecurity, I see some mention of it in WHM, but don't ask me what it all means. 0 -
] Bottom line -- if you look in the logs for any website, you'll see similar types of scans. M
This. 100 times, this.0 -
Hello :) A good place to start when attempting to ensure your server is using good security practices is the "Security Advisor" option in WHM: Security Advisor Thank you. 0 -
Security advisor fails me on: No symlink protection detected SSH password authentication is enabled. SSH direct root logins are permitted. And CSF gives me a score of 126/136 0 -
Please see: Symlink Race Condition Protection Also, this thread should be helpful: [Tutorial] Interested in increasing the security of your server? Read this. (sshd hardening) Thank you. 0 -
Not sure if you recall, but I had Mod_ruid 2 installed and was using suPHP, but my site stopped working inside a shell. I read somewhere that Mod_Ruid2 and suPHP don't work together, it's either one or the other, so i removed MOD_Ruid2. SymlinkRace Protection appears to require MOD_Ruid2, so I'm a little confused as to which are the best options to use. 0 -
There are alternative options listed as the documented referenced in my last post: Symlink Race Condition Protection Ideally, you should use CageFS or mod_ruid + jailshell, but the additional options are still more secure than no protections at all. Thank you. 0 -
I reinstalled Mod_Ruid last night. So PHP is now running DSO with Mod_Ruid and Disabled shell. This fixed the Symlink error. 0 -
Isn't it even better to just not give shell access to ANY accounts? None of my accounts have shell enabled at all and I get this SymLink warning in Security Advisor. If I open up shell to all users, jailed the alert goes away. Seems to me jailed is less secure than no shell... Am I missing something? 0 -
As far as in general, no shell or jailed shell are both decent options. If your customers don't need shell access then no shell is fine. However, as far as the symlink hacks go, the accounts shell access is irrelevant. It's all done using the site itself with php code once access is gained via a vulnerable plugin or compromised password. 0 -
Thanks for the heads up. I was not following that line of thought from the description of the issue. I have rerun EA adding ruid and enable the protection in tweak. It took me for a loop shortly when doing so caused 500 errors on pages of all web sites on the server in question until I recalled seeing something about having to use dso. Once I switched that over all was well again and the sever gets 100% green lights in Security Advisor. 0
Please sign in to leave a comment.
Comments
12 comments