Skip to main content

can anyone decipher this ?

Comments

12 comments

  • mtindor
    Does that really need to be deciphered? Somebody is using a vulnerability scanner to scan a site on your server for the existence of specific vulnerabilities. My guess is that the log is longer than that, and that you kept it short on purpose. Either way, it's a typical vulnerability scan. If a site is accessible via the internet, you can bet that it sees similar traffic often. And no, Romanians in particular are not out to get you. Nothing there would indicate that you have anything to worry about. Of course, that statement is only true if you have up to date operating system software, up to date cpanel, up to date web applications, and are using additional security practices [like modsecurity with a good ruleset]. Bottom line -- if you look in the logs for any website, you'll see similar types of scans. M
    ][Sat Dec 13 23:47:26 2014]
    [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/w00tw00t.at.blackhats.romanian.anti-sec:) [Sat Dec 13 23:47:27 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/phpMyAdmin [Sat Dec 13 23:47:27 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/phpmyadmin [Sat Dec 13 23:47:27 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/pma [Sat Dec 13 23:47:27 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/w00tw00t.at.blackhats.romanian.anti-sec:) [Sat Dec 13 23:47:28 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/myadmin [Sat Dec 13 23:47:28 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/phpMyAdmin [Sat Dec 13 23:47:28 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/MyAdmin [Sat Dec 13 23:47:28 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/phpmyadmin [Sat Dec 13 23:47:29 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/pma [Sat Dec 13 23:47:29 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/myadmin [Sat Dec 13 23:47:29 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/MyAdmin

    0
  • keat63
    WHM and Cpanel are configured to update automatically, so I guess it's up to date. However, I'm still learning. As for ModSecurity, I see some mention of it in WHM, but don't ask me what it all means.
    0
  • quizknows
    ] Bottom line -- if you look in the logs for any website, you'll see similar types of scans. M

    This. 100 times, this.
    0
  • cPanelMichael
    Hello :) A good place to start when attempting to ensure your server is using good security practices is the "Security Advisor" option in WHM: Security Advisor Thank you.
    0
  • keat63
    Security advisor fails me on: No symlink protection detected SSH password authentication is enabled. SSH direct root logins are permitted. And CSF gives me a score of 126/136
    0
  • keat63
    Not sure if you recall, but I had Mod_ruid 2 installed and was using suPHP, but my site stopped working inside a shell. I read somewhere that Mod_Ruid2 and suPHP don't work together, it's either one or the other, so i removed MOD_Ruid2. SymlinkRace Protection appears to require MOD_Ruid2, so I'm a little confused as to which are the best options to use.
    0
  • cPanelMichael
    There are alternative options listed as the documented referenced in my last post: Symlink Race Condition Protection Ideally, you should use CageFS or mod_ruid + jailshell, but the additional options are still more secure than no protections at all. Thank you.
    0
  • keat63
    I reinstalled Mod_Ruid last night. So PHP is now running DSO with Mod_Ruid and Disabled shell. This fixed the Symlink error.
    0
  • PCZero
    Isn't it even better to just not give shell access to ANY accounts? None of my accounts have shell enabled at all and I get this SymLink warning in Security Advisor. If I open up shell to all users, jailed the alert goes away. Seems to me jailed is less secure than no shell... Am I missing something?
    0
  • quizknows
    As far as in general, no shell or jailed shell are both decent options. If your customers don't need shell access then no shell is fine. However, as far as the symlink hacks go, the accounts shell access is irrelevant. It's all done using the site itself with php code once access is gained via a vulnerable plugin or compromised password.
    0
  • PCZero
    Thanks for the heads up. I was not following that line of thought from the description of the issue. I have rerun EA adding ruid and enable the protection in tweak. It took me for a loop shortly when doing so caused 500 errors on pages of all web sites on the server in question until I recalled seeing something about having to use dso. Once I switched that over all was well again and the sever gets 100% green lights in Security Advisor.
    0

Please sign in to leave a comment.