Suspicious entry in access log
Hello, I found the lines below in my access logs. I can't see these files and folders from my file manager, yet the HTTP status codes for these accesses are 200. The strange thing is that my-web-site is the referring site, and the agent could be my own browser, Firefox. However, the request originates from Bangladesh and I am in Houston. Sounds like a stupid question, but is this something I should be concerned about?
I have a shared hosting account.
103.242.217.102 - - [19/Oct/2015:11:38:23 -0500] "GET /cpanel HTTP/1.1" 200 8994 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36"
103.242.217.102 - - [19/Oct/2015:11:38:25 -0500] "GET /img-sys/contentbox.jpg HTTP/1.1" 200 8846 "http://my-web-site.com/cpanel" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36"
103.242.217.102 - - [19/Oct/2015:11:38:25 -0500] "GET /img-sys/headerbg.jpg HTTP/1.1" 200 9366 "http://my-web-site.com/cpanel" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36"
103.242.217.102 - - [19/Oct/2015:11:38:25 -0500] "GET /img-sys/bg.jpg HTTP/1.1" 200 508 "http://my-web-site.com/cpanel" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36"
[~]# grep '' /etc/redhat-release /usr/local/cpanel/version /var/cpanel/envtype ; grep CPANEL= /etc/cpupdate.conf ; httpd -v ; php -v ; mysql -V
grep: /etc/redhat-release: No such file or directory
/usr/local/cpanel/version:11.48.4.7
/var/cpanel/envtype:standard
grep: /etc/cpupdate.conf: No such file or directory
-jailshell: httpd: command not found
PHP 5.4.45 (cli) (built: Oct 5 2015 15:35:12)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2014 Zend Technologies
with the ionCube PHP Loader v4.7.4, Copyright (c) 2002-2014, by ionCube Ltd., and
with Zend Guard Loader v3.3, Copyright (c) 1998-2013, by Zend Technologies
mysql Ver 14.14 Distrib 5.5.42-37.1, for Linux (x86_64) using readline 5.1
Hi, you are obtaining this from '/usr/local/apache/logs/access_log'. This logs requests to the server hostname, IP, or domains that resolve to the server but have no vhost. If you take your server IP and add the URIs above, you'll see these are cPanel files. Your domain logs are located at '/usr/local/apache/domlogs/'. Thanks,
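As an added illustration of how to read lines like the ones posted (example code, not from this thread or from cPanel): a small parser for the Apache combined log format that groups requests by client IP and counts how many of them land on the cPanel-served paths seen above. The sample is the four lines from the question with the User-Agent shortened; treating /cpanel and /img-sys/ as cPanel front-end paths is an assumption taken from those lines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format, the shape of the lines posted in the question.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed: URI prefixes that the posted lines show are served by the cPanel
# front end rather than from the account's own document root.
CPANEL_PREFIXES = ("/cpanel", "/img-sys/")

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["time"] = datetime.strptime(d["time"], TIME_FMT)
    d["status"] = int(d["status"])
    return d

def summarise(lines):
    """Group entries by client IP: requests, hits on cPanel paths, time span."""
    per_ip = defaultdict(lambda: {"total": 0, "cpanel_hits": 0, "paths": set(),
                                  "first": None, "last": None})
    for line in lines:
        e = parse_line(line)
        if e is None:          # skip lines that are not in combined format
            continue
        s = per_ip[e["ip"]]
        s["total"] += 1
        s["paths"].add(e["path"])
        if e["path"].startswith(CPANEL_PREFIXES):
            s["cpanel_hits"] += 1
        s["first"] = e["time"] if s["first"] is None else min(s["first"], e["time"])
        s["last"] = e["time"] if s["last"] is None else max(s["last"], e["time"])
    return dict(per_ip)

# Constructed sample: the four lines from the question, User-Agent shortened.
SAMPLE = """\
103.242.217.102 - - [19/Oct/2015:11:38:23 -0500] "GET /cpanel HTTP/1.1" 200 8994 "-" "Mozilla/5.0"
103.242.217.102 - - [19/Oct/2015:11:38:25 -0500] "GET /img-sys/contentbox.jpg HTTP/1.1" 200 8846 "http://my-web-site.com/cpanel" "Mozilla/5.0"
103.242.217.102 - - [19/Oct/2015:11:38:25 -0500] "GET /img-sys/headerbg.jpg HTTP/1.1" 200 9366 "http://my-web-site.com/cpanel" "Mozilla/5.0"
103.242.217.102 - - [19/Oct/2015:11:38:25 -0500] "GET /img-sys/bg.jpg HTTP/1.1" 200 508 "http://my-web-site.com/cpanel" "Mozilla/5.0"
""".splitlines()
```

On the sample this reports one client making four requests, all to cPanel paths, within two seconds: a single load of the cPanel login page and its images, which is the pattern the reply above describes.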
Apologies, I have had this account for years, and am just now trying to understand it and manage it better. My topmost access in file manager is /home2/myusername/. The logs above were in the folder /home2/myusername/logs. I did try going to the resources listed in the log, for example my-site.com/img-sys/contentbox.jpg, and I do see the images that appear to be parts of a cPanel page. I'm wondering why they are accessible by just appending the URI to my web address, when I cannot even see these resources listed in my file manager. Also I appear to have no control over the accessibility of these resources from outside. For example, mod_rewrite rules in the .htaccess file* don't seem to have any effect:
RewriteRule ^(.*)cpanel(.*)$ - [F,L]
RewriteRule ^(.*)img-sys(.*)$ - [F,L]
For now I have banned the IP address, but it doesn't seem like a good enough solution. What else might be accessible from outside that I do not see listed in file manager? How can I trust my site? Apologies for the ramble.
*The .htaccess file was in the public directory; I haven't tried modifying the .htaccess in the home directory for fear I might break something.
Hello :) It's important to keep in mind that you have limited control over the Apache configuration because you do not have root access to this server. You can report this issue to your web hosting provider if it's behavior you want them to help you avoid. Thank you.
The information in the logs does not indicate a security risk. The access attempts are not on sensitive files, but you can report the issue to your hosting provider if you are concerned about the security of the server. Thank you.