Koozali.org: home of the SME Server

hacking attempt or something else

forumuser7

hacking attempt or something else
« on: February 08, 2006, 08:13:58 PM »
Hi,

I am posting part of my SME 7pre1 server's httpd error log files below. I've replaced the real IPs...

Can anyone tell me if this is actually a hacking attempt or if this is something else?
(It looks like a script searching for phpMyAdmin )
Are there any known scripts out there searching for SME's or other exploits?

Do I need to take some extra measures to protect SME server/gateway?
Please advise!

Thank you!
-------------------------------------------------------------------------

[Tue Jan 10 10:12:51 2006] [error] [client 200.200.200.200] script not found or unable to stat: /home/e-smith/files/ibays/Primary/cgi-bin/awstats
[Tue Jan 10 10:12:52 2006] [error] [client 200.200.200.200] script not found or unable to stat: /home/e-smith/files/ibays/Primary/cgi-bin/awstats.pl
[Tue Jan 10 10:12:52 2006] [error] [client 200.200.200.200] File does not exist: /home/e-smith/files/ibays/Primary/html/cgi
[Tue Jan 10 10:12:53 2006] [error] [client 200.200.200.200] File does not exist: /home/e-smith/files/ibays/Primary/html/awstats
[Tue Jan 10 10:12:54 2006] [error] [client 200.200.200.200] script not found or unable to stat: /home/e-smith/files/ibays/Primary/cgi-bin/stats
[Tue Jan 10 10:12:54 2006] [error] [client 200.200.200.200] File does not exist: /home/e-smith/files/ibays/Primary/html/stats
[Tue Jan 10 10:12:55 2006] [error] [client 200.200.200.200] File does not exist: /home/e-smith/files/ibays/Primary/html/awstats.pl
[Tue Jan 10 10:12:55 2006] [error] [client 200.200.200.200] File does not exist: /home/e-smith/files/ibays/Primary/html/cgi

[Tue Jan 10 15:58:25 2006] [error] [client 100.100.100.100] File does not exist: /home/e-smith/files/ibays/Primary/html/awstats
[Tue Jan 10 15:58:26 2006] [error] [client 100.100.100.100] script not found or unable to stat: /home/e-smith/files/ibays/Primary/cgi-bin/awstats.pl
[Tue Jan 10 15:58:27 2006] [error] [client 100.100.100.100] script not found or unable to stat: /home/e-smith/files/ibays/Primary/cgi-bin/awstats
[client 100.100.100.100] script '/home/e-smith/files/ibays/Primary/html/xmlrpc.php' not found or unable to stat
[Tue Jan 10 15:58:37 2006] [error] [client 100.100.100.100] File does not exist: /home/e-smith/files/ibays/Primary/html/blog
[Tue Jan 10 15:58:39 2006] [error] [client 100.100.100.100] File does not exist: /home/e-smith/files/ibays/Primary/html/blog
[Tue Jan 10 15:58:44 2006] [error] [client 100.100.100.100] File does not exist: /home/e-smith/files/ibays/Primary/html/blogs

[Tue Jan 10 18:02:52 2006] [error] [client 222.222.222.222] access to /opt/phpmyadmin/main.php failed, reason: SSL connection required
[Tue Jan 10 18:02:52 2006] [error] [client 222.222.222.222] File does not exist: /home/e-smith/files/ibays/Primary/html/PMA
[Tue Jan 10 18:02:52 2006] [error] [client 222.222.222.222] File does not exist: /home/e-smith/files/ibays/Primary/html/mysql
[Tue Jan 10 18:02:52 2006] [error] [client 222.222.222.222] File does not exist: /home/e-smith/files/ibays/Primary/html/admin
[Tue Jan 10 18:02:52 2006] [error] [client 222.222.222.222] File does not exist: /home/e-smith/files/ibays/Primary/html/db
[Tue Jan 10 18:02:52 2006] [error] [client 222.222.222.222] File does not exist: /home/e-smith/files/ibays/Primary/html/dbadmin
[Tue Jan 10 18:02:52 2006] [error] [client 222.222.222.222] File does not exist: /home/e-smith/files/ibays/Primary/html/web
[Tue Jan 10 18:02:52 2006] [error] [client 222.222.222.222] File does not exist: /home/e-smith/files/ibays/Primary/html/admin
[Tue Jan 10 18:02:52 2006] [error] [client 222.222.222.222] File does not exist: /home/e-smith/files/ibays/Primary/html/admin
[Tue Jan 10 18:02:53 2006] [error] [client 222.222.222.222] File does not exist: /home/e-smith/files/ibays/Primary/html/admin
[Tue Jan 10 18:02:53 2006] [error] [client 222.222.222.222] File does not exist: /home/e-smith/files/ibays/Primary/html/mysql-admin
[Tue Jan 10 18:02:53 2006] [error] [client 222.222.222.222] File does not exist: /home/e-smith/files/ibays/Primary/html/phpmyadmin2
[Tue Jan 10 18:02:53 2006] [error] [client 222.222.222.222] File does not exist: /home/e-smith/files/ibays/Primary/html/mysqladmin
[Tue Jan 10 18:02:53 2006] [error] [client 222.222.222.222] File does not exist: /home/e-smith/files/ibays/Primary/html/mysql-admin
[client 222.222.222.222] script '/home/e-smith/files/ibays/Primary/html/main.php' not found or unable to stat
[Tue Jan 10 18:02:53 2006] [error] [client 222.222.222.222] File does not exist: /home/e-smith/files/ibays/Primary/html/phpMyAdmin-2.5.6
[Tue Jan 10 18:02:53 2006] [error] [client 222.222.222.222] File does not exist: /home/e-smith/files/ibays/Primary/html/phpMyAdmin-2.5.4
[Tue Jan 10 18:02:53 2006] [error] [client 222.222.222.222] File does not exist: /home/e-smith/files/ibays/Primary/html/phpMyAdmin-2.5.1
[Tue Jan 10 18:02:53 2006] [error] [client 222.222.222.222] File does not exist: /home/e-smith/files/ibays/Primary/html/phpMyAdmin-2.2.3
[Tue Jan 10 18:02:56 2006] [error] [client 222.222.222.222] File does not exist: /home/e-smith/files/ibays/Primary/html/phpMyAdmin-2.2.6
[Tue Jan 10 18:02:56 2006] [error] [client 222.222.222.222] File does not exist: /home/e-smith/files/ibays/Primary/html/myadmin

[Tue Jan 10 19:34:15 2006] [notice] caught SIGTERM, shutting down
[Tue Jan 10 19:24:14 2006] [warn] RSA server certificate CommonName (CN) hostname.domain.com' does NOT match server name!?
[Tue Jan 10 19:24:14 2006] [notice] Digest: generating secret for digest authentication ...
[Tue Jan 10 19:24:14 2006] [notice] Digest: done
[Tue Jan 10 19:24:18 2006] [warn] RSA server certificate CommonName (CN) hostname.domain.com' does NOT match server name!?
[Tue Jan 10 19:24:18 2006] [notice] Apache configured -- resuming normal operations
--------------------------------------------------------------------------

jfarschman

hacking attempt or something else
« Reply #1 on: February 09, 2006, 03:41:03 PM »
Yes,

  It looks like something was probing for phpmyadmin on your server.  I say thing because it all happened very quickly.  My guess is that it knows these versions are vulnerable...  They are fishing for vulnerabilities.

  More than likely your version is not listed... and also secured by a password.  Right?

Code:

[Tue Jan 10 18:02:53 2006] [error] [client 222.222.222.222] File does not exist: /home/e-smith/files/ibays/Primary/html/phpMyAdmin-2.5.6
[Tue Jan 10 18:02:53 2006] [error] [client 222.222.222.222] File does not exist: /home/e-smith/files/ibays/Primary/html/phpMyAdmin-2.5.4
[Tue Jan 10 18:02:53 2006] [error] [client 222.222.222.222] File does not exist: /home/e-smith/files/ibays/Primary/html/phpMyAdmin-2.5.1
[Tue Jan 10 18:02:53 2006] [error] [client 222.222.222.222] File does not exist: /home/e-smith/files/ibays/Primary/html/phpMyAdmin-2.2.3
[Tue Jan 10 18:02:56 2006] [error] [client 222.222.222.222] File does not exist: /home/e-smith/files/ibays/Primary/html/phpMyAdmin-2.2.6
Jay Farschman
ICQ - 60448985
jay@hitechsavvy.com
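
The pattern discussed in the posts above, one client requesting many different non-existent paths within a few seconds, can be checked mechanically. This is an added example, not part of the original posts: it parses error-log lines in the format shown in the thread, and the 10-second window, the threshold of 5 distinct paths, and the sample lines (documentation-range addresses) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the two "not found" error forms that carry a timestamp in the thread's log.
LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
    r"(?:File does not exist|script not found or unable to stat): (?P<path>\S+)$"
)

def find_scanners(log_text, window_s=10, min_paths=5):
    """Return {client_ip: most distinct missing paths seen in any window}."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # notices, warnings, and lines without a timestamp
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        events[m["ip"]].append((ts, m["path"]))
    flagged = {}
    for ip, hits in events.items():
        hits.sort()
        best, start = 0, 0
        for end in range(len(hits)):
            # Shrink the window until it spans at most window_s seconds.
            while hits[end][0] - hits[start][0] > timedelta(seconds=window_s):
                start += 1
            # Count distinct paths so one broken link hit repeatedly is not flagged.
            best = max(best, len({p for _, p in hits[start:end + 1]}))
        if best >= min_paths:
            flagged[ip] = best
    return flagged

# Constructed sample: one probing client, one client with a single broken link.
ROOT = "/home/e-smith/files/ibays/Primary/html/"

def _line(ts, ip, name):
    return f"[Tue Jan 10 {ts} 2006] [error] [client {ip}] File does not exist: {ROOT}{name}"

SAMPLE = "\n".join(
    [_line("18:02:52", "192.0.2.10", n) for n in ("PMA", "mysql", "admin", "admin", "db")]
    + [_line("18:02:53", "192.0.2.10", n) for n in ("phpMyAdmin-2.5.6", "phpMyAdmin-2.5.4")]
    + [_line(f"18:05:0{i}", "198.51.100.7", "favicon.ico") for i in range(6)]
    + ["[Tue Jan 10 19:24:18 2006] [notice] Apache configured -- resuming normal operations"]
)

if __name__ == "__main__":
    print(find_scanners(SAMPLE))
```

Only the first client is reported; the second makes six requests but always for the same missing file, so its distinct-path count stays at 1.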

forumuser7

hacking attempt or something else
« Reply #2 on: February 09, 2006, 06:13:55 PM »
Thank You jfarschman!

Yes, it seems that this is a script probing for vulnerable versions of phpmyadmin.
Even if phpMyAdmin is secured by password, don't you think that it is better
to uninstall it, as brute force attacks are still possible?

What about the first part of the log file where the script is probing awstats?
Any potential risks?

Thank you again for the comment!

jfarschman

hacking attempt or something else
« Reply #3 on: February 09, 2006, 07:02:24 PM »
Hey man!

  I'm not a security expert.  But my guess is if somebody is probing for it then there has to be a version of it that's not secure.

  Sure you can uninstall things... and you should uninstall... or refrain from installing them in the first place unless you need them.  But if you need them, keep them and get a good password.

  One of the coolest things about the SME7 is the ability to enforce strong passwords.  If you have a strong password the odds of you getting hacked go down considerably.  Most brute force attackers do the attack hoping that they can get lucky in a short amount of time.  If they are still trying to brute force your machine after a day, they will probably give up and work on another machine.
Jay Farschman
ICQ - 60448985
jay@hitechsavvy.com

forumuser7

hacking attempt or something else
« Reply #5 on: February 09, 2006, 07:54:12 PM »
Thank You Jay,
your opinion is valuable to me!


Thank you for your comments!