Koozali.org: home of the SME Server

Obsolete Releases => SME Server 7.x => Topic started by: jameswilson on November 08, 2007, 01:05:04 AM

Title: possibly compromised and looking for advice
Post by: jameswilson on November 08, 2007, 01:05:04 AM
On checking my awstats I see that I have some authenticated logins from user names I don't know. In fact there should be no authenticated logins, so I started looking.

I found this in an error log (various bits removed for now):
Quote
[Wed Nov 07 23:25:21 2007] [error] [client 127.0.0.1] Quantifier follows nothing in regex; marked by <-- HERE in m/* <-- HERE [USER NAME HERE]*/ at /etc/e-smith/web/panels/manager/cgi-bin/viewlogfiles line 274, <LOGFILE> line 1., referer: https://www.domianname.co.uk/server-manager/cgi-bin/viewlogfiles

I'll keep looking, but do I need to worry, and what do I need to do to stop it?

From a worried James


PS: I have various accesses from the above user and previous different user names in the months before, but they are just HTTP GET and a few POST, whatever that means.
Title: Re: possibly compromised and looking for advice
Post by: mmccarn on November 08, 2007, 12:40:50 PM
Send an email to 'security at contribs dot org' asking the same question.
Title: Re: possibly compromised and looking for advice
Post by: jameswilson on November 08, 2007, 05:37:30 PM
Quote
Send an email to 'security at contribs dot org' asking the same question.

OK, will do. Many thanks.