php5.cgi attacking?

#1 Mon, 10/20/2014 - 12:21
edwardsmarkf


hello - i received a nasty-gram about my server hacking from a German server that provided me with the following information (below). in order to understand the German stuff, i was forced to watch several episodes of "Hogan's Heroes".

the (supposed) offending programs were:

virtue-now.net/cgi-bin/php5.cgi bayern-polen.info/cgi-bin/php5.cgi

neither of which is a domain on my server.

since the offending programs were php5.cgi, i assume this is virtualmin?

any suggestions?? thank you!

files sent to me:

199-231-184.26.txt

DETAILS ZU DEN ATTACKEN/STÖRUNGEN | DETAILS OF THE ATTACKS (letzten 60 Tage / max. 100 St.) | (last 60 days / max. 100 hits)

| IP-NUMBER: 199.231.184.26
| HOSTNAME : comptonpeslonline.com
|---------------------------------------------------------
| TIMESTAMP                  | ATTACKS             | Port  | TARGET-HOST
|---------------------------------------------------------
| 2014-10-19T18:35:18+02:00  | backdoor scann      | 80    | host11.checkdomain.de      |
| 2014-10-18T23:40:55+02:00  | backdoor scann      | 80    | host11a.checkdomain.de     |
|---------------------------------------------------------

VORHERIGE SPERREN DER IP-NUMMER | BANNED HISTORY OF THIS IP-NUMBER
199.231.184.26: this ip-number was never banned before

AUZUG AUS SERVERLOGDATEI | EXCERPT FROM SERVER LOGFILE
virtue-now.net/cgi-bin/php5.cgi (Proto: HTTP/1.1 / Local-IP: 130.185.109.77 / Local-Port: 80)
bayern-polen.info/cgi-bin/php5.cgi (Proto: HTTP/1.1 / Local-IP: 130.185.108.125 / Local-Port: 80)

report.txt

Reported-From: abuse-out@checkdomain.de
Category: abuse
Report-Type: hack-attack
Service: http
Version: 0.1
User-Agent: Checkdomain Express 0.19
Date: Sun, 19 Oct 2014 18:58:21 +0200
Source-Type: ipv4
Source: 199.231.184.26
Port: 80
Report-ID: 107111948337@checkdomain.de
Schema-URL: http://www.blocklist.de/downloads/schema/info_0.1.1.json
Attachment: text/plain

Mon, 10/20/2014 - 13:06
edwardsmarkf

sorry, having trouble with the forum interface today.

i took their German timestamps and subtracted six (for EST) but didn't see anything unusual in my log files during that time period.

here is what i am seeing in the 199-231-184-26.txt file that was sent to me:

|---------------------------------------------------------
| TIMESTAMP                  | ATTACKS             | Port  | TARGET-HOST                
|--------------------------------------------------------
| 2014-10-19T18:35:18+02:00  | backdoor scann      | 80    | host11.checkdomain.de      |
| 2014-10-18T23:40:55+02:00  | backdoor scann      | 80    | host11a.checkdomain.de     |
|---------------------------------------------------------
 
| BANNED HISTORY OF THIS IP-NUMBER
-----------------------------------------------------------------------------------------
199.231.184.26: this ip-number was never banned before
-----------------------------------------------------------------------------------------
EXCERPT FROM SERVER LOGFILE
virtue-now.net/cgi-bin/php5.cgi (Proto: HTTP/1.1 / Local-IP: 130.185.109.77 / Local-Port: 80)
bayern-polen.info/cgi-bin/php5.cgi (Proto: HTTP/1.1 / Local-IP: 130.185.108.125 / Local-Port: 80)

report.txt file:

---
Reported-From: abuse-out@checkdomain.de
Category: abuse
Report-Type: hack-attack
Service: http
Version: 0.1
User-Agent: Checkdomain Express 0.19
Date: Sun, 19 Oct 2014 18:58:21 +0200
Source-Type: ipv4
Source: 199.231.184.26
Port: 80
Report-ID: 107111948337@checkdomain.de
Schema-URL: http://www.blocklist.de/downloads/schema/info_0.1.1.json
Attachment: text/plain
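The timestamp conversion done by hand above, as an added example that is not part of the thread: it parses the attack table from the report, converts the +02:00 timestamps into the server's own timezone with DST applied, and picks out the Apache access-log lines around each reported event. It assumes combined-format Apache logs and a server in America/New_York; the log lines are constructed samples.

```python
# Added example (not from the thread): parse the attack table quoted above, convert its
# +02:00 timestamps into the server's own timezone, and pick out local Apache access-log
# lines near each reported event. Assumes combined-format logs and America/New_York.
import re
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo
# Attack rows from the 199-231-184-26.txt quoted in the thread.
ATTACK_TABLE = """\
| 2014-10-19T18:35:18+02:00  | backdoor scann      | 80    | host11.checkdomain.de      |
| 2014-10-18T23:40:55+02:00  | backdoor scann      | 80    | host11a.checkdomain.de     |
"""
# Constructed sample access-log lines (not real log data); offsets are the server's own.
ACCESS_LOG = """\
203.0.113.7 - - [19/Oct/2014:12:34:02 -0400] "POST /uploads/x.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Oct/2014:12:35:40 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Oct/2014:15:01:10 -0400] "GET /robots.txt HTTP/1.1" 200 68 "-" "curl/7.26"
"""
ROW_RE = re.compile(r"^\|\s*(\S+)\s*\|\s*(.*?)\s*\|\s*(\d+)\s*\|\s*(\S+)\s*\|")
LOG_TS_RE = re.compile(r"\[([^\]]+)\]")

def parse_attack_rows(text):
    """Return (timestamp, attack, port, target) per table row; the +02:00 offset is kept."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3)), m.group(4)))
    return rows

def server_tz(name="America/New_York"):
    """Resolve the server zone; fall back to fixed EDT (UTC-4) if no tzdata is installed."""
    try:
        return ZoneInfo(name)
    except Exception:
        return timezone(timedelta(hours=-4), "EDT")

def to_local(ts, tz=None):
    """Convert an offset-aware timestamp into the server's zone. zoneinfo applies DST, so
    October 2014 lands on EDT (UTC-4): the six-hour gap from CEST the poster subtracted."""
    return ts.astimezone(tz or server_tz())

def log_lines_near(log_text, when, minutes=5):
    """Return access-log lines whose timestamp lies within +/- `minutes` of `when`."""
    window, hits = timedelta(minutes=minutes), []
    for line in log_text.splitlines():
        m = LOG_TS_RE.search(line)
        ts = m and datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        if ts and abs(ts - when) <= window:
            hits.append(line)
    return hits
```

Because the report names the poster's IP as the source and the checkdomain.de hosts as the targets, any inbound log lines found this way are only circumstantial; the local times it produces are the windows in which to look for whatever on the server originated the outbound requests.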