Hack Attempt?


Hack Attempt?

Post by bubbathegimp »

I was looking at the error log on my ISP provider, and noticed a file not found error for a subdomain setup for downloads.
wp-login.php... (I don't use WordPress)
somebody trying to slip me the "Anal Probe"??
Last edited by thecoalman on Wed Apr 21, 2021 3:49 pm, edited 1 time in total.
Reason: Merged topics

Re: Hack Attempt?

Post by HiFiKabin »

Just 'normal' SPAMbot activity in my experience. They look around any site for logon and register pages trying their luck.

As long as your anti-spam measures are robust, and you have complex passwords for your admin account, they will be left waiting at the door.

Script Kiddies??!!

Post by bubbathegimp »

Looks like I have another hack attempt....
Trying to access files that don't exist.
(Actual Directory structure edited)

Code: Select all

[Fri Apr 09 17:43:57.151006 2021] [:error] [pid 420843:tid 139724840216320] [client 91.241.19.175:41960] File does not exist: /home/name/public_html/linusadmin-phpinfo.php

[Fri Apr 09 17:43:47.725640 2021] [:error] [pid 420843:tid 139724857001728] [client 91.241.19.175:39814] File does not exist: /home/name/public_html/infos.php

[Fri Apr 09 17:43:08.627483 2021] [:error] [pid 420556:tid 139725008070400] [client 91.241.19.175:59368] File does not exist: /home/name/public_html/time.php

[Fri Apr 09 17:42:59.250833 2021] [:error] [pid 420843:tid 139725041641216] [client 91.241.19.175:57526] File does not exist: /home/name/public_html/phpversion.php

[Fri Apr 09 17:42:29.100358 2021] [:error] [pid 387425:tid 139724907357952] [client 91.241.19.175:51302] File does not exist: /home/name/public_html/i.php

[Fri Apr 09 17:42:09.765932 2021] [:error] [pid 389757:tid 139724940928768] [client 91.241.19.175:47288] File does not exist: /home/name/public_html/php_info.php

[Fri Apr 09 14:34:27.209106 2021] [:error] [pid 953635:tid 139725117175552] [client 176.111.51.85:50764] File does not exist: /home/name/public_html/gb.php

[Fri Apr 09 14:34:26.627411 2021] [cgid:error] [pid 947072:tid 139725108782848] [client 176.111.51.85:50761] AH01264: script not found or unable to stat: /home/name/public_html/g_book.cgi

[Fri Apr 09 14:34:25.564883 2021] [:error] [pid 948619:tid 139724940928768] [client 176.111.51.85:50748] File does not exist: /home/name/public_html/gaestebuch.php

[Fri Apr 09 14:34:24.499654 2021] [:error] [pid 953635:tid 139724697540352] [client 176.111.51.85:50730] File does not exist: /home/name/public_html/scarbook.php

[Fri Apr 09 14:34:23.968195 2021] [:error] [pid 947072:tid 139724991284992] [client 176.111.51.85:50725] File does not exist: /home/name/public_html/guestbook.php

[Fri Apr 09 14:34:23.439453 2021] [cgid:error] [pid 947072:tid 139724722718464] [client 176.111.51.85:50718] AH01264: script not found or unable to stat: /home/name/public_html/album.cgi

[Fri Apr 09 14:34:22.369967 2021] [:error] [pid 947072:tid 139724731111168] [client 176.111.51.85:50704] File does not exist: /home/name/public_html/jax_guestbook.php

[Fri Apr 09 14:34:21.841444 2021] [cgid:error] [pid 948619:tid 139724722718464] [client 176.111.51.85:50695] AH01264: script not found or unable to stat: /home/name/public_html/aska.cgi

[Fri Apr 09 14:34:20.783202 2021] [cgid:error] [pid 953635:tid 139724747896576] [client 176.111.51.85:50680] AH01264: script not found or unable to stat: /home/name/public_html/yybbs.cgi

[Fri Apr 09 14:34:20.215897 2021] [cgid:error] [pid 953635:tid 139724672362240] [client 176.111.51.85:50672] AH01264: script not found or unable to stat: /home/name/public_html/seo-joy.cgi

[Fri Apr 09 14:34:19.683259 2021] [:error] [pid 953635:tid 139724949321472] [client 176.111.51.85:50667] File does not exist: /home/name/public_html/Guestbook.php

[Fri Apr 09 14:34:18.597118 2021] [cgid:error] [pid 948619:tid 139725033248512] [client 176.111.51.85:50651] AH01264: script not found or unable to stat: /home/name/public_html/light.cgi

[Fri Apr 09 14:34:18.025285 2021] [:error] [pid 948619:tid 139724798252800] [client 176.111.51.85:50644] File does not exist: /home/name/public_html/gastenboek.php

[Fri Apr 09 14:34:17.448159 2021] [cgid:error] [pid 947072:tid 139724882179840] [client 176.111.51.85:50637] AH01264: script not found or unable to stat: /home/name/public_html/bbs.cgi

[Fri Apr 09 14:34:16.902389 2021] [:error] [pid 948619:tid 139725150746368] [client 176.111.51.85:50629] File does not exist: /home/name/public_html/guestbook.php

[Fri Apr 09 14:34:16.367637 2021] [:error] [pid 953635:tid 139724982892288] [client 176.111.51.85:50625] File does not exist: /home/name/public_html/home.php

[Fri Apr 09 14:34:15.805184 2021] [:error] [pid 947072:tid 139724932536064] [client 176.111.51.85:50621] File does not exist: /home/name/public_html/index.php

[Fri Apr 09 14:34:14.736748 2021] [:error] [pid 948619:tid 139725066819328] [client 176.111.51.85:50611] File does not exist: /home/name/public_html/modules.php

[Fri Apr 09 14:34:14.205702 2021] [:error] [pid 953635:tid 139724697540352] [client 176.111.51.85:50606] File does not exist: /home/name/public_html/index.php

[Fri Apr 09 14:34:13.634469 2021] [:error] [pid 953635:tid 139725008070400] [client 176.111.51.85:50603] File does not exist: /home/name/public_html/index.php

[Fri Apr 09 10:08:48.877169 2021] [authz_core:error] [pid 179970:tid 139725050033920] [client 207.46.13.19:19584] AH01630: client denied by server configuration: /home/name/manuals.cornpone.net/Heathkit/error_log

[Fri Apr 09 09:09:41.964083 2021] [:error] [pid 1021679:tid 139725117175552] [client 184.154.76.23:39384] File does not exist: /home/name/public_html/viewtopic.php

[Fri Apr 09 09:09:40.115234 2021] [:error] [pid 1007122:tid 139724638791424] [client 184.154.76.23:38654] File does not exist: /home/name/public_html/index.php

[Fri Apr 09 09:09:39.880583 2021] [authz_core:error] [pid 1001005:tid 139724773074688] [client 184.154.76.23:38514] AH01630: client denied by server configuration: /home/name/public_html/error_log

[Fri Apr 09 09:09:39.063606 2021] [:error] [pid 1008590:tid 139724898965248] [client 184.154.76.23:38128] File does not exist: /home/name/public_html/index.php

[Fri Apr 09 09:09:38.281267 2021] [:error] [pid 1001005:tid 139725108782848] [client 184.154.76.23:37700] File does not exist: /home/name/public_html/index.php

[Fri Apr 09 09:09:38.029485 2021] [:error] [pid 1007122:tid 139724689147648] [client 184.154.76.23:37556] File does not exist: /home/name/public_html/viewforum.php

[Fri Apr 09 09:09:37.211603 2021] [:error] [pid 1008590:tid 139724915750656] [client 184.154.76.23:37186] File does not exist: /home/name/public_html/faq.php

[Fri Apr 09 09:09:36.376625 2021] [:error] [pid 1008590:tid 139724999677696] [client 184.154.76.23:36770] File does not exist: /home/name/public_html/viewforum.php

[Thu Apr 08 16:53:32.708794 2021] [:error] [pid 425078:tid 139725008070400] [client 45.251.35.233:7911] File does not exist: /home/name/manuals.cornpone.net/adminer.php

[Thu Apr 08 09:07:37.133396 2021] [:error] [pid 106736:tid 139725016463104] [client 184.154.139.47:46472] File does not exist: /home/name/public_html/ucp.php

[Thu Apr 08 09:07:36.821949 2021] [:error] [pid 106736:tid 139724781467392] [client 184.154.139.47:46338] File does not exist: /home/name/public_html/viewforum.php

[Thu Apr 08 09:07:36.298974 2021] [:error] [pid 117965:tid 139725150746368] [client 184.154.139.47:46068] File does not exist: /home/name/public_html/viewforum.php

[Thu Apr 08 09:07:36.035568 2021] [:error] [pid 115306:tid 139724705933056] [client 184.154.139.47:45944] File does not exist: /home/name/public_html/faq.php

[Thu Apr 08 09:07:35.541903 2021] [:error] [pid 117965:tid 139725117175552] [client 184.154.139.47:45732] File does not exist: /home/name/public_html/viewtopic.php

[Thu Apr 08 09:07:35.307318 2021] [:error] [pid 104941:tid 139724924143360] [client 184.154.139.47:45620] File does not exist: /home/name/public_html/memberlist.php

[Thu Apr 08 09:07:34.833398 2021] [:error] [pid 106736:tid 139725050033920] [client 184.154.139.47:45326] File does not exist: /home/name/public_html/viewforum.php

[Thu Apr 08 09:07:34.265930 2021] [:error] [pid 106736:tid 139724873787136] [client 184.154.139.47:45046] File does not exist: /home/name/public_html/index.php

[Thu Apr 08 09:07:33.227831 2021] [:error] [pid 117965:tid 139725133960960] [client 184.154.139.47:44454] File does not exist: /home/name/public_html/index.php, referer: http://www.google.com/url?url=www.cornpone.net&yahoo.com

[Thu Apr 08 07:45:22.690165 2021] [authz_core:error] [pid 894615:tid 139724764681984] [client 58.123.37.254:24189] AH01630: client denied by server configuration: /home/name/manuals.cornpone.net/Heathkit/error_log, referer: https://www.google.com/

[Thu Apr 08 06:04:23.868832 2021] [:error] [pid 607997:tid 139724848609024] [client 94.70.109.14:58034] File does not exist: /home/name/manuals.cornpone.net/wp-login.php

[Thu Apr 08 02:07:10.007755 2021] [authz_core:error] [pid 959674:tid 139724663969536] [client 104.231.33.212:57722] AH01630: client denied by server configuration: /home/name/manuals.cornpone.net/Heathkit/error_log

[Thu Apr 08 01:53:08.979684 2021] [authz_core:error] [pid 927092:tid 139725008070400] [client 104.231.33.212:57218] AH01630: client denied by server configuration: /home/name/manuals.cornpone.net/Heathkit/error_log, referer: https://www.google.com/    
This is why you put a forum in a subdomain, and not in the Public_html Folder
Read that bit of wisdom several years ago
So far, all the addresses I have tried to look up are all tied to a VPN
Last edited by thecoalman on Sat Apr 10, 2021 10:33 am, edited 1 time in total.
Reason: Added code tags. Please use code tags when posting code, logs etc.

Re: Script Kiddies??!!

Post by thecoalman »

This is common and nothing to worry about unless you have a vulnerable script or they are using too many resources. It's just a bot hitting multiple IPs within your host's range or random domains from a list they have, analogous to the robo caller that simply dials every phone number. The only action I have ever taken was blocking access to wp-admin.php or whatever it is, only because they were clogging up log files.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
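
An added example (not part of any post in this thread): a short Python script that separates the scripted bursts visible in the log above from one-off misses, by grouping missing-file entries per client and flagging clients that ask for several different nonexistent files within a short window. The sample lines are constructed in the same Apache error-log layout with documentation-range addresses, and the threshold of 3 files and the 2-minute window are assumptions to tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the Apache 2.4 error-log layout quoted in the thread.
# Client addresses are documentation-range placeholders, not real scanners.
SAMPLE_LOG = """\
[Fri Apr 09 17:42:09.765932 2021] [:error] [pid 11:tid 21] [client 192.0.2.10:47288] File does not exist: /home/name/public_html/php_info.php
[Fri Apr 09 17:42:29.100358 2021] [:error] [pid 11:tid 22] [client 192.0.2.10:51302] File does not exist: /home/name/public_html/i.php
[Fri Apr 09 17:42:59.250833 2021] [:error] [pid 12:tid 23] [client 192.0.2.10:57526] File does not exist: /home/name/public_html/phpversion.php
[Fri Apr 09 17:43:08.627483 2021] [:error] [pid 12:tid 24] [client 192.0.2.10:59368] File does not exist: /home/name/public_html/time.php
[Fri Apr 09 14:34:23.439453 2021] [cgid:error] [pid 13:tid 25] [client 198.51.100.7:50718] AH01264: script not found or unable to stat: /home/name/public_html/album.cgi
[Thu Apr 08 06:04:23.868832 2021] [:error] [pid 14:tid 27] [client 203.0.113.5:58034] File does not exist: /home/name/public_html/wp-login.php
[Thu Apr 08 09:07:33.227831 2021] [:error] [pid 15:tid 28] [client 203.0.113.9:44454] File does not exist: /home/name/public_html/index.php, referer: http://example.com/
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[[^\]]*\] \[pid [^\]]+\] "
    r"\[client (?P<ip>[0-9A-Fa-f.:]+):\d+\] "
    r"(?:AH\d+: )?(?:File does not exist|script not found or unable to stat): "
    r"(?P<path>[^,\s]+)")

def parse_missing(text):
    """Yield (timestamp, client_ip, path) for every missing-file entry."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
            yield ts, m["ip"], m["path"]

def find_probe_bursts(text, min_paths=3, window=timedelta(minutes=2)):
    """Map each client that hit >= min_paths distinct missing files in one window to those files."""
    by_ip = defaultdict(list)
    for ts, ip, path in parse_missing(text):
        by_ip[ip].append((ts, path.rsplit("/", 1)[-1]))
    bursts = {}
    for ip, hits in by_ip.items():
        hits.sort()  # the log in the thread is newest-first
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            names = {name for _, name in hits[start:end + 1]}
            if len(names) >= min_paths:
                bursts[ip] = sorted(set(bursts.get(ip, [])) | names)
    return bursts

if __name__ == "__main__":
    for ip, names in find_probe_bursts(SAMPLE_LOG).items():
        print(ip, "probed", ", ".join(names))
```
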

Re: Script Kiddies??!!

Post by Mick »

bubbathegimp wrote: Sat Apr 10, 2021 10:22 am This is why you put a forum in a subdomain
I’m not certain that’s correct, all that’s achieved with a subdomain is it’s regarded as a different site. For either root or subdomain to be ‘secure’ you need the correct security measures in place which your host should be handling.
  • "The more connected we get the more alone we become" - Kyle Broflovski©
  • "The good news is hell is just the product of a morbid human imagination. The bad news is, whatever humans can imagine, they can usually create." - Harmony Cobel

Re: Script Kiddies??!!

Post by thecoalman »

Putting something like a forum in a subdomain is an old SEO trick because it would typically rank higher than putting it in a subdirectory of the domain. This would still have to work to some degree. There is a lot of content out there that is truly separate from the main domain, especially for universities and government sites.

Never considered it as a security measure; security through obscurity always works to some degree because these probes are scripted. It's going to depend on how they are compiling their list for what they are requesting. For example, if they were running the bot across a range of IPs the subdomain would never enter the picture. Why they would do this is a lot of VPS/dedicated servers are set up to spit out the default domain when a request comes through the IP. Typically bigger fish to fry than shared hosts.

Generally speaking, not something I would do just to try and help secure something. You are still going to see these requests, subdomain or not.

Re: Script Kiddies??!!

Post by JLA »

Don't worry. We see tens of thousands of these a day. If you have good security and code - then they are nothing but gnats.

Re: Hack Attempt?

Post by JLA »

This is a real old bot - we've seen it for the last decade at least I think. Nothing to worry about.

Re: Hack Attempt?

Post by obfuscated »

bubbathegimp wrote: Tue Feb 02, 2021 1:05 pm I was looking at the error log on my ISP provider, and noticed a file not found error for a subdomain setup for downloads.
wp-login.php... (I don't use WordPress)
somebody trying to slip me the "Anal Probe"??
For what it's worth when I see activity like that I usually block those IP addresses

Re: Hack Attempt?

Post by thecoalman »

These requests are usually coming from compromised machines so the IPs are constantly changing. Unless you have an automated response to block the IP it's a largely useless effort. mod_security for example can do this but it's usually for a set time limit because you will end up with some ridiculous amount of IPs blocked requiring a lot of server resources. I use Cloudflare and use a page rule to block these requests but only so they aren't clogging up my logs. As someone mentioned above they are like gnats, mostly harmless but really annoying.