thr3ads.net - CentOS - [CentOS] I guess hacker me

If this information is useful, please help other people find it:
Share via:

Alexander Dalloz

2006-Jan-30 17:28 UTC

[CentOS] I guess hacker me - URGENT

Am Mo, den 30.01.2006 schrieb Adriano Frare um 19:17:
> I use Centos 4.2 with all service pack installed. I verified traffic on 
> link WEB and I see port TCP 80 with many traffic.
> 
> I accessed lod /var/log/httpd/access_log and show below.
> 
> ca.com/members/index.php HTTP/1.0" 401 - 
> "http://members.sapphicerotica.com/members/index.php"
"Mozilla/5.0 (
> compatible; MSIE 5.01; Windows XP; NetCaptor )"
> 68.119.110.138 - - [30/Jan/2006:15:08:08 -0200] "GET 
>
http://211.115.101.253/config/login?.done=http://smallbusiness.yahoo.com/services/index.php&.src=sbs&login=NsyncAngel9&passwd=xxxx
> HTTP/1.0" 200 9794 "-" "-"
> 68.119.110.138 - - [30/Jan/2006:15:08:10 -0200] "GET 
>
http://211.115.101.253/config/login?.done=http://smallbusiness.yahoo.com/services/index.php&.src=sbs&login=CoolPimP2&passwd=xxxx
> HTTP/1.0" 200 9786 "-" "-"
> 80.144.212.33 - - [30/Jan/2006:15:08:09 -0200] "GET 
> http://www.995members.com/members/ HTTP/1.0" 401 472 
> "http://www.995members.com" "Mozilla/5.0 ( Windows; U;
Windows NT5.1;
> DigiExt )"
> 68.119.110.138 - - [30/Jan/2006:15:08:10 -0200] "GET 
>
http://211.115.101.253/config/login?.done=http://smallbusiness.yahoo.com/services/index.php&.src=sbs&login=Cool19999&passwd=xxxx
> HTTP/1.0" 200 9786 "-" "-"
> 68.119.110.138 - - [30/Jan/2006:15:08:12 -0200] "GET 
>
http://211.115.101.253/config/login?.done=http://smallbusiness.yahoo.com/services/index.php&.src=sbs&login=COOL699&passwd=xxxx
> HTTP/1.0" 200 9786 "-" "-"
> 68.119.110.138 - - [30/Jan/2006:15:08:13 -0200] "GET 
>
http://211.115.101.253/config/login?.done=http://smallbusiness.yahoo.com/services/index.php&.src=sbs&login=COOL696&passwd=xxxx
> HTTP/1.0" 200 9786 "-" "-"
> 68.119.110.138 - - [30/Jan/2006:15:08:14 -0200] "GET 
>
http://211.115.101.253/config/login?.done=http://smallbusiness.yahoo.com/services/index.php&.src=sbs&login=Cool1875&passwd=xxxx
> HTTP/1.0" 200 9786 "-" "-"
> 68.119.110.138 - - [30/Jan/2006:15:08:16 -0200] "GET 
>
http://216.109.126.252/config/login?.done=http://smallbusiness.yahoo.com/services/index.php&.src=sbs&login=Cool69_&passwd=xxxx
> HTTP/1.0" 999 4445 "-" "-"
> 68.119.110.138 - - [30/Jan/2006:15:08:17 -0200] "GET 
>
http://216.109.126.252/config/login?.done=http://smallbusiness.yahoo.com/services/index.php&.src=sbs&login=Cool6665&passwd=xxxx
> HTTP/1.0" 999 4445 "-" "-"
> 68.119.110.138 - - [30/Jan/2006:15:08:18 -0200] "GET 
>
http://216.109.126.252/config/login?.done=http://smallbusiness.yahoo.com/services/index.php&.src=sbs&login=Cooldrugs7&passwd=xxxx
> HTTP/1.0" 999 4445 "-" "-"
> 82.39.175.52 - - [30/Jan/2006:15:08:35 -0200] "GET 
>
http://l1.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=big_b_mt_biker&passwd=123456
> HTTP/1.0" 502 961 "-" "-"
> 80.144.212.33 - - [30/Jan/2006:15:08:43 -0200] "GET 
> http://www.995members.com/members/ HTTP/1.0" 401 472 
> "http://www.995members.com" "Mozilla/5.0 ( Windows; U;
Windows NT5.1;
> DigiExt )"
> 12.206.3.132 - - [30/Jan/2006:15:08:46 -0200] "GET 
>
http://us.a1.yimg.com/login.bjs.yahoo.com/config/login?login=big_g_&passwd=321liftoff
> HTTP/1.0" 200 4440 "http://www.yahoo.com/" "-"
> 84.109.4.111 - - [30/Jan/2006:15:08:51 -0200] "CONNECT
login.icq.com:443
> HTTP/1.0" 200 - "-" "-"
> 
> 
> 
> I guess that hacker is using my SERVR APACHE to PROXY.
Correct. The log provided show that. Looks like your host is already
known to a crowd of misusers or the one who found you is already using
several hosts to do his actions (see the originating IPs).
> Please, I need help urgent.
What do you expect? We don't know your Apache setup. Go through your
httpd.conf and included configuration files and deactivate proxying - or
at least make it secure if you need it for specific tasks.
> I stoped service HTTPD because it.
Good.
> Adriano
Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp 
Serendipity 18:21:38 up 56 days, 22:58, load average: 0.16, 0.16, 0.11 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Dies ist ein digital signierter Nachrichtenteil
URL:
<http://lists.centos.org/pipermail/centos/attachments/20060130/7905f069/attachment-0005.sig>

Les Mikesell

2006-Jan-30 17:37 UTC

head link

[CentOS] I guess hacker me - URGENT

On Mon, 2006-01-30 at 12:17, Adriano Frare wrote:> I use Centos 4.2 with all service pack installed. I verified traffic on 
> link WEB and I see port TCP 80 with many traffic.
> 
> I accessed lod /var/log/httpd/access_log and show below.
> 
> ca.com/members/index.php HTTP/1.0" 401 - 
> "http://members.sapphicerotica.com/members/index.php"
"Mozilla/5.0 (
> compatible; MSIE 5.01; Windows XP; NetCaptor )"
> 68.119.110.138 - - [30/Jan/2006:15:08:08 -0200] "GET 
>
http://211.115.101.253/config/login?.done=http://smallbusiness.yahoo.com/services/index.php&.src=sbs&login=NsyncAngel9&passwd=xxxx
> HTTP/1.0" 200 9794 "-" "-"
> 
> I guess that hacker is using my SERVR APACHE to PROXY.
The stock httpd.conf should have the
#ProxyRequests On
entry commented out as above.  If you need to have it enabled
you should control access with 'allow from' directives:
http://httpd.apache.org/docs/2.0/mod/mod_proxy.html

-- 
  Les Mikesell
   lesmikesell at gmail.com

Adriano Frare

2006-Jan-30 18:17 UTC

head link

[CentOS] I guess hacker me - URGENT

I use Centos 4.2 with all service pack installed. I verified traffic on 
link WEB and I see port TCP 80 with many traffic.

I accessed lod /var/log/httpd/access_log and show below.

ca.com/members/index.php HTTP/1.0" 401 - 
"http://members.sapphicerotica.com/members/index.php"
"Mozilla/5.0 (
compatible; MSIE 5.01; Windows XP; NetCaptor )"
68.119.110.138 - - [30/Jan/2006:15:08:08 -0200] "GET 
http://211.115.101.253/config/login?.done=http://smallbusiness.yahoo.com/services/index.php&.src=sbs&login=NsyncAngel9&passwd=xxxx
HTTP/1.0" 200 9794 "-" "-"
68.119.110.138 - - [30/Jan/2006:15:08:10 -0200] "GET 
http://211.115.101.253/config/login?.done=http://smallbusiness.yahoo.com/services/index.php&.src=sbs&login=CoolPimP2&passwd=xxxx
HTTP/1.0" 200 9786 "-" "-"
80.144.212.33 - - [30/Jan/2006:15:08:09 -0200] "GET 
http://www.995members.com/members/ HTTP/1.0" 401 472 
"http://www.995members.com" "Mozilla/5.0 ( Windows; U; Windows
NT5.1;
DigiExt )"
68.119.110.138 - - [30/Jan/2006:15:08:10 -0200] "GET 
http://211.115.101.253/config/login?.done=http://smallbusiness.yahoo.com/services/index.php&.src=sbs&login=Cool19999&passwd=xxxx
HTTP/1.0" 200 9786 "-" "-"
68.119.110.138 - - [30/Jan/2006:15:08:12 -0200] "GET 
http://211.115.101.253/config/login?.done=http://smallbusiness.yahoo.com/services/index.php&.src=sbs&login=COOL699&passwd=xxxx
HTTP/1.0" 200 9786 "-" "-"
68.119.110.138 - - [30/Jan/2006:15:08:13 -0200] "GET 
http://211.115.101.253/config/login?.done=http://smallbusiness.yahoo.com/services/index.php&.src=sbs&login=COOL696&passwd=xxxx
HTTP/1.0" 200 9786 "-" "-"
68.119.110.138 - - [30/Jan/2006:15:08:14 -0200] "GET 
http://211.115.101.253/config/login?.done=http://smallbusiness.yahoo.com/services/index.php&.src=sbs&login=Cool1875&passwd=xxxx
HTTP/1.0" 200 9786 "-" "-"
68.119.110.138 - - [30/Jan/2006:15:08:16 -0200] "GET 
http://216.109.126.252/config/login?.done=http://smallbusiness.yahoo.com/services/index.php&.src=sbs&login=Cool69_&passwd=xxxx
HTTP/1.0" 999 4445 "-" "-"
68.119.110.138 - - [30/Jan/2006:15:08:17 -0200] "GET 
http://216.109.126.252/config/login?.done=http://smallbusiness.yahoo.com/services/index.php&.src=sbs&login=Cool6665&passwd=xxxx
HTTP/1.0" 999 4445 "-" "-"
68.119.110.138 - - [30/Jan/2006:15:08:18 -0200] "GET 
http://216.109.126.252/config/login?.done=http://smallbusiness.yahoo.com/services/index.php&.src=sbs&login=Cooldrugs7&passwd=xxxx
HTTP/1.0" 999 4445 "-" "-"
82.39.175.52 - - [30/Jan/2006:15:08:35 -0200] "GET 
http://l1.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=big_b_mt_biker&passwd=123456
HTTP/1.0" 502 961 "-" "-"
80.144.212.33 - - [30/Jan/2006:15:08:43 -0200] "GET 
http://www.995members.com/members/ HTTP/1.0" 401 472 
"http://www.995members.com" "Mozilla/5.0 ( Windows; U; Windows
NT5.1;
DigiExt )"
12.206.3.132 - - [30/Jan/2006:15:08:46 -0200] "GET 
http://us.a1.yimg.com/login.bjs.yahoo.com/config/login?login=big_g_&passwd=321liftoff
HTTP/1.0" 200 4440 "http://www.yahoo.com/" "-"
84.109.4.111 - - [30/Jan/2006:15:08:51 -0200] "CONNECT login.icq.com:443 
HTTP/1.0" 200 - "-" "-"



I guess that hacker is using my SERVR APACHE to PROXY.


Please, I need help urgent.


I stoped service HTTPD because it.


Thanks

Adriano

Apparently Analagous Threads

Search for more apparently analagous threads

CentOS - Jan 2006 - I guess hacker me - URGENT

[CentOS] I guess hacker me - URGENT

[CentOS] I guess hacker me - URGENT

[CentOS] I guess hacker me - URGENT

Apparently Analagous Threads