#1 (permalink)
01-08-2009, 02:15 PM
sleepy22 (WebProWorld New Member)
Log concerns

Hello,

Please see the log entries below. I am a low-tech webmaster. They look suspicious in that the GET commands seem to be looking where they ought not to. How can I block these types of commands please?

67.159.44.179 - - [08/Jan/2009:09:45:52 -0500] "GET /nonexistenshit HTTP/1.1" 301 325 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
67.159.44.179 - - [08/Jan/2009:09:45:53 -0500] "GET /mail/bin/msgimport HTTP/1.1" 301 329 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
67.159.44.179 - - [08/Jan/2009:09:45:53 -0500] "GET /bin/msgimport HTTP/1.1" 301 324 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
67.159.44.179 - - [08/Jan/2009:09:45:53 -0500] "GET /rc/bin/msgimport HTTP/1.1" 301 327 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
67.159.44.179 - - [08/Jan/2009:09:45:53 -0500] "GET /roundcube/bin/msgimport HTTP/1.1" 301 334 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
67.159.44.179 - - [08/Jan/2009:09:45:53 -0500] "GET /webmail/bin/msgimport HTTP/1.1" 301 332 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
209.160.20.37 - - [08/Jan/2009:10:22:46 -0500] "GET / HTTP/1.1" 200 18170 "-" "PycURL/7.18.0"
66.249.67.106 - - [08/Jan/2009:10:32:35 -0500] "GET /images/ID-Theft.jpg HTTP/1.1" 304 - "-" "Googlebot-Image/1.0"
92.48.127.158 - - [08/Jan/2009:10:34:34 -0500] "GET /nonexistenshit HTTP/1.1" 301 325 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
92.48.127.158 - - [08/Jan/2009:10:34:34 -0500] "GET /mail/bin/msgimport HTTP/1.1" 301 329 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
92.48.127.158 - - [08/Jan/2009:10:34:35 -0500] "GET /bin/msgimport HTTP/1.1" 301 324 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
92.48.127.158 - - [08/Jan/2009:10:34:35 -0500] "GET /rc/bin/msgimport HTTP/1.1" 301 327 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
92.48.127.158 - - [08/Jan/2009:10:34:36 -0500] "GET /roundcube/bin/msgimport HTTP/1.1" 301 334 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
92.48.127.158 - - [08/Jan/2009:10:34:36 -0500] "GET /webmail/bin/msgimport HTTP/1.1" 301 332 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
88.198.252.124 - - [08/Jan/2009:10:51:39 -0500] "GET /essay_internet_defamation_libel.html HTTP/1.1" 206 32214 "http://www.cjb.net/" "CJB.NET"
65.55.217.43 - - [08/Jan/2009:11:26:04 -0500] "GET /robots.txt HTTP/1.1" 404 8301 "-" "msnbot-media/1.1 (+http://search.msn.com/msnbot.htm)"
65.55.217.43 - - [08/Jan/2009:11:26:04 -0500] "GET /index.html HTTP/1.1" 200 18170 "-" "msnbot-media/1.1 (+http://search.msn.com/msnbot.htm)"
67.215.231.250 - - [08/Jan/2009:11:31:36 -0500] "GET /nonexistenshit HTTP/1.1" 301 325 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
67.215.231.250 - - [08/Jan/2009:11:31:36 -0500] "GET /mail/bin/msgimport HTTP/1.1" 301 329 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
67.215.231.250 - - [08/Jan/2009:11:31:36 -0500] "GET /bin/msgimport HTTP/1.1" 301 324 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
67.215.231.250 - - [08/Jan/2009:11:31:36 -0500] "GET /rc/bin/msgimport HTTP/1.1" 301 327 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
67.215.231.250 - - [08/Jan/2009:11:31:36 -0500] "GET /roundcube/bin/msgimport HTTP/1.1" 301 334 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
67.215.231.250 - - [08/Jan/2009:11:31:40 -0500] "GET /webmail/bin/msgimport HTTP/1.1" 301 332 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
119.63.193.56 - - [08/Jan/2009:11:35:59 -0500] "GET /robots.txt HTTP/1.1" 404 8301 "-" "Baiduspider+(+http://www.baidu.com/search/spider_jp.html)"
61.19.246.92 - - [08/Jan/2009:11:43:46 -0500] "GET /nonexistenshit HTTP/1.1" 301 325 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
61.19.246.92 - - [08/Jan/2009:11:43:47 -0500] "GET /mail/bin/msgimport HTTP/1.1" 301 329 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
61.19.246.92 - - [08/Jan/2009:11:43:47 -0500] "GET /bin/msgimport HTTP/1.1" 301 324 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
61.19.246.92 - - [08/Jan/2009:11:43:48 -0500] "GET /rc/bin/msgimport HTTP/1.1" 301 327 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
61.19.246.92 - - [08/Jan/2009:11:43:48 -0500] "GET /roundcube/bin/msgimport HTTP/1.1" 301 334 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
61.19.246.92 - - [08/Jan/2009:11:43:49 -0500] "GET /webmail/bin/msgimport HTTP/1.1" 301 332 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
89.149.209.98 - - [08/Jan/2009:11:45:58 -0500] "GET /nonexistenshit HTTP/1.1" 301 325 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
89.149.209.98 - - [08/Jan/2009:11:45:58 -0500] "GET /mail/bin/msgimport HTTP/1.1" 301 329 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
89.149.209.98 - - [08/Jan/2009:11:45:58 -0500] "GET /bin/msgimport HTTP/1.1" 301 324 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
89.149.209.98 - - [08/Jan/2009:11:45:58 -0500] "GET /rc/bin/msgimport HTTP/1.1" 301 327 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
89.149.209.98 - - [08/Jan/2009:11:45:59 -0500] "GET /roundcube/bin/msgimport HTTP/1.1" 301 334 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
89.149.209.98 - - [08/Jan/2009:11:45:59 -0500] "GET /webmail/bin/msgimport HTTP/1.1" 301 332 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
92.48.203.116 - - [08/Jan/2009:12:20:50 -0500] "GET /contact.html HTTP/1.1" 200 52018 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
92.48.203.116 - - [08/Jan/2009:12:20:51 -0500] "POST /PHPMailer.php HTTP/1.1" 200 7768 "http://www.rexxfield.com/contact.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
92.48.203.116 - - [08/Jan/2009:12:20:52 -0500] "GET /PHPMailer.php HTTP/1.1" 200 6795 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
92.48.203.116 - - [08/Jan/2009:12:20:53 -0500] "GET /contact.html HTTP/1.1" 200 52018 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

Last edited by wige; 01-08-2009 at 02:19 PM.

#2 (permalink)
01-08-2009, 02:23 PM
wige (WebProWorld Moderator)
Re: Log concerns

It's a scan, attempting to find and exploit a zero-day vulnerability (just discovered either today or yesterday) in a system called Roundcube, a mailing system used by some web servers. If you don't have Roundcube, you are fine. Otherwise, update your installation. Now.

Go here for some additional information: http://www.webhostingtalk.com/showthread.php?p=5491823. There does not seem to be much info available right now, except that Roundcube detection just got added to a lot of botnets. It is being theorized that Roundcube might be a platform that might be used to launch attacks against scripts in the /bin/ folder, to gain privileges on target servers.
__________________
The best way to learn anything, is to question everything.

Last edited by wige; 01-08-2009 at 02:29 PM.
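
A detection sketch for the scan discussed in this thread, added here as an example and not part of either post: it parses Apache combined-format lines, groups the `/bin/msgimport` probes by client, and separates probes that were actually served (2xx) from those that were not. The names `find_probers`, `PROBE_SUFFIX` and `SAMPLE_LOG` are assumptions of this example, and the `192.0.2.10` entries are constructed.

```python
import re
from collections import defaultdict

# Apache combined log: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
PROBE_SUFFIX = "/bin/msgimport"  # suffix requested by the scan in the posted log

# Constructed sample: entries shortened from the thread's log, plus one invented
# client (192.0.2.10, a documentation address) that receives a 200.
SAMPLE_LOG = """\
67.159.44.179 - - [08/Jan/2009:09:45:52 -0500] "GET /nonexistenshit HTTP/1.1" 301 325 "-" "Mozilla/5.0"
67.159.44.179 - - [08/Jan/2009:09:45:53 -0500] "GET /mail/bin/msgimport HTTP/1.1" 301 329 "-" "Mozilla/5.0"
67.159.44.179 - - [08/Jan/2009:09:45:53 -0500] "GET /bin/msgimport HTTP/1.1" 301 324 "-" "Mozilla/5.0"
67.159.44.179 - - [08/Jan/2009:09:45:53 -0500] "GET /rc/bin/msgimport HTTP/1.1" 301 327 "-" "Mozilla/5.0"
66.249.67.106 - - [08/Jan/2009:10:32:35 -0500] "GET /images/ID-Theft.jpg HTTP/1.1" 304 - "-" "Googlebot-Image/1.0"
192.0.2.10 - - [08/Jan/2009:12:00:00 -0500] "GET /webmail/bin/msgimport HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [08/Jan/2009:12:00:01 -0500] "GET /roundcube/bin/msgimport HTTP/1.1" 404 300 "-" "Mozilla/5.0"
"""

def find_probers(log_text, min_paths=2):
    """Map each scanning client to the probe paths it tried and those served.

    A client is reported when it requested PROBE_SUFFIX under at least
    min_paths different directories. "served" holds probes answered 2xx,
    i.e. paths where something actually exists and needs checking.
    """
    tried, served = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if not path.endswith(PROBE_SUFFIX):
            continue
        tried[m.group("ip")].add(path)
        if m.group("status").startswith("2"):
            served[m.group("ip")].add(path)
    return {ip: {"tried": sorted(p), "served": sorted(served[ip])}
            for ip, p in tried.items() if len(p) >= min_paths}

if __name__ == "__main__":
    for ip, result in find_probers(SAMPLE_LOG).items():
        print(ip, result)
```

An empty `served` list for every client means none of the probed paths returned content; a non-empty one points at a path worth checking for a Roundcube installation.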