Guest, posted January 8, 2009

While checking my server logs as I do each morning I came across this below. I was wondering if this is a coordinated attack as the same file was tried from different IPs even though the times are different.

[Thu Jan 08 00:13:20 2009] [error] [client 217.113.52.248] File does not exist: C:/htdocs/mystorename/nonexistenshit
[Thu Jan 08 00:19:18 2009] [error] [client 216.129.125.28] File does not exist: C:/htdocs/mystorename/nonexistenshit
[Thu Jan 08 00:28:27 2009] [error] [client 74.222.1.158] File does not exist: C:/htdocs/mystorename/nonexistenshit
[Thu Jan 08 00:34:53 2009] [error] [client 89.203.161.188] File does not exist: C:/htdocs/mystorename/nonexistenshit
[Thu Jan 08 00:38:32 2009] [error] [client 89.203.161.188] File does not exist: C:/htdocs/mystorename/nonexistenshit
[Thu Jan 08 00:42:59 2009] [error] [client 89.203.161.188] File does not exist: C:/htdocs/mystorename/nonexistenshit
[Thu Jan 08 00:46:38 2009] [error] [client 89.203.161.188] File does not exist: C:/htdocs/mystorename/nonexistenshit
[Thu Jan 08 01:08:37 2009] [error] [client 212.95.48.30] File does not exist: C:/htdocs/mystorename/nonexistenshit
[Thu Jan 08 02:07:46 2009] [error] [client 66.79.168.134] File does not exist: C:/htdocs/mystorename/nonexistenshit
[Thu Jan 08 02:19:39 2009] [error] [client 78.109.28.160] File does not exist: C:/htdocs/mystorename/nonexistenshit
[Thu Jan 08 03:32:59 2009] [error] [client 89.149.242.52] File does not exist: C:/htdocs/mystorename/nonexistenshit
[Thu Jan 08 03:38:14 2009] [error] [client 87.233.176.109] File does not exist: C:/htdocs/mystorename/nonexistenshit
[Thu Jan 08 03:40:13 2009] [error] [client 94.102.51.155] File does not exist: C:/htdocs/mystorename/nonexistenshit
[Thu Jan 08 04:08:25 2009] [error] [client 89.111.189.123] File does not exist: C:/htdocs/mystorename/nonexistenshit
[Thu Jan 08 04:16:49 2009] [error] [client 38.103.144.26] File does not exist: C:/htdocs/mystorename/nonexistenshit
[Thu Jan 08 04:53:08 2009] [error] [client 85.112.3.83] File does not exist: C:/htdocs/mystorename/nonexistenshit
[Thu Jan 08 05:13:15 2009] [error] [client 217.157.240.82] File does not exist: C:/htdocs/mystorename/nonexistenshit
[Thu Jan 08 05:35:42 2009] [error] [client 87.98.222.87] File does not exist: C:/htdocs/mystorename/nonexistenshit
[Thu Jan 08 05:40:40 2009] [error] [client 87.98.222.87] File does not exist: C:/htdocs/mystorename/nonexistenshit
[Thu Jan 08 05:50:29 2009] [error] [client 67.85.15.11] File does not exist: C:/htdocs/mystorename/nonexistenshit

Doing a whois on a few of them shows they are from all over: Russian Federation, United States, Spain, Denmark, France

Thanks

grunionfab, posted January 10, 2009

I have been getting this message along with others

64.85.167.248 - - [08/Jan/2009:15:13:52 +0530] "GET /nonexistenshit HTTP/1.1" 404 287 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
64.85.167.248 - - [08/Jan/2009:15:13:52 +0530] "GET /mail/bin/msgimport HTTP/1.1" 404 291 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
64.85.167.248 - - [08/Jan/2009:15:13:53 +0530] "GET /bin/msgimport HTTP/1.1" 404 286 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
64.85.167.248 - - [08/Jan/2009:15:13:54 +0530] "GET /rc/bin/msgimport HTTP/1.1" 404 289 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
64.85.167.248 - - [08/Jan/2009:15:13:55 +0530] "GET /roundcube/bin/msgimport HTTP/1.1" 404 296 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
64.85.167.248 - - [08/Jan/2009:15:13:56 +0530] "GET /webmail/bin/msgimport HTTP/1.1" 404 294 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
78.41.239.131 - - [08/Jan/2009:15:23:25 +0530] "GET /nonexistenshit HTTP/1.1" 404 287 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
78.41.239.131 - - [08/Jan/2009:15:23:26 +0530] "GET /mail/bin/msgimport HTTP/1.1" 404 291 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"

They say it is a vulnerability in roundcube.... http://www.webhostingtalk.com/showthread.php?p=5492684
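
Added example, not part of any post in this thread: a small log check for the pattern both posters describe, the same missing path requested by many unrelated clients. It reads both log formats shown above (Apache error log and combined access log); the function names, the `min_clients` threshold and the sample lines (documentation-range addresses) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Apache error log: [date] [error] [client IP] File does not exist: <filesystem path>
ERROR_RE = re.compile(r"\[client (?P<ip>[\d.]+)\] File does not exist: (?P<path>\S+)")
# Combined access log: IP - - [date] "METHOD /path HTTP/x" status size ...
ACCESS_RE = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def missing_hits(lines, docroot=""):
    """Yield (client_ip, url_path) for each request that hit a missing file."""
    for line in lines:
        m = ERROR_RE.search(line)
        if m:
            path = m["path"]
            # Strip the document root so error-log and access-log paths compare equal.
            if docroot and path.startswith(docroot):
                path = path[len(docroot):]
            yield m["ip"], path
            continue
        m = ACCESS_RE.match(line)
        if m and m["status"] == "404":
            yield m["ip"], m["path"]

def shared_probes(lines, docroot="", min_clients=3):
    """Map each missing path to its client IPs when at least min_clients distinct IPs asked for it."""
    clients = defaultdict(set)
    for ip, path in missing_hits(lines, docroot):
        clients[path].add(ip)
    return {p: sorted(ips) for p, ips in clients.items() if len(ips) >= min_clients}

# Constructed sample lines in the two formats quoted in the thread.
SAMPLE = [
    "[Thu Jan 08 00:13:20 2009] [error] [client 192.0.2.10] File does not exist: "
    "C:/htdocs/mystorename/nonexistenshit",
    "[Thu Jan 08 00:19:18 2009] [error] [client 198.51.100.7] File does not exist: "
    "C:/htdocs/mystorename/nonexistenshit",
    '203.0.113.5 - - [08/Jan/2009:15:13:52 +0530] "GET /nonexistenshit HTTP/1.1" 404 287 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Jan/2009:15:13:52 +0530] "GET /mail/bin/msgimport HTTP/1.1" 404 291 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [08/Jan/2009:15:20:00 +0530] "GET /favicon.ico HTTP/1.1" 404 280 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [08/Jan/2009:15:20:01 +0530] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for path, ips in shared_probes(SAMPLE, docroot="C:/htdocs/mystorename").items():
        print(f"{path}: {len(ips)} distinct clients -> {', '.join(ips)}")
```

A one-off 404 such as a missing favicon stays below the threshold, while a probe path shared across clients is reported with the addresses that requested it.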

Guest, posted January 11, 2009

Thanks for reply. .Joel had given me the remedy yesterday via PM. I just got time to post back. The answer is on page 4 of that link above.

mrgbd, posted February 13, 2009

> Thanks for reply. .Joel had given me the remedy yesterday via PM. I just got time to post back. The answer is on page 4 of that link above.

Albeit this is a bit older now but here's how I handled it at the time using instructions from here: http://www.microdevsys.com/WordPress/2009/...alicious-scans/

I've stumbled on this earlier, which worked out great for me for all sorts of issues like these. Besides the already mentioned suggestions, ModSecurity can take care of the issue for you as it happens so you could give it a shot. This will give you some long term protection as well for any such future problems while you work on patching your app.

Regards,

Archived
This topic is now archived and is closed to further replies.