Porn sites in httpd log??? hacked??

Discussion in 'Plesk 7.0 Troubleshooting and Problems' started by BillionNamesGod, Apr 28, 2004.

  1. I'm really baffled, I'm viewing the current log entries,
    and I'm seeing porn sites all over the place, that aren't on my server!!!

    I thought I had been hacked, and someone was hosting porn sites, on my server, but I think that isn't it.

    Then I noticed all domain.com/webstats are fully exposed!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    No passwords! Could that be a reason?

    help!!!!
     
  2. hardweb

    hardweb Guru

    Messages:
    3,558
    Webstats are exposed in the normal installation, but this doesn't explain it. Search the files you see in the logs on your server.
     
  3. not sure?

    Not sure what you mean, I'm just seeing URLS here:

    tail httpd.conf


    where are they coming from?
     
  4. Cranky

    Cranky Guru

    Messages:
    2,657
    Copy and paste an example.
     
  5. affiliates?

    This is really slowing down and killing the server, client sites are grinding to a halt - help!

    (Dual Xeon, 1GB RAM, RedHat, Plesk7) so if anyone can help or offer fix service please help me:

    It seems to be loads of different affiliate sites mostly porn:


    tail access_log:


    212.175.6.142 - - [29/Apr/2004:18:01:11 +0100] "CONNECT login.icq.com:443 HTTP/1.0" 200 - "-" "-"
    212.202.38.221 - - [29/Apr/2004:18:01:12 +0100] "CONNECT login.icq.com:443 HTTP/1.0" 200 - "-" "-"
    66.163.132.7 - - [29/Apr/2004:18:01:12 +0100] "GET http://l4.yahoo.com /config/login?&.done=http://pg1.yahoo.com/raw?dp=mail&login=doooo_129&passwd=lkjhgf&n=1 HTTP/1.0" 200 15929 "-" "-"
    68.62.27.19 - - [29/Apr/2004:18:01:12 +0100] "GET http://e7.msg.yahoo.com/config/login?.src=bl&login=killer_&passwd=abby&n=1 HTTP/1.0" 502 1019 "-" "-"
    218.80.78.175 - - [29/Apr/2004:18:01:13 +0100] "GET http://clickserve.cc-dt.com/link/banner?lid=41000000002080296 HTTP/1.0" 302 0 "http://www.arroundmedia.com" "Mozilla/4.0 (compatible; MSIE 5.02; Windows 98)"
    212.235.21.86 - - [29/Apr/2004:18:01:12 +0100] "CONNECT login.icq.com:443 HTTP/1.0" 200 - "-" "-"
    218.93.0.171 - - [29/Apr/2004:18:01:13 +0100] "GET http://impnl.tradedoubler.com/imp/img/160058/981671 HTTP/1.0" 302 254 "http://auto-vervoer.startkabel.nl/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
    66.115.201.197 - - [29/Apr/2004:18:01:13 +0100] "GET http://www.onlinepharmacyindex.com HTTP/1.0" 200 28226 "-" "-"
    65.240.163.10 - - [29/Apr/2004:18:01:14 +0100] "GET http://login.yahoo.com/config/login...er/pager2.shtml&login=gwilliams44&passwd=1234 HTTP/1.0" 999 1195 "-" "-"
    80.71.72.35 - - [29/Apr/2004:18:01:14 +0100] "GET http://www.adultfriendfinder.com/ HTTP/1.0" 200 30877 "-" "-"
    213.54.253.156 - - [29/Apr/2004:18:04:24 +0100] "GET http://www.modfxmodels.com/members/index HTTP/1.0" 302 325 "" "Mozilla/4.0"
    172.134.180.36 - - [29/Apr/2004:18:04:25 +0100] "GET http://login.europe.yahoo.com/confi.../pager2.shtml&login=SkA_gIrL420&passwd=pancho HTTP/1.0" 999 1195 "-" "-"
    67.15.6.71 - - [29/Apr/2004:17:49:52 +0100] "CONNECT 205.188.9.136:443 HTTP/1.0" 200 - "-" "-"
    217.57.192.164 - - [29/Apr/2004:18:04:25 +0100] "CONNECT login.icq.com:443 HTTP/1.0" 200 - "-" "-"
    67.172.20.68 - - [29/Apr/2004:18:04:35 +0100] "GET http:///config/login?.redir_from=PR...r/pager2.shtml&login=dragon_slayer829&passwd=! HTTP/1.0" 400 1002 "-" "-"
    66.115.201.197 - - [29/Apr/2004:18:04:20 +0100] "GET http://data.alexa.com/data/Pq3b012e...=0&vis=1&rq=0&url=http://www.hotbeachboys.com HTTP/1.0" 200 318 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Alexa Toolbar)"
    24.229.128.200 - - [29/Apr/2004:18:04:25 +0100] "HEAD http://www.titanicxxx.com/titanic/index.html HTTP/1.0" 200 0 "http://www.titanicxxx.com/titanic/index.html" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows 98; athome0107 )"
    68.41.5.187 - - [29/Apr/2004:18:04:36 +0100] "GET www.mikewhitty.com HTTP/1.0" 400 1017 "-" "-"
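The tell-tale sign in the excerpt above is not which sites appear but the shape of the request lines: `CONNECT host:443` and `GET http://some-other-host/...` are what a forward proxy logs, not what a normal virtual host logs (a normal request is `GET /path`). Clients on the internet have found that this Apache answers proxy requests for any host and are routing their traffic through it, which is why foreign domains fill the log and the box is grinding. The following script is an added example, not code from the thread or from Plesk: it parses combined-format access_log lines and counts requests that look like proxy use, per client IP and per foreign host. The sample lines are constructed to mirror the excerpt (hosts replaced with example domains, no credentials), and `HOSTED_DOMAINS` is an assumed list of the domains the server legitimately serves, which on a Plesk box would come from the domain list in the admin panel.

```python
import re
import sys
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines modelled on the thread's excerpt (example hosts, no credentials).
SAMPLE_LOG = """\
203.0.113.10 - - [29/Apr/2004:18:01:11 +0100] "CONNECT login.example.net:443 HTTP/1.0" 200 - "-" "-"
203.0.113.10 - - [29/Apr/2004:18:01:12 +0100] "CONNECT login.example.net:443 HTTP/1.0" 200 - "-" "-"
198.51.100.7 - - [29/Apr/2004:18:01:12 +0100] "GET http://ads.example.org/banner?id=1 HTTP/1.0" 302 0 "-" "Mozilla/4.0"
198.51.100.7 - - [29/Apr/2004:18:01:13 +0100] "GET http://shop.example.org/ HTTP/1.0" 200 28226 "-" "-"
192.0.2.55 - - [29/Apr/2004:18:04:24 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.55 - - [29/Apr/2004:18:04:25 +0100] "GET http://www.hosted-site.example/webstats/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.99 - - [29/Apr/2004:18:04:36 +0100] "GET www.example.com HTTP/1.0" 400 1017 "-" "-"
"""

# Assumption: the domains this server actually hosts (on Plesk, the admin panel's domain list).
HOSTED_DOMAINS = {"hosted-site.example", "www.hosted-site.example"}

# Combined log format: client ip, ident, user, [timestamp], "METHOD target HTTP/x.y", status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def classify(line):
    """Return (client_ip, kind, target) or None if the line does not parse.

    kind is 'connect'   for CONNECT tunnels (proxy evidence),
            'proxy-get' for absolute URLs whose host is not one we serve (proxy evidence),
            'other'     for ordinary requests to this server (or malformed ones).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, target = m.group("ip"), m.group("method"), m.group("target")
    if method == "CONNECT":
        return ip, "connect", target.split(":")[0]
    if "://" in target:
        host = (urlsplit(target).hostname or "").lower()
        if host not in HOSTED_DOMAINS:
            return ip, "proxy-get", host
    return ip, "other", target


def summarize(log_text):
    """Count proxy-style requests per client IP and per foreign host across a log."""
    by_ip, hosts, total = Counter(), Counter(), 0
    for line in log_text.splitlines():
        parsed = classify(line)
        if parsed is None:
            continue
        total += 1
        ip, kind, target = parsed
        if kind in ("connect", "proxy-get"):
            by_ip[ip] += 1
            hosts[target] += 1
    return {"total": total, "proxied": sum(by_ip.values()), "by_ip": by_ip, "hosts": hosts}


def report(summary):
    """Render the summary as a few lines suitable for a terminal."""
    lines = [f"{summary['proxied']} of {summary['total']} requests look like proxy use"]
    lines += [f"  client {ip}: {n}" for ip, n in summary["by_ip"].most_common(10)]
    lines += [f"  host {h}: {n}" for h, n in summary["hosts"].most_common(10)]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python proxy_check.py /path/to/access_log   (no argument: run on the sample lines)
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(summarize(text)))
```

A high `proxied` count confirms the server is being used as an open proxy rather than hosting the sites in question. On Apache that behaviour comes from mod_proxy with `ProxyRequests On` somewhere in httpd.conf or an included file (on Plesk, httpd.include is worth checking, as the later reply suggests); setting `ProxyRequests Off` and restarting Apache stops the forward proxying, after which the foreign-host lines should disappear from the log and the load should drop.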
     
  6. Experience

    Has anyone experienced this problem before?
    Seems really really odd! Slowing the server right down!

    Is there any diagnostic tools available?
     
  7. help

    Are there any UK Plesk sysadmins that can help me here?
     
  8. cyberdude

    cyberdude Kilo Poster

    Messages:
    60
    What version of Linux are you using, 7.3 or 9?
     
  9. EnigmaX

    EnigmaX Tera Poster

    Messages:
    381
    check again

    Like the prev. post: check your admin end of Plesk and see
    what domains you have and how many, then check your
    httpd.conf and see if there are any there, or httpd.include.

    Maybe you didn't get hacked and you got a user that
    uploaded a site that's porn and got massive hits?

    You should check out and install tripwire and
    some other tools like chkrootkit or other security stuff.
    But if your machine is compromised already the tools are
    useless.

    Did you keep your box updated (up2date) or yum?
    And again, what OS version are you running, Plesk and such?
     
