RE: Hack IspcpOmega version 1.0.5 - theprincy - 04-20-2010 04:03 AM
ispcp does not perform a database backup? It only does the files in /etc/ispcp and /var/www/ispcp?
RE: possible Hack ispCP 1.0.5 - joximu - 04-20-2010 05:58 PM
ls -la /var/www/ispcp/backups/
you don't have *.sql.* files in there? I do.
So maybe there were problems during backup of the ispcp database...
/J
RE: possible Hack ispCP 1.0.5 - sakal - 04-20-2010 10:14 PM
SQL backup: today's file, for example, looks like: ispcp-2010.04.20-000008.sql.bz2
RE: possible Hack ispCP 1.0.5 - theprincy - 04-21-2010 01:39 AM
(04-20-2010 05:58 PM)joximu Wrote: ls -la /var/www/ispcp/backups/
you don't have *.sql.* files in there? I do.
So maybe there were problems during backup of the ispcp database...
/J
It only does the files for /etc/ispcp and /var/www/ispcp ...
uff
RE: possible Hack ispCP 1.0.5 - tomdooley - 04-21-2010 05:11 AM
Quote:Apache/2.2.3 (Debian) PHP/4.4.4-8+etch6 mod_perl/2.0.2 Perl/v5.8.8 Server at http://www.gruppocarige.it.ssl.cx Port 80
Hmmm, Debian Etch? Why PHP4? That's not the ispCP default setup.
What's the kernel release? I hope Etch-n-half...
Any changes made to master php.ini?
BTW 1: I would prefer to use PHP 5.
BTW 2: I would prefer to upgrade to Lenny, because Etch is no longer maintained.
RE: possible Hack ispCP 1.0.5 - tomdooley - 04-21-2010 07:10 AM
Quote: 24 -rwxrwxrwx 1 root root 22027 Mar 29 06:27 g.php
Files of ispCP are from 13-Apr-2010. Suspected files are from 29-Mar-2010. The files have owner "root". If ispCP did/does have a soft-bug, the files should have the owner "vu2000" or "www-data" / "wwwrun".
If you are unblamable, you should completely reinstall the server, because there are actually still fake banking login forms on your server (thanks to Benedikt).
Also note that you should use a current distribution and always update to the newest packages (apt-get update && apt-get upgrade). ispCP does not free you from administration of your server.
RE: possible Hack ispCP 1.0.5 - theprincy - 04-21-2010 05:26 PM
(04-21-2010 05:11 AM)tomdooley Wrote: Quote:Apache/2.2.3 (Debian) PHP/4.4.4-8+etch6 mod_perl/2.0.2 Perl/v5.8.8 Server at http://www.gruppocarige.it.ssl.cx Port 80
Hmmm, Debian Etch? Why PHP4? That's not the ispCP default setup.
It is a redirect from my server.
(04-21-2010 07:10 AM)tomdooley Wrote: Quote: 24 -rwxrwxrwx 1 root root 22027 Mar 29 06:27 g.php
Files of ispCP are from 13-Apr-2010. Suspected files are from 29-Mar-2010. The files have owner "root". If ispCP did/does have a soft-bug, the files should have the owner "vu2000" or "www-data" / "wwwrun".
If you are unblamable, you should completely reinstall the server, because there are actually still fake banking login forms on your server (thanks to Benedikt).
Also note that you should use a current distribution and always update to the newest packages (apt-get update && apt-get upgrade). ispCP does not free you from administration of your server.
I use Lenny; the Etch version is the server where the redirect goes. In practice the index.php file of ispCP was a redirect to that server.
RE: possible Hack ispCP 1.0.5 - gOOvER - 04-21-2010 05:30 PM
Is this really ispCP or ISPConfig? I ask this because in your IMAP threads it's ISPConfig.
RE: possible Hack ispCP 1.0.5 - theprincy - 04-21-2010 08:00 PM
(04-21-2010 05:30 PM)gOOvER Wrote: Is this really ispCP or ISPConfig? I ask this because in your IMAP threads it's ISPConfig.
It is ispCP; I only use ispCP, which I find very good (although it should improve a bit, it is making great steps; unfortunately I do not know programming well, otherwise I would have given a hand). Webmin was installed first; ISPConfig I honestly do not remember having installed on that server, but I found some of its folders.
The only thing is that you cannot verify where they came from, because they deleted the server logs.
(04-21-2010 08:00 PM)theprincy Wrote: (04-21-2010 05:30 PM)gOOvER Wrote: Is this really ispCP or ISPConfig? I ask this because in your IMAP threads it's ISPConfig.
It is ispCP; I only use ispCP, which I find very good (although it should improve a bit, it is making great steps; unfortunately I do not know programming well, otherwise I would have given a hand). Webmin was installed first; ISPConfig I honestly do not remember having installed on that server, but I found some of its folders.
The only thing is that you cannot verify where they came from, because they deleted the server logs.
The only log is admin.mobile-we.....-access.log
Code:
93.65.200.211 - - [19/Apr/2010:14:03:24 +0200] "GET /pma/themes/omega/img/b_docs.png HTTP/1.1" 200 761 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:24 +0200] "GET /pma/themes/omega/img/b_home.png HTTP/1.1" 200 621 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:24 +0200] "GET /pma/themes/omega/img/s_notice.png HTTP/1.1" 200 1063 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:24 +0200] "GET /pma/js/mooRainbow/images/moor_arrows.gif HTTP/1.1" 200 94 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.307$
93.65.200.211 - - [19/Apr/2010:14:03:24 +0200] "GET /pma/js/mooRainbow/images/moor_woverlay.png HTTP/1.1" 200 768 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.$
93.65.200.211 - - [19/Apr/2010:14:03:24 +0200] "GET /pma/js/mooRainbow/images/moor_boverlay.png HTTP/1.1" 200 799 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.$
93.65.200.211 - - [19/Apr/2010:14:03:24 +0200] "GET /pma/js/mooRainbow/images/moor_cursor.gif HTTP/1.1" 200 80 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.307$
109.113.181.146 - - [19/Apr/2010:14:03:28 +0200] "POST /blog/wp-admin/admin-ajax.php HTTP/1.1" 404 465 "http://www.unica-web-agency.com/blog/wp-admin/post-new.php" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; it; rv$
93.65.200.211 - - [19/Apr/2010:14:03:30 +0200] "GET /pma/index.php?db=ispcp&token=4baf645d071088a26dbb72e1f26dd210 HTTP/1.1" 200 1001 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/$
93.65.200.211 - - [19/Apr/2010:14:03:31 +0200] "GET /pma/js/common.js HTTP/1.1" 200 13228 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:31 +0200] "GET /pma/favicon.ico HTTP/1.1" 200 18902 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:31 +0200] "GET /pma/favicon.ico HTTP/1.1" 200 18902 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:31 +0200] "GET /pma/navigation.php?token=4baf645d071088a26dbb72e1f26dd210&db=ispcp HTTP/1.1" 200 3960 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Fir$
93.65.200.211 - - [19/Apr/2010:14:03:32 +0200] "GET /pma/js/navigation.js HTTP/1.1" 200 4870 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:32 +0200] "GET /pma/phpmyadmin.css.php?token=4baf645d071088a26dbb72e1f26dd210&js_frame=left&nocache=3815033894 HTTP/1.1" 200 5030 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv$
93.65.200.211 - - [19/Apr/2010:14:03:32 +0200] "GET /pma/js/functions.js HTTP/1.1" 200 58852 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:32 +0200] "GET /pma/themes/omega/img/b_sbrowse.png HTTP/1.1" 200 550 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:31 +0200] "GET /pma/db_structure.php?token=4baf645d071088a26dbb72e1f26dd210&db=ispcp HTTP/1.1" 200 6900 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 F$
93.65.200.211 - - [19/Apr/2010:14:03:33 +0200] "GET /pma/themes/omega/img/wbg_left.jpg HTTP/1.1" 200 528 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:33 +0200] "GET /pma/themes/omega/img/logo_left.png HTTP/1.1" 200 11249 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:33 +0200] "GET /pma/themes/omega/img/b_home.png HTTP/1.1" 200 621 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:33 +0200] "GET /pma/themes/omega/img/s_loggoff.png HTTP/1.1" 200 768 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:33 +0200] "GET /pma/themes/omega/img/b_selboard.png HTTP/1.1" 200 874 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:33 +0200] "GET /pma/print.css HTTP/1.1" 200 1063 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:33 +0200] "GET /pma/js/mootools.js HTTP/1.1" 200 92584 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:33 +0200] "GET /pma/js/functions.js HTTP/1.1" 200 58852 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:33 +0200] "GET /pma/phpmyadmin.css.php?token=4baf645d071088a26dbb72e1f26dd210&js_frame=right&nocache=3815033894 HTTP/1.1" 200 27490 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; $
93.65.200.211 - - [19/Apr/2010:14:03:33 +0200] "GET /pma/js/tooltip.js HTTP/1.1" 200 5441 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:33 +0200] "GET /pma/themes/omega/img/b_docs.png HTTP/1.1" 200 761 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:33 +0200] "GET /pma/themes/omega/img/b_sqlhelp.png HTTP/1.1" 200 3068 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
216.104.15.142 - - [19/Apr/2010:14:03:33 +0200] "GET /x3.php HTTP/1.0" 404 773 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
93.65.200.211 - - [19/Apr/2010:14:03:33 +0200] "GET /pma/themes/omega/img/b_props.png HTTP/1.1" 200 841 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:33 +0200] "GET /pma/themes/omega/img/b_search.png HTTP/1.1" 200 822 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:33 +0200] "GET /pma/themes/omega/img/b_tblops.png HTTP/1.1" 200 504 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:33 +0200] "GET /pma/themes/omega/img/b_deltbl.png HTTP/1.1" 200 664 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:34 +0200] "GET /pma/themes/omega/img/s_asc.png HTTP/1.1" 200 372 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:34 +0200] "GET /pma/themes/omega/img/b_browse.png HTTP/1.1" 200 993 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
and
216.104.15.142 - - [19/Apr/2010:14:03:33 +0200] "GET /x3.php HTTP/1.0" 404 773 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
x3.php is one of the files in the ispcp folder. I'm seeing if I can retrieve an FTP log file to verify the situation; the log files access.log and error.log are not present.
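Two checks come up in this thread: tomdooley's point that the suspect files (g.php, x3.php) are root-owned and world-writable while ispCP's own files would belong to vu2000 or www-data, and the question of who requested x3.php according to the surviving access log. The script below is an added example, not ispCP's code or anything posted in the thread; it parses an `ls -la` listing for out-of-place owners and modes, then pulls every access-log request for the flagged names, 404s included. The listing lines, log lines and TEST-NET addresses are constructed, and the expected-owner set is taken from tomdooley's post.

```python
"""Added example (not ispCP code) for two checks the thread raises: flag `ls -la` entries whose
owner or mode is out of place for a web root, then pull every access-log request for those names."""
import re
from posixpath import basename

EXPECTED_OWNERS = {"vu2000", "www-data", "wwwrun"}  # per the thread; "root" is not expected
# `ls -la` line, optionally led by an `ls -s` block count as in the quoted "24 -rwxrwxrwx ..."
LS_RE = re.compile(r'^(?:\d+\s+)?(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+\S+\s+'
                   r'\d+\s+\w+\s+\d+\s+\S+\s+(?P<name>.+)$')
# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) '
                    r'HTTP/\d\.\d" (?P<status>\d{3}) (?:\d+|-) "[^"]*" "(?P<ua>[^"]*)"$')

def flag_listing(ls_lines):
    """{name: reasons} for entries with an unexpected owner or a world-writable mode."""
    flagged = {}
    for m in filter(None, (LS_RE.match(l.strip()) for l in ls_lines)):
        reasons = []
        if m["owner"] not in EXPECTED_OWNERS:
            reasons.append("owner=" + m["owner"])
        if m["mode"][8] == "w":  # 'other' write bit: any local account can edit the file
            reasons.append("world-writable")
        if reasons:
            flagged[m["name"]] = reasons
    return flagged

def parse_combined(line):
    """Parsed fields, or None when the line does not match (e.g. cut off with a trailing '$')."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    # the path without its ?token=... query string, so basename() sees only the file name
    return {"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]), "path": m["target"].split("?", 1)[0]}

def triage(log_lines, names):
    """{name: [(ip, ts, path, status)]} for requests naming a flagged file (404s included, since
    they show who probed for the name), plus the count of lines that could not be parsed."""
    hits, unparsed = {}, 0
    for rec in map(parse_combined, log_lines):
        if rec is None:
            unparsed += 1
        elif basename(rec["path"]) in names:
            hits.setdefault(basename(rec["path"]), []).append(
                (rec["ip"], rec["ts"], rec["path"], rec["status"]))
    return hits, unparsed

# Constructed samples (TEST-NET addresses), not the poster's listing or log.
SAMPLE_LS = ["24 -rwxrwxrwx 1 root   root   22027 Mar 29 06:27 g.php",
             "16 -rw-r--r-- 1 root   root   14250 Mar 29 06:27 x3.php"]
SAMPLE_LOG = ['203.0.113.5 - - [19/Apr/2010:14:03:33 +0200] "GET /x3.php HTTP/1.0" 404 773 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
              '203.0.113.5 - - [19/Apr/2010:14:05:01 +0200] "POST /ispcp/x3.php HTTP/1.0" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
              '198.51.100.7 - - [19/Apr/2010:14:03:31 +0200] "GET /pma/js/common.js HTTP/1.1" 200 13228 "-" "Mozilla/5.0 (Windows; it; rv$']
```

Run `triage(SAMPLE_LOG, set(flag_listing(SAMPLE_LS)))` against a real log by reading the file into `SAMPLE_LOG`'s place; the unparsed count tells you how many lines were truncated by the terminal and need re-extracting before they are trusted.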