possible Hack ispCP 1.0.5
Post #11, theprincy (Member, joined Nov 2008)
RE: Hack IspcpOmega version 1.0.5
Does ispCP not perform a backup of the ispcp database? Does it only do the files in /etc/ispcp and /var/www/ispcp?
04-20-2010 04:03 AM
Post #12, joximu (helper, Moderators, joined Jan 2007)
RE: possible Hack ispCP 1.0.5
ls -la /var/www/ispcp/backups/

You don't have *.sql.* files in there? I do.

So maybe there were problems during the backup of the ispcp database...

/J
04-20-2010 05:58 PM
Post #13, sakal (Junior Member, joined Mar 2010)
RE: possible Hack ispCP 1.0.5
SQL backup: today's file, for example, looks like: ispcp-2010.04.20-000008.sql.bz2
04-20-2010 10:14 PM
Post #14, theprincy (Member, joined Nov 2008)
RE: possible Hack ispCP 1.0.5
(04-20-2010 05:58 PM)joximu Wrote:  ls -la /var/www/ispcp/backups/

You don't have *.sql.* files in there? I do.

So maybe there were problems during the backup of the ispcp database...

/J
It only does the files for /etc/ispcp and /var/www/ispcp ...
uff
04-21-2010 01:39 AM
Post #15, tomdooley (Development Team, joined Sep 2007)
RE: possible Hack ispCP 1.0.5
Quote: Apache/2.2.3 (Debian) PHP/4.4.4-8+etch6 mod_perl/2.0.2 Perl/v5.8.8 Server at http://www.gruppocarige.it.ssl.cx Port 80

Hmmm, Debian Etch? Why PHP 4? That's not the ispCP default setup.

What's the kernel release? I hope Etch-and-a-half...

Any changes made to the master php.ini?

BTW 1: I would prefer to use PHP 5.
BTW 2: I would prefer to upgrade to Lenny, because Etch is no longer maintained.
04-21-2010 05:11 AM
Post #16, tomdooley (Development Team, joined Sep 2007)
RE: possible Hack ispCP 1.0.5
Quote: 24 -rwxrwxrwx 1 root root 22027 Mar 29 06:27 g.php

The files of ispCP are from 13-Apr-2010. The suspected files are from 29-Mar-2010. The files have owner "root". If ispCP did/does have a software bug, the files should have the owner "vu2000" or "www-data" / "wwwrun".

If you are unblamable, you should completely reinstall the server, because currently there are still fake banking login forms on your server (thanks to Benedikt).

Also bear in mind that you should use a current distribution and always update to the newest packages (apt-get update && apt-get upgrade). ispCP does not free you from administering your server.
04-21-2010 07:10 AM
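What tomdooley is doing in the post above is triage by file metadata: the owner, mode and mtime of a suspect file compared against the panel's own files. The script below automates that over a directory tree. It is an added example, not ispCP code; the directory, reference file and uid it takes are assumptions, and the short-name rule is a heuristic modelled on the g.php and x3.php names in this thread.

```python
#!/usr/bin/env python3
"""Flag files in a web root whose owner, mode or mtime do not match the
last legitimate install/upgrade. Added example, not part of ispCP."""
import os
import re
import stat
import sys

DAY = 86400
# Heuristic: one-to-three character PHP names in a web tree (g.php, x3.php)
# are rarely legitimate; treat this as a signal, not proof.
SHORT_PHP_NAME = re.compile(r"^[a-z0-9]{1,3}\.php$")


def triage_file(path, expected_uid, install_mtime, window_days=1):
    """Return the list of reasons `path` looks out of place (empty if none).

    expected_uid   uid every file in the tree should be owned by (ispCP's
                   vhost user such as vu2000, or www-data; a uid is used so
                   the check needs no name lookups)
    install_mtime  mtime (epoch seconds) of a file known to come from the
                   last legitimate install/upgrade, e.g. the panel's index.php
    window_days    an installer writes all its files in one run, so an mtime
                   further than this from install_mtime is flagged
    """
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return []
    reasons = []
    if st.st_uid != expected_uid:
        reasons.append("owner-mismatch")        # e.g. root-owned in a vhost tree
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")        # -rwxrwxrwx as in the thread
    if abs(st.st_mtime - install_mtime) > window_days * DAY:
        reasons.append("mtime-outside-install-window")
    if SHORT_PHP_NAME.match(os.path.basename(path)):
        reasons.append("short-php-name")
    return reasons


def triage_tree(root_dir, expected_uid, install_mtime, window_days=1):
    """Walk root_dir; return {path relative to root_dir: [reasons]} for flagged files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                reasons = triage_file(path, expected_uid, install_mtime, window_days)
            except OSError:
                continue   # vanished or unreadable: skip, do not abort the walk
            if reasons:
                findings[os.path.relpath(path, root_dir)] = reasons
    return findings


if __name__ == "__main__":
    # Assumed layout: the panel GUI tree, with its own index.php as reference.
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/www/ispcp/gui"
    ref = os.stat(os.path.join(root, "index.php"))
    for rel, why in sorted(triage_tree(root, ref.st_uid, ref.st_mtime).items()):
        print(f"{rel}: {', '.join(why)}")
```

Run it against the panel tree, and separately against each vhost's htdocs with that vhost's uid. Anything legitimately edited after the install (configs, uploads) will show up under mtime-outside-install-window, so read that flag together with the others rather than alone. The thread's own point stands: attacker files owned by root indicate a privilege level the web stack should never have had, which is why the advice is a reinstall rather than a cleanup.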
Post #17, theprincy (Member, joined Nov 2008)
RE: possible Hack ispCP 1.0.5
(04-21-2010 05:11 AM)tomdooley Wrote:  
Quote: Apache/2.2.3 (Debian) PHP/4.4.4-8+etch6 mod_perl/2.0.2 Perl/v5.8.8 Server at http://www.gruppocarige.it.ssl.cx Port 80

Hmmm, Debian Etch? Why PHP 4? That's not the ispCP default setup.

It is a redirect from my server.
(04-21-2010 07:10 AM)tomdooley Wrote:  
Quote: 24 -rwxrwxrwx 1 root root 22027 Mar 29 06:27 g.php

The files of ispCP are from 13-Apr-2010. The suspected files are from 29-Mar-2010. The files have owner "root". If ispCP did/does have a software bug, the files should have the owner "vu2000" or "www-data" / "wwwrun".

If you are unblamable, you should completely reinstall the server, because currently there are still fake banking login forms on your server (thanks to Benedikt).

Also bear in mind that you should use a current distribution and always update to the newest packages (apt-get update && apt-get upgrade). ispCP does not free you from administering your server.


I use Lenny; the Etch version is the server the redirect goes to. In practice, the index.php file of ispCP was a redirect to that server.
(This post was last modified: 04-21-2010 05:28 PM by theprincy.)
04-21-2010 05:26 PM
Post #18, gOOvER (joined Jul 2007)
RE: possible Hack ispCP 1.0.5
Is this really ispCP or ISPConfig? I ask this because in your IMAP thread it's ISPConfig ;)
04-21-2010 05:30 PM
Post #19, theprincy (Member, joined Nov 2008)
RE: possible Hack ispCP 1.0.5
(04-21-2010 05:30 PM)gOOvER Wrote:  Is this really ispCP or ISPConfig? I ask this because in your IMAP thread it's ISPConfig ;)


It is ispCP; I only use ispCP, which I find very good (although it should improve a bit, it is making great strides; unfortunately I do not know programming well, otherwise I would have lent a hand). Webmin was installed first; ISPConfig I honestly do not remember having installed on that server, but I found some of its folders.
The only thing is that you cannot verify where they came from, because they deleted the server logs.
The only log left is admin.mobile-we.....-access.log

Code:
93.65.200.211 - - [19/Apr/2010:14:03:24 +0200] "GET /pma/themes/omega/img/b_docs.png HTTP/1.1" 200 761 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:24 +0200] "GET /pma/themes/omega/img/b_home.png HTTP/1.1" 200 621 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:24 +0200] "GET /pma/themes/omega/img/s_notice.png HTTP/1.1" 200 1063 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:24 +0200] "GET /pma/js/mooRainbow/images/moor_arrows.gif HTTP/1.1" 200 94 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.307$
93.65.200.211 - - [19/Apr/2010:14:03:24 +0200] "GET /pma/js/mooRainbow/images/moor_woverlay.png HTTP/1.1" 200 768 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.$
93.65.200.211 - - [19/Apr/2010:14:03:24 +0200] "GET /pma/js/mooRainbow/images/moor_boverlay.png HTTP/1.1" 200 799 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.$
93.65.200.211 - - [19/Apr/2010:14:03:24 +0200] "GET /pma/js/mooRainbow/images/moor_cursor.gif HTTP/1.1" 200 80 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.307$
109.113.181.146 - - [19/Apr/2010:14:03:28 +0200] "POST /blog/wp-admin/admin-ajax.php HTTP/1.1" 404 465 "http://www.unica-web-agency.com/blog/wp-admin/post-new.php" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; it; rv$
93.65.200.211 - - [19/Apr/2010:14:03:30 +0200] "GET /pma/index.php?db=ispcp&token=4baf645d071088a26dbb72e1f26dd210 HTTP/1.1" 200 1001 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/$
93.65.200.211 - - [19/Apr/2010:14:03:31 +0200] "GET /pma/js/common.js HTTP/1.1" 200 13228 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:31 +0200] "GET /pma/favicon.ico HTTP/1.1" 200 18902 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:31 +0200] "GET /pma/favicon.ico HTTP/1.1" 200 18902 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:31 +0200] "GET /pma/navigation.php?token=4baf645d071088a26dbb72e1f26dd210&db=ispcp HTTP/1.1" 200 3960 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Fir$
93.65.200.211 - - [19/Apr/2010:14:03:32 +0200] "GET /pma/js/navigation.js HTTP/1.1" 200 4870 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:32 +0200] "GET /pma/phpmyadmin.css.php?token=4baf645d071088a26dbb72e1f26dd210&js_frame=left&nocache=3815033894 HTTP/1.1" 200 5030 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv$
93.65.200.211 - - [19/Apr/2010:14:03:32 +0200] "GET /pma/js/functions.js HTTP/1.1" 200 58852 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:32 +0200] "GET /pma/themes/omega/img/b_sbrowse.png HTTP/1.1" 200 550 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:31 +0200] "GET /pma/db_structure.php?token=4baf645d071088a26dbb72e1f26dd210&db=ispcp HTTP/1.1" 200 6900 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 F$
93.65.200.211 - - [19/Apr/2010:14:03:33 +0200] "GET /pma/themes/omega/img/wbg_left.jpg HTTP/1.1" 200 528 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:33 +0200] "GET /pma/themes/omega/img/logo_left.png HTTP/1.1" 200 11249 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:33 +0200] "GET /pma/themes/omega/img/b_home.png HTTP/1.1" 200 621 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:33 +0200] "GET /pma/themes/omega/img/s_loggoff.png HTTP/1.1" 200 768 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:33 +0200] "GET /pma/themes/omega/img/b_selboard.png HTTP/1.1" 200 874 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:33 +0200] "GET /pma/print.css HTTP/1.1" 200 1063 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:33 +0200] "GET /pma/js/mootools.js HTTP/1.1" 200 92584 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:33 +0200] "GET /pma/js/functions.js HTTP/1.1" 200 58852 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:33 +0200] "GET /pma/phpmyadmin.css.php?token=4baf645d071088a26dbb72e1f26dd210&js_frame=right&nocache=3815033894 HTTP/1.1" 200 27490 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; $
93.65.200.211 - - [19/Apr/2010:14:03:33 +0200] "GET /pma/js/tooltip.js HTTP/1.1" 200 5441 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:33 +0200] "GET /pma/themes/omega/img/b_docs.png HTTP/1.1" 200 761 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:33 +0200] "GET /pma/themes/omega/img/b_sqlhelp.png HTTP/1.1" 200 3068 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
216.104.15.142 - - [19/Apr/2010:14:03:33 +0200] "GET /x3.php HTTP/1.0" 404 773 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
93.65.200.211 - - [19/Apr/2010:14:03:33 +0200] "GET /pma/themes/omega/img/b_props.png HTTP/1.1" 200 841 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:33 +0200] "GET /pma/themes/omega/img/b_search.png HTTP/1.1" 200 822 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:33 +0200] "GET /pma/themes/omega/img/b_tblops.png HTTP/1.1" 200 504 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:33 +0200] "GET /pma/themes/omega/img/b_deltbl.png HTTP/1.1" 200 664 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:34 +0200] "GET /pma/themes/omega/img/s_asc.png HTTP/1.1" 200 372 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
93.65.200.211 - - [19/Apr/2010:14:03:34 +0200] "GET /pma/themes/omega/img/b_browse.png HTTP/1.1" 200 993 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"

and

216.104.15.142 - - [19/Apr/2010:14:03:33 +0200] "GET /x3.php HTTP/1.0" 404 773 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

x3.php is one of the files in the ispcp folder. I'm seeing if I can retrieve an FTP log file to verify the situation; the log files access.log and error.log are not present.
(This post was last modified: 04-21-2010 08:09 PM by theprincy.)
04-21-2010 08:00 PM
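theprincy's surviving access log shows two things worth pulling out automatically rather than by eye: one client walking phpMyAdmin with db=ispcp (the panel's own database) and a second address probing for /x3.php. The parser below does that for Apache combined-format lines, including lines cut off by the terminal like the `$`-terminated ones posted above. It is an added example, not ispCP's or phpMyAdmin's code; the sample lines are constructed on the model of the entries in this thread, the /pma/ prefix is taken from them, and the two rules are assumptions about what matters on this box.

```python
#!/usr/bin/env python3
"""Pull phpMyAdmin database access and web-shell style probes out of an
Apache combined-format access log. Added example, not ispCP code."""
import re
import sys
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Combined format: ip ident user [time] "request" status bytes "referer" "agent".
# Referer and agent are each optional so a line cut off by the terminal
# (the trailing `$` in the post) still yields ip, time, request and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)")?'
    r'(?: "(?P<agent>[^"]*)")?'
)
# Web-shell style names in the document root: one to three characters plus .php.
SHORT_PHP = re.compile(r"^/[a-z0-9]{1,3}\.php$")
PMA_PREFIX = "/pma/"   # phpMyAdmin path on this box, as seen in the posted log

# Constructed sample, modelled on the entries posted in this thread.
SAMPLE_LOG = """\
93.65.200.211 - - [19/Apr/2010:14:03:30 +0200] "GET /pma/index.php?db=ispcp&token=4baf645d071088a26dbb72e1f26dd210 HTTP/1.1" 200 1001 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
93.65.200.211 - - [19/Apr/2010:14:03:31 +0200] "GET /pma/js/common.js HTTP/1.1" 200 13228 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
216.104.15.142 - - [19/Apr/2010:14:03:33 +0200] "GET /x3.php HTTP/1.0" 404 773 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
93.65.200.211 - - [19/Apr/2010:14:03:31 +0200] "GET /pma/db_structure.php?token=4baf645d071088a26dbb72e1f26dd210&db=ispcp HTTP/1.1" 200 6900 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; it; rv$
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it is not one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    try:
        rec["when"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        rec["when"] = None          # keep the record even if the timestamp is odd
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def triage(lines):
    """Return {client ip: [(rule, detail), ...]} for lines that match a rule."""
    hits = defaultdict(list)
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        q = rec["query"]
        # Rule 1: phpMyAdmin opened on a named database. The panel's own
        # database (ispcp) should never be reached this way from a customer.
        if rec["path"].startswith(PMA_PREFIX) and "db" in q:
            hits[rec["ip"]].append(
                ("pma-db-access", f'{rec["path"]} db={q["db"]} token={q.get("token", "-")}'))
        # Rule 2: request for a short PHP name in the document root, with the
        # status so a 404 probe can be told from a 200 that served a shell.
        if SHORT_PHP.match(rec["path"]):
            hits[rec["ip"]].append(("short-php-probe", f'{rec["path"]} -> {rec["status"]}'))
    return dict(hits)


if __name__ == "__main__":
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for ip, events in sorted(triage(src).items()):
        for rule, detail in events:
            print(f"{ip}  {rule:16}  {detail}")
```

Feed it every vhost access log that survived, not just the one above: the token in the phpMyAdmin URLs ties a whole session to one client, and a short-name probe that came back 404 on this vhost says nothing about the other vhosts on the same box.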