Hack attempt? No more access to ispCP
Hack attempt? No more access to ispCP
This morning someone tried to hack into my server. In the process Apache went down and could not be restarted. The error message was that it could no longer find the file. Fine, I thought, so I simply recreated it. Now the domains are running again, but I can no longer open ispCP. The daemon is running, but as soon as I open the login page I get the following:

The requested URL / was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

The domain was only ever used for ispCP.
I'm attaching the Apache error log. Maybe someone knows how I can solve this.
Installed is (still) RC5 on etch.

08-10-2008 11:33 PM
RE: Hack attempt? No more access to ispCP
But if you open your server's IP, then the login is there?

Did you change anything in the domain/DNS entry?
08-11-2008 12:21 AM
RE: Hack attempt? No more access to ispCP
Yes, then it is there. I didn't change anything. The odd thing is that Apache refused to start because it was missing. As far as I know it was never there, because the domain was never set up, only specified during the ispCP install.
I guess I can no longer open the login because I added the conf for it in /etc/apache2/ispcp so that Apache could start. Now it is there and the other domains are running again. I just can't get into the interface via the usual address any more. Why not? No idea.
08-11-2008 12:42 AM
RE: Hack attempt? No more access to ispCP
What is in your

It seems it can't find your htdocs directory.
08-11-2008 10:48 PM
RE: Hack attempt? No more access to ispCP
In your error log I see more things that are wrong on your server, and
not only these entries...
[Sun Aug 10 02:46:44 2008] [error] [client] File does not exist: /htdocs

but also these:
[Sun Aug 10 02:43:20 2008] [error] [client] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23)
08-11-2008 11:08 PM
RE: Hack attempt? No more access to ispCP
[Sun Aug 10 02:43:20 2008] [error] [client] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23)

I have logs like that too, in part. What is that?
08-12-2008 02:06 AM
RE: Hack attempt? No more access to ispCP
So this is what is in the master.conf in sites-enabled/available:

# ispCP ω (OMEGA) a Virtual Hosting Control System
# @copyright    2001-2006 by moleSoftware GmbH
# @copyright    2006-2008 by ispCP |
# @version        SVN: $ID$
# @link  
# @author        ispCP Team
# @license
#   This program is free software; you can redistribute it and/or modify it under
#   the terms of the MPL General Public License as published by the Free Software
#   Foundation; either version 1.1 of the License, or (at your option) any later
#   version.
#   You should have received a copy of the MPL Mozilla Public License along with
#   this program; if not, write to the Open Source Initiative (OSI)
# |
# Master Begin


    DocumentRoot    /var/www/ispcp/gui


    ErrorLog        /var/log/apache2/users/
    TransferLog     /var/log/apache2/users/

    CustomLog       /var/log/apache2/ traff
    CustomLog       /var/log/apache2/ combined

    Alias /errors   /var/www/ispcp/gui/errordocs/

    ErrorDocument 401 /errors/401.html
    ErrorDocument 403 /errors/403.html
    ErrorDocument 404 /errors/404.html
    ErrorDocument 500 /errors/500.html
    ErrorDocument 503 /errors/503.html

    Alias /pma      /var/www/ispcp/gui/tools/pma/
    Alias /webmail  /var/www/ispcp/gui/tools/webmail/
    Alias /ftp      /var/www/ispcp/gui/tools/filemanager/
    Alias /antispam     /var/www/ispcp/gui/tools/antispam/

    <IfModule suexec_module>
           SuexecUserGroup vu2000 vu2000
    </IfModule>

    <Directory /var/www/ispcp/gui>
        Options -Indexes Includes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    <IfModule mod_fastcgi.c>
        ScriptAlias /php4/ /var/www/fcgi/master/
        ScriptAlias /php5/ /var/www/fcgi/master/
        <Directory "/var/www/fcgi/master">
            AllowOverride None
            Options +ExecCGI MultiViews -Indexes
            Order allow,deny
            Allow from all
        </Directory>
    </IfModule>

    <IfModule mod_php4.c>
        <Directory /var/www/ispcp/gui>
            php_admin_value open_basedir "/var/www/ispcp/gui/:/etc/ispcp/:/var/run/ispcp.lock:/proc/:/bin/df:/bin/mount:/var/log/rkhunter.log:/var/log/chkrootkit.log:/usr/share/php/"
            php_admin_value session.save_path "/var/www/ispcp/gui/phptmp/"
            php_admin_value upload_tmp_dir "/var/www/ispcp/gui/phptmp/"
        </Directory>
    </IfModule>
    <IfModule mod_php5.c>
        <Directory /var/www/ispcp/gui>
            php_admin_value open_basedir "/var/www/ispcp/gui/:/etc/ispcp/:/var/run/ispcp.lock:/proc/:/bin/df:/bin/mount:/var/log/rkhunter.log:/var/log/chkrootkit.log:/usr/share/php/"
            php_admin_value session.save_path "/var/www/ispcp/gui/phptmp/"
            php_admin_value upload_tmp_dir "/var/www/ispcp/gui/phptmp/"
        </Directory>
    </IfModule>


# Master End

It actually looks OK to me. The funny thing is that since the problem, Apache insists on having a web directory for the domain '', or rather it has to be set up as an actual domain. That wasn't the case before either.

I actually wanted to update to RC6. So the question now is whether I can fix this or should rather do a reinstall (once again).

As I said, I had only used the domain for ispCP, but never set it up as a regular domain.
08-12-2008 02:50 AM
RE: Hack attempt? No more access to ispCP
Looks quite OK. What does the Apache log say about it?

PS: "ServerName" I wouldn't find so great, I'd find nicer XD
08-12-2008 02:56 AM
RE: Hack attempt? No more access to ispCP
Hm. The current log looks like this (sorry if it is already too big to post):

[Sun Aug 10 13:07:08 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
[Sun Aug 10 13:07:08 2008] [notice] FastCGI: wrapper mechanism enabled (wrapper: /usr/lib/apache2/suexec)
[Sun Aug 10 13:07:08 2008] [notice] FastCGI: process manager initialized (pid 3297)
[Sun Aug 10 13:07:08 2008] [warn] FastCGI: server "/var/www/fcgi/master/php5-fcgi-starter" (uid 2000, gid 2000) started (pid 3303)
[Sun Aug 10 13:07:08 2008] [notice] Apache/2.2.3 (Debian) mod_fastcgi/2.4.2 configured -- resuming normal operations
[Sun Aug 10 13:07:17 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (uid 2002, gid 2002) started (pid 3361)
[Sun Aug 10 13:07:26 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (uid 2023, gid 2023) started (pid 3365)
[Sun Aug 10 13:09:01 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (uid 2022, gid 2022) started (pid 3441)
[Sun Aug 10 13:11:13 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (uid 2012, gid 2012) started (pid 3515)
[Sun Aug 10 13:13:33 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (uid 2014, gid 2014) started (pid 3521)
[Sun Aug 10 13:14:28 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (uid 2015, gid 2015) started (pid 3526)
[Sun Aug 10 13:24:35 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (uid 2009, gid 2009) started (pid 3575)
[Sun Aug 10 13:34:47 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (uid 2018, gid 2018) started (pid 3885)
[Sun Aug 10 14:32:18 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (uid 2002, gid 2002) started (pid 4659)
[Sun Aug 10 14:33:04 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (pid 4659) termination signaled
[Sun Aug 10 14:33:04 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (pid 4659) terminated by calling exit with status '0'
[Sun Aug 10 14:48:37 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (uid 2019, gid 2019) started (pid 4776)
[Sun Aug 10 16:50:29 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (uid 2004, gid 2004) started (pid 6403)
[Sun Aug 10 18:03:31 2008] [error] [client] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Sun Aug 10 18:03:31 2008] [error] [client] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Sun Aug 10 18:03:31 2008] [error] [client] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Sun Aug 10 18:03:31 2008] [error] [client] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Sun Aug 10 18:03:34 2008] [error] [client] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Sun Aug 10 18:39:20 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (uid 2025, gid 2025) started (pid 7881)
[Sun Aug 10 22:03:01 2008] [error] [client] File does not exist: /htdocs
[Sun Aug 10 22:03:01 2008] [error] [client] File does not exist: /htdocs
[Sun Aug 10 22:03:01 2008] [error] [client] File does not exist: /htdocs
[Sun Aug 10 22:03:01 2008] [error] [client] File does not exist: /htdocs
[Sun Aug 10 22:03:01 2008] [error] [client] File does not exist: /htdocs
[Sun Aug 10 22:03:01 2008] [error] [client] File does not exist: /htdocs
[Sun Aug 10 22:03:01 2008] [error] [client] File does not exist: /htdocs
[Sun Aug 10 22:03:01 2008] [error] [client] File does not exist: /htdocs
[Sun Aug 10 22:03:04 2008] [error] [client] File does not exist: /htdocs
[Sun Aug 10 22:03:04 2008] [error] [client] File does not exist: /htdocs
[Sun Aug 10 22:03:04 2008] [error] [client] File does not exist: /htdocs
[Sun Aug 10 22:03:04 2008] [error] [client] File does not exist: /htdocs
[Sun Aug 10 22:03:04 2008] [error] [client] File does not exist: /htdocs
[Sun Aug 10 22:03:04 2008] [error] [client] File does not exist: /htdocs
[Sun Aug 10 22:03:04 2008] [error] [client] File does not exist: /htdocs
[Sun Aug 10 22:03:04 2008] [error] [client] File does not exist: /htdocs
[Sun Aug 10 22:03:04 2008] [error] [client] File does not exist: /htdocs
[Sun Aug 10 22:03:04 2008] [error] [client] File does not exist: /htdocs
[Sun Aug 10 22:03:04 2008] [error] [client] File does not exist: /htdocs
[Sun Aug 10 22:03:04 2008] [error] [client] File does not exist: /htdocs
[Sun Aug 10 22:03:04 2008] [error] [client] File does not exist: /htdocs
[Sun Aug 10 22:03:04 2008] [error] [client] File does not exist: /htdocs
[Sun Aug 10 22:03:07 2008] [error] [client] File does not exist: /htdocs
[Sun Aug 10 22:03:07 2008] [error] [client] File does not exist: /htdocs
[Sun Aug 10 22:03:07 2008] [error] [client] File does not exist: /htdocs
[Sun Aug 10 22:03:07 2008] [error] [client] File does not exist: /htdocs
[Mon Aug 11 03:05:43 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (uid 2001, gid 2001) started (pid 29793)
[Mon Aug 11 04:58:27 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (uid 2002, gid 2002) restarted (pid 31706)
[Mon Aug 11 04:58:32 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (uid 2002, gid 2002) started (pid 31712)
[Mon Aug 11 04:58:45 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (pid 31712) termination signaled
[Mon Aug 11 04:58:45 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (pid 31712) terminated by calling exit with status '0'
[Mon Aug 11 04:59:37 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (uid 2002, gid 2002) restarted (pid 31717)
[Mon Aug 11 04:59:42 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (uid 2002, gid 2002) started (pid 31720)
[Mon Aug 11 04:59:45 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (pid 31720) termination signaled
[Mon Aug 11 04:59:45 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (pid 31720) terminated by calling exit with status '0'
[Mon Aug 11 05:00:45 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (pid 31717) termination signaled
[Mon Aug 11 05:00:45 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (pid 31717) terminated by calling exit with status '0'
[Mon Aug 11 05:01:45 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (pid 31706) termination signaled
[Mon Aug 11 05:01:45 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (pid 31706) terminated by calling exit with status '0'
[Mon Aug 11 06:25:48 2008] [notice] caught SIGTERM, shutting down
[Mon Aug 11 06:25:50 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
[Mon Aug 11 06:25:50 2008] [notice] FastCGI: wrapper mechanism enabled (wrapper: /usr/lib/apache2/suexec)
[Mon Aug 11 06:25:50 2008] [notice] FastCGI: process manager initialized (pid 435)
[Mon Aug 11 06:25:50 2008] [warn] FastCGI: server "/var/www/fcgi/master/php5-fcgi-starter" (uid 2000, gid 2000) started (pid 436)
[Mon Aug 11 06:25:50 2008] [notice] Apache/2.2.3 (Debian) mod_fastcgi/2.4.2 configured -- resuming normal operations
[Mon Aug 11 06:25:53 2008] [notice] caught SIGTERM, shutting down
[Mon Aug 11 06:25:57 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
[Mon Aug 11 06:25:57 2008] [notice] FastCGI: wrapper mechanism enabled (wrapper: /usr/lib/apache2/suexec)
[Mon Aug 11 06:25:57 2008] [notice] FastCGI: process manager initialized (pid 642)
[Mon Aug 11 06:25:57 2008] [warn] FastCGI: server "/var/www/fcgi/master/php5-fcgi-starter" (uid 2000, gid 2000) started (pid 643)
[Mon Aug 11 06:25:57 2008] [notice] Apache/2.2.3 (Debian) mod_fastcgi/2.4.2 configured -- resuming normal operations
[Mon Aug 11 06:27:14 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (uid 2023, gid 2023) started (pid 15602)
[Mon Aug 11 06:28:37 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (uid 2022, gid 2022) started (pid 15606)
[Mon Aug 11 06:43:28 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (uid 2014, gid 2014) started (pid 15865)
[Mon Aug 11 06:44:10 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (uid 2018, gid 2018) started (pid 15869)
[Mon Aug 11 06:52:54 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (uid 2002, gid 2002) started (pid 15890)
[Mon Aug 11 07:00:07 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (uid 2001, gid 2001) started (pid 16161)
[Mon Aug 11 07:00:20 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (uid 2009, gid 2009) started (pid 16164)
[Mon Aug 11 07:23:47 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (uid 2015, gid 2015) started (pid 16252)
[Mon Aug 11 07:25:39 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (uid 2012, gid 2012) started (pid 16261)
[Mon Aug 11 07:55:10 2008] [error] [client] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Aug 11 07:55:10 2008] [error] [client] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Aug 11 07:55:10 2008] [error] [client] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Aug 11 07:55:10 2008] [error] [client] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Aug 11 07:55:10 2008] [error] [client] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Aug 11 08:37:05 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (uid 2004, gid 2004) started (pid 17269)
[Mon Aug 11 09:05:59 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (uid 2025, gid 2025) started (pid 17623)
[Mon Aug 11 11:15:25 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (uid 2019, gid 2019) started (pid 19071)
[Mon Aug 11 13:52:05 2008] [error] [client] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Aug 11 13:52:05 2008] [error] [client] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Aug 11 13:52:05 2008] [error] [client] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Aug 11 13:52:05 2008] [error] [client] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Aug 11 13:52:05 2008] [error] [client] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Aug 11 14:18:20 2008] [error] [client] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Aug 11 14:18:20 2008] [error] [client] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Aug 11 14:18:20 2008] [error] [client] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Aug 11 14:18:20 2008] [error] [client] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Aug 11 14:18:20 2008] [error] [client] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Aug 11 18:53:40 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (uid 2018, gid 2018) started (pid 6032)
[Mon Aug 11 18:53:50 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (pid 6032) termination signaled
[Mon Aug 11 18:53:50 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (pid 6032) terminated by calling exit with status '0'
[Mon Aug 11 18:54:38 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (uid 2018, gid 2018) restarted (pid 6037)
[Mon Aug 11 18:54:51 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (pid 6037) termination signaled
[Mon Aug 11 18:54:51 2008] [warn] FastCGI: (dynamic) server "/var/www/fcgi/" (pid 6037) terminated by calling exit with status '0'

This shit / keeps showing up again and again.
I've already explained why the htdocs doesn't exist.

On startup Apache complains:
Starting web server (apache2)...Warning: DocumentRoot [/var/www/virtual/] does not exist
That's obvious, because the domain isn't set up; I only created the file so that the domains run again.

Well. I did the name thing that way on the first install, back when the guide specifically for Hetzner was still current. I then kept it that way because the domain owners have the address in their bookmarks. Not elegant, but this way I don't constantly get inquiries because something changed. They mostly don't read info mails and newsletters anyway ;)
08-12-2008 03:25 AM
RE: Hack attempt? No more access to ispCP
As an explanation for the uninitiated among you....
client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
can be described as a fingerprint scanner and has already been identified as a hacker tool, so be careful if the requests become too many...
Or maybe not? I'm not all-knowing, and my crystal ball is at the laundry...

08-12-2008 03:53 AM
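
Added example, not part of any post in this thread: Apache writes the "request without hostname" error when an HTTP/1.1 request arrives with no Host header, and the sketch below groups such entries from an Apache 2.2 error log into per-client bursts so an admin can see how many arrive together. The function name, window, threshold and the sample lines (documentation-range addresses) are constructed assumptions; lines with the address stripped, as in the log quoted above, are counted under "unknown".

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache 2.2 error_log entry for a Host-less HTTP/1.1 request. The client
# address is optional because the log quoted in the thread shows "[client]".
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4})\] "
    r"\[error\] \[client(?: (?P<ip>[^\]]+))?\] "
    r"client sent HTTP/1\.1 request without hostname"
)

def hostless_bursts(lines, window=timedelta(seconds=10), threshold=3):
    """Return (client, first_seen, count) for each burst of Host-less requests.

    A burst is a run of entries from one client in which consecutive
    entries are at most `window` apart; runs below `threshold` are dropped.
    """
    per_client = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # other error types, e.g. "File does not exist"
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        per_client[m.group("ip") or "unknown"].append(ts)

    bursts = []
    for client, stamps in per_client.items():
        stamps.sort()
        start = 0
        for i in range(1, len(stamps) + 1):
            # Close the current run at the end or when the gap exceeds the window.
            if i == len(stamps) or stamps[i] - stamps[i - 1] > window:
                if i - start >= threshold:
                    bursts.append((client, stamps[start], i - start))
                start = i
    return sorted(bursts, key=lambda b: b[1])

# Constructed sample input (not taken from the poster's server).
MSG = "client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /"
SAMPLE = (
    [f"[Sun Aug 10 18:03:31 2008] [error] [client 192.0.2.10] {MSG}"] * 4
    + [f"[Sun Aug 10 18:03:34 2008] [error] [client 192.0.2.10] {MSG}",
       f"[Sun Aug 10 18:20:00 2008] [error] [client 198.51.100.7] {MSG}",
       "[Sun Aug 10 22:03:01 2008] [error] [client 192.0.2.10] File does not exist: /htdocs"]
    + [f"[Mon Aug 11 07:55:10 2008] [error] [client] {MSG}"] * 3
)

if __name__ == "__main__":
    for client, first_seen, count in hostless_bursts(SAMPLE):
        print(f"{first_seen:%Y-%m-%d %H:%M:%S}  {client:<15}  {count} requests")
```

A burst here only says that one client sent several Host-less requests close together; which client software produced them has to be established from the access log and other evidence.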
