Have I been hacked? should I be worried?




northernbaldy
Jun 9, 2010, 02:34 PM
I have just been looking at the access logs for my web server and found this


221.192.199.35 - - [09/Jun/2010:09:34:23 +0100] "GET http://www.wantsfly.com/prx2.php?hash=0DD74D710FE7F8BE5D61A85C00502998EB2C06E3A7E4 HTTP/1.0" 404 1035
221.192.199.35 - - [09/Jun/2010:13:11:45 +0100] "GET http://www.wantsfly.com/prx2.php?hash=0DD74D710FE7F8BE5D61A85C00502998EB2C06E3A7E4 HTTP/1.0" 404 1035
221.192.199.35 - - [09/Jun/2010:17:21:49 +0100] "GET http://www.wantsfly.com/prx2.php?hash=0DD74D710FE7F8BE5D61A85C00502998EB2C06E3A7E4 HTTP/1.0" 404 1035
221.192.199.35 - - [09/Jun/2010:17:52:59 +0100] "GET http://www.wantsfly.com/prx2.php?hash=0DD74D710FE7F8BE5D61A85C00502998EB2C06E3A7E4 HTTP/1.0" 404 1035
93.97.168.92 - - [09/Jun/2010:20:18:07 +0100] "GET / HTTP/1.1" 200 5094
93.97.168.92 - - [09/Jun/2010:20:18:07 +0100] "GET /collaboration/css/serverhome_static.css HTTP/1.1" 200 176
93.97.168.92 - - [09/Jun/2010:20:18:07 +0100] "GET /collaboration/css/serverhome_static/iphone.css HTTP/1.1" 200 1010
93.97.168.92 - - [09/Jun/2010:20:18:07 +0100] "GET /collaboration/javascript/compressed_libraries.js HTTP/1.1" 200 34682
93.97.168.92 - - [09/Jun/2010:20:18:07 +0100] "GET /collaboration/css/serverhome_compressed.css HTTP/1.1" 200 4696
93.97.168.92 - - [09/Jun/2010:20:18:07 +0100] "GET /collaboration/css/serverhome_static/overrides.css HTTP/1.1" 200 1187
93.97.168.92 - - [09/Jun/2010:20:18:07 +0100] "GET /collaboration/css/required_compressed.css HTTP/1.1" 200 19562
93.97.168.92 - - [09/Jun/2010:20:18:07 +0100] "GET /collaboration/javascript/serverhome.js HTTP/1.1" 200 913
93.97.168.92 - - [09/Jun/2010:20:18:07 +0100] "GET /collaboration/css/required/img/spinner.gif HTTP/1.1" 200 3554
93.97.168.92 - - [09/Jun/2010:20:18:07 +0100] "GET /collaboration/css/serverhome_static/img/footer-bg.png HTTP/1.1" 200 3254
93.97.168.92 - - [09/Jun/2010:20:18:07 +0100] "GET /collaboration/javascript/compressed_widgets.js HTTP/1.1" 200 23394
93.97.168.92 - - [09/Jun/2010:20:18:07 +0100] "GET /collaboration/css/serverhome_static/img/banner-bg.png HTTP/1.1" 200 291106
93.97.168.92 - - [09/Jun/2010:20:18:08 +0100] "GET /favicon.ico HTTP/1.1" 200 7782
93.97.168.92 - - [09/Jun/2010:20:18:08 +0100] "GET /collaboration-availability/webmail/ HTTP/1.1" 200 247
93.97.168.92 - - [09/Jun/2010:20:18:08 +0100] "GET /collaboration-availability/groups/ HTTP/1.1" 200 247
93.97.168.92 - - [09/Jun/2010:20:18:08 +0100] "GET /collaboration-availability/updates/ HTTP/1.1" 200 247
93.97.168.92 - - [09/Jun/2010:20:18:08 +0100] "GET /collaboration-availability/users/ HTTP/1.1" 200 247
93.97.168.92 - - [09/Jun/2010:20:18:08 +0100] "GET /collaboration-availability/emailrules/ HTTP/1.1" 404 1171
93.97.168.92 - - [09/Jun/2010:20:18:08 +0100] "GET /collaboration-availability/changepassword/ HTTP/1.1" 404 1171
93.97.168.92 - - [09/Jun/2010:20:18:08 +0100] "GET /collaboration-availability/webcal/ HTTP/1.1" 200 247
93.97.168.92 - - [09/Jun/2010:20:18:08 +0100] "GET /collaboration-availability/podcastcapture/ HTTP/1.1" 503 1043
93.97.168.92 - - [09/Jun/2010:20:18:08 +0100] "GET /collaboration/css/serverhome_static/img/more-bg.png HTTP/1.1" 200 2819
93.97.168.92 - - [09/Jun/2010:20:18:08 +0100] "GET /collaboration/css/serverhome_static/img/service-bg.png HTTP/1.1" 200 57374
93.97.168.92 - - [09/Jun/2010:20:18:08 +0100] "GET /collaboration/css/serverhome_static/img/service-icons.png HTTP/1.1" 200 104370

I don't like the look of it! Has someone got in?



belvdr
Jun 9, 2010, 02:44 PM
It looks like a bunch of GET requests, so I'm seeing no reason for worry. What don't you like about this traffic?

northernbaldy
Jun 9, 2010, 02:48 PM
I understand the 93.97.168.35 items now, not a problem.
It was just the wantsfly.com stuff I was curious about (I'm new and inexperienced).

It would seem that all of the entries returned a 404 page, but there are loads of entries from wantsfly.com.

belvdr
Jun 9, 2010, 02:52 PM
Since it's a 404, there's no worries. From googling, it appears folks try to use the proxy module available in Apache to find an open proxy.
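
The check described in the reply above can be done mechanically. The Python below is an added example, not part of the original thread: it scans access-log lines for forward-proxy style requests (an absolute URI or a CONNECT) and lists any that were not answered with an error status. The two 203.0.113.7 lines and the names `is_proxy_probe` and `audit` are constructed for illustration.

```python
import re
from collections import defaultdict

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def is_proxy_probe(method, target):
    """A normal request targets a path ('/...'); a forward-proxy request
    carries an absolute URI, and CONNECT carries host:port."""
    return method == "CONNECT" or re.match(r'^[a-z][a-z0-9+.-]*://', target, re.I) is not None

def audit(lines):
    """Return {client: {"probes": n, "review": [(time, target, status), ...]}}.
    'review' holds probes answered with a status below 400: check those by hand."""
    report = defaultdict(lambda: {"probes": 0, "review": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_proxy_probe(m["method"], m["target"]):
            continue  # unparseable line or ordinary request for a local path
        entry = report[m["host"]]
        entry["probes"] += 1
        if int(m["status"]) < 400:
            entry["review"].append((m["time"], m["target"], int(m["status"])))
    return dict(report)

SAMPLE = [
    # These two lines are copied from the log posted in the thread.
    '221.192.199.35 - - [09/Jun/2010:09:34:23 +0100] "GET http://www.wantsfly.com/prx2.php?hash=0DD74D710FE7F8BE5D61A85C00502998EB2C06E3A7E4 HTTP/1.0" 404 1035',
    '93.97.168.92 - - [09/Jun/2010:20:18:07 +0100] "GET / HTTP/1.1" 200 5094',
    # Constructed lines (documentation address range), not from the thread.
    '203.0.113.7 - - [09/Jun/2010:21:00:00 +0100] "GET http://example.com/ HTTP/1.1" 200 5120',
    '203.0.113.7 - - [09/Jun/2010:21:00:05 +0100] "CONNECT example.com:443 HTTP/1.1" 405 312',
]

if __name__ == "__main__":
    for host, info in audit(SAMPLE).items():
        print(host, "probes:", info["probes"], "needs review:", info["review"])
```

An entry under `review` is a prompt to compare the response size with the site's own pages, since a server with proxying switched off may answer such a request with its local content.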

northernbaldy
Jun 9, 2010, 03:03 PM
Not sure what I have done now, but I can't log on to the fecking thing.

Bugger :(

northernbaldy
Jun 9, 2010, 03:17 PM
Fixed it, thank god for server tools! I managed to run server tools from my laptop and fix it!
Seems I had disabled my administrator login.

Bloody computers :p