Author Topic: Problem urgent, Is posible that my server was haked?  (Read 7087 times)

0 Members and 2 Guests are viewing this topic.

Offline
*
Problem urgent, Is posible that my server was haked?
« on: April 25, 2018, 07:20:42 PM »
I see few days ago this message in my error_log in my server CEP7

[Mon Apr 23 23:02:37.761117 2018] [:error] [pid 31779:tid 139639427909376] [client 185.104.120.3:6393] File does not exist: /home/centoneg/public_html/xmlrpc.php
[Tue Apr 24 01:11:22.342871 2018] [:error] [pid 31478:tid 139639606437632] [client 185.45.75.155:47162] File does not exist: /home/bmatica1/public_html/wp-cron.php, referer: http://www.bmatica.es/wp-cron.php?doing_wp_cron=1524525089.5313839912414550781250
[Tue Apr 24 02:09:59.259062 2018] [:error] [pid 31779:tid 139639486658304] [client 192.241.124.50:51564] File does not exist: /usr/local/apache/htdocs/xmlrpc.php
[Tue Apr 24 02:18:50.926564 2018] [:error] [pid 31477:tid 139639469872896] [client 193.202.110.25:51814] File does not exist: /usr/local/apache/htdocs/xmlrpc.php
[Tue Apr 24 02:22:46.144902 2018] [:error] [pid 31479:tid 139639352375040] [client 213.212.60.223:56782] File does not exist: /usr/local/apache/htdocs/xmlrpc.php
[Tue Apr 24 02:46:05.003932 2018] [:error] [pid 31478:tid 139639469872896] [client 52.47.168.171:7443] [client 52.47.168.171] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\b(keep-alive|close),\\\\s?(keep-alive|close)\\\\b" at REQUEST_HEADERS:Connection. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "447"] [id "958295"] [rev "2"] [msg "Multiple/Conflicting Connection Header Data Found."] [data "close, close"] [severity "WARNING"] [ver "OWASP_CRS/2.2.9"] [maturity "6"] [accuracy "8"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"] [hostname "www.bmatica.es"] [uri "/ads.txt"] [unique_id "Wt5@TVeAxW0yjzB@yJ74TQAAAEo"]
[Tue Apr 24 02:48:48.261987 2018] [:error] [pid 31479:tid 139639486658304] [client 97.79.238.60:46750] File does not exist: /usr/local/apache/htdocs/xmlrpc.php
[Tue Apr 24 02:58:50.672094 2018] [:error] [pid 31478:tid 139639453087488] [client 193.202.110.25:52392] File does not exist: /usr/local/apache/htdocs/xmlrpc.php
[Tue Apr 24 03:08:54.998040 2018] [:error] [pid 31479:tid 139639461480192] [client 103.6.198.72:45390] File does not exist: /usr/local/apache/htdocs/xmlrpc.php
[Tue Apr 24 03:36:38.318468 2018] [:error] [pid 31478:tid 139639511836416] [client 54.36.150.109:28494] File does not exist: /home/bmatica1/public_html/index.php
[Tue Apr 24 05:09:19.543569 2018] [:error] [pid 31478:tid 139639453087488] [client 66.111.57.21:59761] [client 66.111.57.21] ModSecurity: Access denied with code 403 (phase 1). Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_30_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "TRACE"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "www"] [uri "/"] [unique_id "Wt6f31eAxW0yjzB@yJ74dwAAAEw"]
[Tue Apr 24 06:05:18.774279 2018] [:error] [pid 31478:tid 139639511836416] [client 163.178.170.172:47634] [client 163.178.170.172] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:\\\\bhttp\\\\/(?:0\\\\.9|1\\\\.[01])|<(?:html|meta)\\\\b)" at ARGS:name[#markup]. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "136"] [id "950911"] [rev "2"] [msg "HTTP Response Splitting Attack"] [data "Matched Data: <meta found within ARGS:name[#markup]: echo \\x22<title>hacked by h0d3_g4n</title><meta content=\\x22hacked by h0d3_g4n\\x22 name=\\x22description\\x22><meta content=\\x22hacked by h0d3_g4n\\x22 name=\\x22keywords\\x22><meta name=\\x22robots\\x22 content=\\x22index, follow\\x22><meta content=\\x22h0d3_g4n\\x22 name=\\x22author\\x22/><center><h2><img src=\\x22https://images4.alphacoders.com/215/215134.jpg\\x22 <width=\\x22300\\x22 height=\\x22300\\x22></h2><h1>hacked by h0d3_g4n</h1><br><h3>greetz: all member elec..."] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [hostname "tramitel.net"] [uri "/"] [unique_id "Wt6s-leAxW0yjzB@yJ74rQAAAEU"]
[Tue Apr 24 07:15:06.522077 2018] [:error] [pid 31779:tid 139639411123968] [client 195.130.247.116:37600] File does not exist: /usr/local/apache/htdocs/xmlrpc.php
[Tue Apr 24 07:20:38.854469 2018] [mpm_event:notice] [pid 31465:tid 139639799248768] AH00493: SIGUSR1 received.  Doing graceful restart

What do you think has happened?
« Last Edit: April 25, 2018, 07:22:57 PM by Toni »

Offline
*
Re: Problem urgent, Is posible that my server was haked?
« Reply #1 on: April 26, 2018, 08:26:28 AM »
it can be that this website is hacked or that someone is trying to hack it, anyway, keep mod_security on, keep your site files/themes and scripts update and recommended would be to run FileSystemLock as this will prevent all hacks.

also you can check for this

http://wiki.centos-webpanel.com/track-spam-infected-scripts
VPS & Dedicated server provider with included FREE Managed support for CWP.
http://www.studio4host.com/

*** Don't allow that your server or website is down, choose hosting provider with included expert managed support for your CWP.

Offline
*
Re: Problem urgent, Is posible that my server was haked?
« Reply #2 on: April 26, 2018, 06:51:49 PM »
Hi thanks for you reply.

How can i install and use the FileSystemLock in my server? i search information for about it but i don't find any

Can you help me about that