Thread: Error logs

  1. #1
    Senior Member
    Join Date
    May 2002
    Posts
    147

    Error logs

    I've just looked at my server error logs on 1and1 hosting and have found some odd looking pages:

    217.160.233.109/w00tw00t.at.ISC.SANS.DFind:)
    217.160.233.109/msadc/..À¯..À¯..À¯../winnt/system32/cmd.exe
    217.160.233.109/scripts/root.exe

    217.160.233.109/Ads/adxmlrpc.php
    217.160.233.109/a1b2c3d4e5f6g7h8i9/nonexistentfile.php
    217.160.233.109/ads/adxmlrpc.php
    217.160.233.109/adserver/adxmlrpc.php
    217.160.233.109/blog/xmlrpc.php
    217.160.233.109/blog/xmlsrv/xmlrpc.php

    It's the first three that I find most odd, although I don't have any directories anywhere that would relate to the blog entries.

    Should I be worried about these?
    Mama always said, keep your virus definitions up to date.

  2. #2
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    a quick google search on dfind....turned this up
    http://www.google.ca/search?hl=en&q=.dfind&meta=

    doesn't look good...it also does look like the server has been updated, or patched for a while as this is an old "utility" and should have been detected by an AV...

    as for the root.exe

    http://www.google.ca/search?hl=en&q=...G=Search&meta=

    either you put an unpatched server up...or it's been owned for quite a while

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  3. #3
    Senior Member
    Join Date
    May 2002
    Posts
    147
    yeah, I've just been looking on google. However, this is 1and1 hosting, not my own server. So I'm guessing I should contact them?

    Edit: thinking about it, seeing as these are in the error log, could it be that some kind of scanner is looking for these pages, but not finding them?
    Mama always said, keep your virus definitions up to date.

  4. #4
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    ahhh...yep

    from this handy dandy page

    http://www.dnsstuff.com/tools/whois....17.160.233.109

    you have

    results for 217.160.233.109
    Generated by www.DNSstuff.com
    Location: United States [City: ]

    ARIN says that this IP belongs to RIPE; I'm looking it up there.


    Using 0 day old cached answer (or, you can get fresh results).
    Hiding E-mail address (you can get results with the E-mail address).

    % This is the RIPE Whois query server #2.
    % The objects are in RPSL format.
    %
    % Note: the default output of the RIPE Whois server
    % is changed. Your tools may need to be adjusted. See
    % http://www.ripe.net/db/news/abuse-pr...-20050331.html
    % for more details.
    %
    % Rights restricted by copyright.
    % See http://www.ripe.net/db/copyright.html

    % Information related to '217.160.224.0 - 217.160.239.255'

    inetnum: 217.160.224.0 - 217.160.239.255
    netname: SCHLUND-CUSTOMERS
    descr: Schlund + Partner AG
    country: US
    admin-c: UI-RIPE
    tech-c: UI-RIPE
    remarks: INFRA-AW
    remarks: in case of abuse or spam, please mailto: *****@schlund.de
    status: ASSIGNED PA
    mnt-by: SCHLUND-MNT
    notify: ********@schlund.net
    changed: ***@schlund.de 20031107
    source: RIPE

    role: Schlund NCC
    address: Schlund + Partner AG
    address: Brauerstrasse 48
    address: D-76135 Karlsruhe
    address: Germany
    remarks: For abuse issues, please use only *****@schlund.com
    remarks: For NOC issues, please look at our AS 8560
    phone: +49 721 91374 50
    fax-no: +49 721 91374 20
    e-mail: *****@schlund.com
    admin-c: SPNC-RIPE
    tech-c: SPNC-RIPE
    nic-hdl: UI-RIPE
    notify: *****@schlund.com
    mnt-by: SCHLUND-MNT
    changed: *****@schlund.com 20040512
    source: RIPE

    % Information related to '217.160.224.0/19AS8560'

    route: 217.160.224.0/19
    descr: SCHLUND-USA-1
    origin: AS8560
    notify: ********@schlund.net
    mnt-by: SCHLUND-MNT
    changed: ***@schlund.net 20050125
    source: RIPE


    [The following lines added by www.dnsstuff.com per requirement by RIPE]
    This service is subject to the terms and conditions stated in the RIPE NCC Database Copyright Notice.
    Contact dnsstuff.com's 'info2@' address to report problems regarding the functionality of the service
    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  5. #5
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    I've just looked at my server error logs on 1and1 hosting and have found some odd looking pages:
    I am confused???

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  6. #6
    Senior Member
    Join Date
    May 2002
    Posts
    147
    Sorry, I should probably have said my domain error logs.
    Mama always said, keep your virus definitions up to date.

  7. #7
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Don't let your web site being hit by worms alarm you; this happens to every web server, all the time- in fact often many times per day.

    These worms pick random IP addresses and/or hostnames to attack so you won't have been singled out in any way.

    If your system is not vulnerable to the vulnerability they're trying to exploit you have nothing to worry about.

    I find that most worms attack IP addresses not host names; therefore, we normally set up a dummy default host and have its access/error logs separate from our real hosts to avoid confusion.

    Slarty
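Post #3's hunch (a scanner asking for files that are not there, which is why the requests land in the error log) and post #7's point that a probe only matters if the path actually exists can be turned into a small log-triage script. This is an added example, not code from the thread or from 1and1: the log lines, client IPs and the signature list are constructed here, and the Apache combined log format is assumed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache access-log lines (combined format) modelled on the probes
# quoted in this thread; client IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2006:13:55:36 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
192.0.2.10 - - [10/Oct/2006:13:55:37 +0000] "GET /msadc/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe HTTP/1.0" 404 209 "-" "-"
192.0.2.10 - - [10/Oct/2006:13:55:38 +0000] "GET /scripts/root.exe HTTP/1.0" 404 209 "-" "-"
192.0.2.10 - - [10/Oct/2006:13:55:39 +0000] "GET /blog/xmlrpc.php HTTP/1.1" 404 209 "-" "-"
198.51.100.7 - - [10/Oct/2006:13:56:01 +0000] "GET /xmlrpc.php HTTP/1.1" 200 312 "-" "-"
203.0.113.5 - - [10/Oct/2006:13:56:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Probe families named in the thread. Paths are %-decoded as Latin-1 first, so the
# IIS overlong-UTF-8 traversal matches whether the log holds %c0%af or raw bytes (À¯).
SIGNATURES = [
    ("dfind-scanner", re.compile(r"w00tw00t\.at\.ISC\.SANS\.DFind", re.I)),
    ("iis-unicode-traversal", re.compile(r"(À¯|\.\./).*cmd\.exe", re.I)),
    ("nimda-codered-backdoor", re.compile(r"/root\.exe$", re.I)),
    ("xmlrpc-probe", re.compile(r"xmlrpc\.php$", re.I)),
]

def classify(path):
    """Return the probe family label for a decoded request path, or None."""
    for label, rx in SIGNATURES:
        if rx.search(path):
            return label
    return None

def triage(log_text):
    """Per-IP probe counts, plus any probe path that was served (2xx) rather than failing."""
    report = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = unquote(m["path"], encoding="latin-1", errors="replace")
        label = classify(path)
        if label is None:
            continue
        entry = report.setdefault(m["ip"], {"probes": Counter(), "served": []})
        entry["probes"][label] += 1
        if m["status"].startswith("2"):  # the probed path exists: this one needs a look
            entry["served"].append(path)
    return report
```

A 4xx on every probe is the situation in this thread (the worm asked for something that is not there); a populated `served` list is the case worth investigating.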
