Aaaaaarrrrrrrrrrggggggggghhhhh Hacked Again!!!!!

[madaxe]

Hi

I have apache_2.0.55-win32-x86-no_ssl which is the latest version installed on my XP professional PC.

I am using a cisco router with only a few ports open enough to breath just.

have Norton and the XP firewall

With Apache I have used .htaccess file with IP adresses pulled from my error and access log and i placed the IP's in my httpd.conf file.

They still managed to trash my web server, somehow they are turning off my XP fire wall i noticed, can they actually do that? Also I traaced the IP addresses found one from a chinesse university and one from a online holiday booking company obviously they are either masking there IP's or using those servers to stage the attacks.

What can I do my web site is small just for friends and family please help noobie to hacking defece.....:&lt

below is a section from my error log showing you the stuff im seeing

Madaxe


[Mon Feb 13 05:15:54 2006] [notice] Apache/2.0.55 (Win32) configured -- resuming normal operations
[Mon Feb 13 05:15:54 2006] [notice] Server built: Oct 9 2005 19:16:56
[Mon Feb 13 05:15:54 2006] [notice] Parent: Created child process 2596
[Mon Feb 13 05:15:55 2006] [notice] Child 2596: Child process is running
[Mon Feb 13 05:15:56 2006] [notice] Child 2596: Acquired the start mutex.
[Mon Feb 13 05:15:56 2006] [notice] Child 2596: Starting 250 worker threads.
[Mon Feb 13 06:40:37 2006] [warn] [client 212.95.252.16] mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed
[Mon Feb 13 06:49:23 2006] [error] [client 136.1.1.33] File does not exist: C:/Documents and Settings/jack malone/My Documents/My Website/css, referer: http://www.mcjeeves.net/~jack%20malone/STAY%20BAR.html
[Mon Feb 13 06:49:28 2006] [warn] [client 136.1.1.33] mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed
[Mon Feb 13 06:52:10 2006] [error] [client 136.1.1.33] File does not exist: C:/Documents and Settings/F1/My Documents/My Website/interaction_home.html, referer: http://www.mcjeeves.net/~f1/CalendarPage.html
[Mon Feb 13 06:52:20 2006] [warn] Server ran out of threads to serve requests. Consider raising the ThreadsPerChild setting
[Mon Feb 13 08:13:27 2006] [warn] [client 69.14.65.191] mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed
[Mon Feb 13 12:25:20 2006] [warn] [client 69.14.65.191] mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed
[Mon Feb 13 13:10:20 2006] [warn] [client 69.14.65.191] mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed
[Mon Feb 13 14:58:24 2006] [warn] [client 69.14.65.191] mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed
[Mon Feb 13 15:28:51 2006] [warn] [client 69.14.65.191] mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed
[Mon Feb 13 16:36:13 2006] [error] [client 216.145.14.142] File does not exist: F:/yellowdogs/robots.txt, referer: http://www.whois.sc/
[Mon Feb 13 16:36:14 2006] [warn] [client 216.145.14.142] mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed, referer: http://www.whois.sc/mcjeeves.net
[Mon Feb 13 17:13:13 2006] [error] [client 218.104.211.118] File does not exist: F:/yellowdogs/awstats
[Mon Feb 13 17:13:15 2006] [error] [client 218.104.211.118] File does not exist: F:/yellowdogs/cgi-bin
[Mon Feb 13 17:13:16 2006] [error] [client 218.104.211.118] File does not exist: F:/yellowdogs/cgi-bin
[Mon Feb 13 17:13:19 2006] [error] [client 218.104.211.118] File does not exist: F:/yellowdogs/blog
[Mon Feb 13 17:13:19 2006] [error] [client 218.104.211.118] File does not exist: F:/yellowdogs/xmlrpc.php
[Mon Feb 13 17:13:21 2006] [error] [client 218.104.211.118] File does not exist: F:/yellowdogs/blog
[Mon Feb 13 17:13:22 2006] [error] [client 218.104.211.118] File does not exist: F:/yellowdogs/blogs
[Mon Feb 13 17:13:23 2006] [error] [client 218.104.211.118] File does not exist: F:/yellowdogs/drupal
[Mon Feb 13 17:13:26 2006] [error] [client 218.104.211.118] File does not exist: F:/yellowdogs/phpgroupware
[Mon Feb 13 17:13:26 2006] [error] [client 218.104.211.118] File does not exist: F:/yellowdogs/wordpress
[Mon Feb 13 17:13:27 2006] [error] [client 218.104.211.118] File does not exist: F:/yellowdogs/xmlrpc.php
[Mon Feb 13 17:13:30 2006] [error] [client 218.104.211.118] File does not exist: F:/yellowdogs/xmlsrv
[Mon Feb 13 17:13:30 2006] [error] [client 218.104.211.118] File does not exist: F:/yellowdogs/xmlrpc

[Somefilename]

Check Google for some vulnerabilities that could affect your server. See the Solution section and update your server.

[SirDice]

You can have the latest apache, firewalls and what not.. But if the website itself is vulnerable...
Can't really tell what's happening from the log you posted..

[brokencrow]

You check for trojans, worms and viruses? I'd shake that thing down for any RATS first.

[morganlefay]

The title of this threas is "hacked again"

So the previous time you were hacked.....what did you do to resolve it???

Because something may have been left behind which is allowing access again to your "server"...

Best practice for a server that has been compromised is to backup data only format\reinstall\rebuild........and to confirm that the data you restore is malware free

This has many documents on securing your machine and detecting\recovering from an attack.

http://www.us-cert.gov/reading_room/

MLF

[whatthe]

Did you change your usernames and passwords after you were hacked last time? If not, you probably left your keys hanging in your front door.

[madaxe]

hi all

i ahve cleanned my machine and installed norton internet security this is keeping them at bay however they are now doing denial of service attacks on my router how do i stop this

Madaxe
alittle happier than last time

[morganlefay]

Send your router logs to your isp...They may be able to help??

Depends on your router what you can do on your end?

MLF