- 04-22-2009 #11Linux Guru
- Join Date
- Apr 2009
- Location
- I can be found either 40 miles west of Chicago, or in a galaxy far, far away.
- Posts
- 8,974
If it only happens occasionally, then it is likely someone has input the wrong IP address, or host.domain name in their browser or web-enabled application.
Sometimes, real fast is almost as good as real time.
Just remember, Semper Gumbi - always be flexible!
- 04-23-2009 #12
Hi -
My stats show only the last 25 IP addresses... so it's difficult to detect the origin of the attack.
Here are a few other strange accesses to my site.
I don't have any PHP or ASP files... the site is just a pure HTML site.
cgi-sys/India
/path/index.php
/ocp-103/index.php
/(null)
//polynews//
//modules/Forums/admin/admin_users.php
/suskun.htm
/phpmyadmin/index.php
phpmyadmin/z9v8index.php
/ccTiddly/index.php
//init.php
//CMD.TXT
/backend/fm-releases-global.xml
/cpanelf
/cpenal
/_vti_bin/owssvr.dll
/MSOffice/cltreq.asp
Does this suggest someone really tried to hack my site?
- Lakshmipathi.G
-------------------
FOSS India Award winning ext3fs Undelete tool and tutorials www.giis.co.in
First they criticize you,Then they laugh at you,Then they fight with you,Then you win. - M.K.Gandhi
-------------------
- 04-23-2009 #13Linux Guru
As suggested previously I4ever, this is probably the result of some sort of web crawler. Add the robots.txt entries to your system. It may not eliminate them, but it will reduce their occurrences. In any case, I don't see anything that would be too suspicious in these attempted accesses. A web site is kind of like an open house in that anyone can go there, and they can look into any room that isn't locked. Sometimes when I am on a site and I am looking for something in particular, I will either try to access the directory it is in, or I will try to access the file I am looking for directly. This is not intended to try and hack their systems, but doubtless their logs show something very similar to what you are seeing.
Sometimes, real fast is almost as good as real time.
Just remember, Semper Gumbi - always be flexible!
- 05-18-2009 #14
I get these all the time, whether apache is running or not...
...my thought is that these are random (or rather systematic) scripted probes for known vulnerabilities. I think everyone gets them, and perhaps that non-assigned (empty or off-line) IP's also get them.
You are just one in a long list of IP's who get targeted, and I wouldn't worry too much about it.
Here's (part of) mine, without source IP's:
Code:
- [03/May/2009:14:22:48 +0200] "GET /roundcube/index.php HTTP/1.1" 404 485
- [03/May/2009:14:22:48 +0200] "GET /webmail/index.php HTTP/1.1" 404 485
- [03/May/2009:14:22:48 +0200] "GET /index.php HTTP/1.1" 404 485
- [03/May/2009:14:22:48 +0200] "GET /mail/index.php HTTP/1.1" 404 485
- [08/May/2009:21:48:07 +0200] "GET /admin/phpmyadmin/main.php HTTP/1.0" 404 485
- [08/May/2009:21:48:07 +0200] "GET /admin/phpMyAdmin/main.php HTTP/1.0" 404 485
- [08/May/2009:21:48:07 +0200] "GET /admin/sysadmin/main.php HTTP/1.0" 404 485
- [08/May/2009:21:48:07 +0200] "GET /admin/sqladmin/main.php HTTP/1.0" 404 485
- [08/May/2009:21:48:08 +0200] "GET /admin/db/main.php HTTP/1.0" 404 485
- [08/May/2009:21:48:08 +0200] "GET /admin/web/main.php HTTP/1.0" 404 485
- [08/May/2009:21:48:08 +0200] "GET /admin/pMA/main.php HTTP/1.0" 404 485
- [09/May/2009:08:13:06 +0200] "GET /wordtrans/index.html HTTP/1.1" 404 485
- [09/May/2009:08:13:06 +0200] "GET /wordtrans/index.php HTTP/1.1" 404 485
- [09/May/2009:09:44:47 +0200] "GET //README HTTP/1.1" 404 485
- [09/May/2009:09:44:47 +0200] "GET /horde//README HTTP/1.1" 404 485
- [09/May/2009:09:44:48 +0200] "GET /horde2//README HTTP/1.1" 404 485
- [09/May/2009:09:44:48 +0200] "GET /horde3//README HTTP/1.1" 404 485
- [09/May/2009:09:44:48 +0200] "GET /horde-3.0.9//README HTTP/1.1" 404 485
- [09/May/2009:09:44:48 +0200] "GET /Horde//README HTTP/1.1" 404 485
- [10/May/2009:02:23:04 +0200] "GET /README.txt HTTP/1.1" 404 485
- [10/May/2009:02:23:04 +0200] "GET /moodle/README.txt HTTP/1.1" 404 485
- [10/May/2009:10:50:03 +0200] "GET //user/templates/footer.tpl HTTP/1.1" 404 485
- [11/May/2009:00:52:49 +0200] "GET //user/templates/footer.tpl HTTP/1.1" 404 485
- [11/May/2009:02:46:29 +0200] "GET /appserv/main.php?appserv_root=http://217.73.17.133/pristupy/penati/usage_220801.html?& HTTP/1.1" 404 485
- [11/May/2009:07:15:51 +0200] "GET /typo3conf/index.html HTTP/1.1" 404 485
- [11/May/2009:07:19:16 +0200] "GET /appserv/main.php?appserv_root=http://217.73.17.133/pristupy/penati/usage_220801.html?& HTTP/1.1" 404 485
- [11/May/2009:09:47:05 +0200] "GET //user/templates/footer.tpl HTTP/1.1" 404 485
- [13/May/2009:19:19:42 +0200] "GET /user/soapCaller.bs HTTP/1.1" 404 485
- [14/May/2009:15:05:22 +0200] "GET /wordtrans/index.html HTTP/1.1" 404 485
- [14/May/2009:15:05:22 +0200] "GET /wordtrans/index.php HTTP/1.1" 404 485
- [15/May/2009:11:11:06 +0200] "GET /wordtrans/index.html HTTP/1.1" 404 485
- [15/May/2009:11:11:06 +0200] "GET /wordtrans/index.php HTTP/1.1" 404 485
- [16/May/2009:18:19:03 +0200] "GET /user/soapCaller.bs HTTP/1.1" 404 485
- [18/May/2009:10:12:30 +0200] "GET http://www.cavanmuseum.ie/images/Cursing-Stones.jpg HTTP/1.1" 404 485
- [18/May/2009:10:27:04 +0200] "GET /user/soapCaller.bs HTTP/1.1" 404 485
As you see, all of them are 404, and have nothing to do with whatever it is I am running.
Can't tell an OS by its GUI
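The triage the post above does by eye, as an added example that is not part of the original thread: it parses access-log lines in the format shown (source IPs already stripped), labels each request target by probe type, and finds bursts of 404s that arrive within seconds of each other. The function names, the 2-second window and the 3-hit threshold are assumptions chosen for illustration; because the sample has no source IPs, bursts are grouped by time only.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Lines copied from the post above (source IPs were already removed there).
SAMPLE = '''\
- [08/May/2009:21:48:07 +0200] "GET /admin/phpmyadmin/main.php HTTP/1.0" 404 485
- [08/May/2009:21:48:07 +0200] "GET /admin/sysadmin/main.php HTTP/1.0" 404 485
- [08/May/2009:21:48:08 +0200] "GET /admin/db/main.php HTTP/1.0" 404 485
- [11/May/2009:02:46:29 +0200] "GET /appserv/main.php?appserv_root=http://217.73.17.133/pristupy/penati/usage_220801.html?& HTTP/1.1" 404 485
- [18/May/2009:10:12:30 +0200] "GET http://www.cavanmuseum.ie/images/Cursing-Stones.jpg HTTP/1.1" 404 485
'''

LINE = re.compile(r'\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+')

def parse(text):
    """Yield (timestamp, target, status) for every line that matches."""
    for m in map(LINE.search, text.splitlines()):
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m["target"], int(m["status"])

def classify(target):
    """Label a request target by what kind of probe it looks like."""
    if re.match(r"(?i)https?://", target):
        return "proxy-probe"          # absolute URI: checks for an open proxy
    if re.search(r"(?i)=(https?|ftp)://", urlsplit(target).query):
        return "remote-include"       # a parameter carrying a remote URL
    return "path-guess"               # request for a well-known application path

def bursts(events, window=timedelta(seconds=2), min_hits=3):
    """Group 404s whose gaps are <= window; keep runs of min_hits or more."""
    runs, run = [], []
    for ts, target, status in sorted(e for e in events if e[2] == 404):
        if run and ts - run[-1][0] > window:
            runs.append(run)
            run = []
        run.append((ts, target, status))
    runs.append(run)
    return [r for r in runs if len(r) >= min_hits]

def summarize(text):
    events = list(parse(text))
    return Counter(classify(t) for _, t, _ in events), bursts(events)

if __name__ == "__main__":
    kinds, runs = summarize(SAMPLE)
    print(dict(kinds), [len(r) for r in runs])
```

A "path-guess" or "remote-include" that returns anything other than 404 is the line worth a closer look, since it means the requested path exists on the server.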
- 05-18-2009 #15Linux Guru
Sometimes, real fast is almost as good as real time.
Just remember, Semper Gumbi - always be flexible!
- 05-19-2009 #16
I didn't verify my HTML code; I'll check the HTML for any clues about this....
I got a clear feeling somebody tried to play with my site; entries like this
clearly show someone tried to gain admin access or backend database:
//modules/Forums/admin/admin_users.php
/phpmyadmin/index.php
- Lakshmipathi.G
-------------------
FOSS India Award winning ext3fs Undelete tool and tutorials www.giis.co.in
First they criticize you,Then they laugh at you,Then they fight with you,Then you win. - M.K.Gandhi
-------------------
- 05-19-2009 #17Linux Guru
First they laugh at you, then they laugh some more, then they roll on the floor laughing, then they all die laughing. - The Three Stooges
First they criticize you,Then they laugh at you,Then they fight with you,Then you win. - M.K.Gandhi
Sometimes, real fast is almost as good as real time.
Just remember, Semper Gumbi - always be flexible!
- 05-19-2009 #18
Well, that doesn't implement today's date.
It's something more like this.
First they criticize you,Then they laugh at you, Then they fight with you, Then you turn GodMode on X_X


