
Hacking website



bclancey
07-20-2004, 08:27 AM
I found the following entries in my Apache weblogs:

218.47.93.60 - - [20/Jul/2004:11:08:20 -0400] "POST /stat/news/2003/2/34826.phtml HTTP/1.0" 401 5402 "http://www.statpub.com/stat/news/2003/2/index.html" "Mozilla/4.0 (compatible; MSIE 6.0; Win32)"
218.47.93.60 - - [20/Jul/2004:11:08:30 -0400] "POST /stat/news/2003/2/34826.phtml HTTP/1.0" 401 5402 "http://www.statpub.com/stat/news/2003/2/index.html" "Mozilla/4.0 (compatible; MSIE 6.0; Win32)"

These look to me like attempts to hack the website because "POST" is not the normal way to access articles and there is no index page at the location sought by the individual.

I am also troubled by the "401 5402", which suggests they succeeded in getting a page with 5402 bytes. The actual page "34826.phtml" is not this specific size when transmitted.

Has anyone seen this? Is there a way to figure out if this resulted in an intrusion?

thuskey
07-20-2004, 09:39 AM
You're probably right, someone is trying to get at data on your server without following the links that you provided.

The good news is, an error 401 means they didn't know the proper username and password, and the 5402 bytes that were served to them prove that your custom 401.shtml file is working just fine.
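
As an added example (not code from anyone in this thread), here is a small Python script that does the check the original post asks about: parse Apache combined-format log lines, count 401 responses per source IP, flag any IP that gets a 401 on a path and later a 2xx on that same path (which would mean the guessing eventually worked), and flag 401 responses whose byte count does not match the known size of the custom 401 page. The first two sample lines are the ones quoted in the post; the remaining lines are constructed for the example and use RFC 5737 documentation addresses. The expected size of the 401 page (5402) is taken from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format:
#   host ident authuser [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log. Lines 1-2 are quoted from the original post;
# the rest are made up for this example (192.0.2.0/24 is a documentation range).
SAMPLE_LOG = [
    '218.47.93.60 - - [20/Jul/2004:11:08:20 -0400] "POST /stat/news/2003/2/34826.phtml HTTP/1.0" 401 5402 "http://www.statpub.com/stat/news/2003/2/index.html" "Mozilla/4.0 (compatible; MSIE 6.0; Win32)"',
    '218.47.93.60 - - [20/Jul/2004:11:08:30 -0400] "POST /stat/news/2003/2/34826.phtml HTTP/1.0" 401 5402 "http://www.statpub.com/stat/news/2003/2/index.html" "Mozilla/4.0 (compatible; MSIE 6.0; Win32)"',
    '192.0.2.10 - - [20/Jul/2004:11:10:02 -0400] "GET /stat/news/2003/2/index.html HTTP/1.1" 200 8120 "-" "Mozilla/5.0 (X11; Linux)"',
    '192.0.2.77 - - [20/Jul/2004:11:12:11 -0400] "POST /stat/news/2003/2/34826.phtml HTTP/1.0" 401 5402 "-" "curl/7.12"',
    '192.0.2.77 - - [20/Jul/2004:11:12:12 -0400] "POST /stat/news/2003/2/34826.phtml HTTP/1.0" 401 5402 "-" "curl/7.12"',
    '192.0.2.77 - - [20/Jul/2004:11:12:13 -0400] "POST /stat/news/2003/2/34826.phtml HTTP/1.0" 401 5402 "-" "curl/7.12"',
    '192.0.2.77 - - [20/Jul/2004:11:12:14 -0400] "GET /stat/news/2003/2/34826.phtml HTTP/1.0" 200 11234 "-" "curl/7.12"',
    '192.0.2.33 - - [20/Jul/2004:11:15:40 -0400] "GET /stat/news/2003/2/34826.phtml HTTP/1.1" 401 4970 "-" "Mozilla/4.0"',
]


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["size"] = 0 if d["size"] == "-" else int(d["size"])
    d["time"] = datetime.strptime(d["time"], "%d/%b/%Y:%H:%M:%S %z")
    return d


def audit_auth(lines, error_page_size=None):
    """Summarise authentication activity in the given log lines.

    failures:  number of 401 responses per source IP
    escalated: (ip, path, time) where an IP got a 401 on a path and later a 2xx on it
    odd_sizes: 401 records whose size differs from the known 401 page size
    """
    failures = defaultdict(int)
    failed_paths = defaultdict(set)
    escalated, odd_sizes = [], []
    for line in lines:
        r = parse_line(line)
        if r is None:
            continue  # unparseable line; a real tool would count these too
        if r["status"] == 401:
            failures[r["ip"]] += 1
            failed_paths[r["ip"]].add(r["path"])
            if error_page_size is not None and r["size"] != error_page_size:
                odd_sizes.append(r)
        elif 200 <= r["status"] < 300 and r["path"] in failed_paths.get(r["ip"], set()):
            escalated.append((r["ip"], r["path"], r["time"]))
    return {"failures": dict(failures), "escalated": escalated, "odd_sizes": odd_sizes}


def suspicious_ips(result, threshold=2):
    """IPs with at least `threshold` 401s, most failures first."""
    return sorted((ip for ip, n in result["failures"].items() if n >= threshold),
                  key=lambda ip: -result["failures"][ip])


if __name__ == "__main__":
    res = audit_auth(SAMPLE_LOG, error_page_size=5402)
    for ip in suspicious_ips(res):
        print(f"{ip}: {res['failures'][ip]} x 401")
    for ip, path, t in res["escalated"]:
        print(f"LOOK AT THIS: {ip} got 2xx on {path} at {t:%H:%M:%S} after failing auth there")
    for r in res["odd_sizes"]:
        print(f"401 with unexpected size {r['size']} from {r['ip']} (expected 5402)")
```

The "escalated" list is the one that would actually answer the question "did this result in an intrusion": a 401 followed by a 200 from the same address on the same protected path is the signature of a guess that succeeded, whereas a run of 401s that simply stops (as with 218.47.93.60 above) is a failed attempt.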

a-arse
07-26-2004, 06:20 AM
Are you sure they didn't just mess up?
I visited the 'Referrer' site and you are prompted for a username and password.
Possibly this command could be reproduced when entering no username or password?

Whatever it is, I wouldn't be too worried.

bclancey
07-26-2004, 06:41 AM
I was thrown off by the fact it was an attempt to POST data to an article. The IP address of the incoming connection only had a couple of entries and the individual moved on. I dumbly missed the HTTP error code before making my original post.
I do not think it was an accident. It looks like it was just part of the general, ongoing effort people make to hack into websites.
Whenever I see these kinds of log entries it attracts my attention. I want to be certain there is not a subtle security problem with HTTP and other aspects of my company's website, which I have overlooked.