Tracking down HTTP requests made from my server

itsensellc

Verified User
Joined
Jul 15, 2005
Messages
53
An abuse ticket was opened against my server yesterday because someone complained about HTTP requests originating from my server:

----
75.125.179.34 - - [14/Jan/2009:16:39:02 +0000] "GET /blog/xmlrpc.php HTTP/1.0" 404 25 "-"""
75.125.179.34 - - [14/Jan/2009:16:39:02 +0000] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 25 "-"""
75.125.179.34 - - [14/Jan/2009:16:39:01 +0000] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 25 "-"""
75.125.179.34 - - [14/Jan/2009:16:39:01 +0000] "GET /xmlrpc.php HTTP/1.0" 404 25 "-"""
75.125.179.34 - - [14/Jan/2009:16:39:01 +0000] "GET /ads/adxmlrpc.php HTTP/1.0" 404 25 "-"""
75.125.179.34 - - [14/Jan/2009:16:39:01 +0000] "GET /Ads/adxmlrpc.php HTTP/1.0" 404 25 "-"""
75.125.179.34 - - [14/Jan/2009:16:39:01 +0000] "GET /phpads/adxmlrpc.php HTTP/1.0" 404 25 "-"""
75.125.179.34 - - [14/Jan/2009:16:39:00 +0000] "GET /phpadsnew/adxmlrpc.php HTTP/1.0" 404 25 "-"""
75.125.179.34 - - [14/Jan/2009:16:39:00 +0000] "GET /phpAdsNew/adxmlrpc.php HTTP/1.0" 404 25 "-"""
75.125.179.34 - - [14/Jan/2009:16:39:00 +0000] "GET /adserver/adxmlrpc.php HTTP/1.0" 404 25 "-"""

75.125.179.34 - - [14/Jan/2009:17:51:18 +0000] "GET /blog/xmlrpc.php HTTP/1.0" 404 25 "-"""
---

I know what this is, but the problem is I don't know where on my server it originated from or how to stop it. I'm hoping I can get some advice on where to look.

I just took Roundcube off today, (0.2 stable) because I know it was formerly being used to launch IRC bots. I'm not sure if that was the source, but I am going on the assumption it's possible but I need more information.

Any help would be much appreciated.
 
These are the logs that were sent to you from the victim?

You have to know the victim's domain or ip address.
 
These are the logs that were sent to you from the victim?

You have to know the victim's domain or ip address.

No this is from the victim's server logs. I do know both the destination domain and IP address. But I do not see how that benefits me. I've tried to search against the system with both pieces of info but nothing has really come up.
 
itsensellc said:
These are the logs that were sent to you from the victim?
No this is from the victim's server logs.

Then it IS the logs from the victim. The answer is not NO.

itsensellc said:
But I do not see how that benefits me.

And that is why you are here.

If you know the domain or ip address that was attacked then you can search your own logs for that because it might be in a query string of some sort.
 
Sorry you're right - that was a bit of a malformed reply on my part! My head is in 20 places right now.

That is exactly what I did - I searched my logs, user's scripts, etc. based on the IP and the hostname and I have not found traces of either. And depending on how or what they exploited I just never may. A needle in a haystack seems a lot more possible at this point :)
 
Good and bad news. I just found this running:

apache 6028 1.5 1.6 39704 17572 ? D 12:20 0:00 /usr/bin/perl ./plesk 91.192.100.125 8443 pass
apache 6029 1.0 1.8 39704 18864 ? D 12:20 0:00 /usr/bin/perl ./plesk 91.192.100.15 8443 pass
apache 6030 1.3 1.8 39704 19448 ? D 12:20 0:00 /usr/bin/perl ./plesk 91.192.100.16 8443 pass
apache 6031 0.8 1.5 39700 16076 ? D 12:20 0:00 /usr/bin/perl ./plesk 91.192.108.150 8443 pass
apache 6032 0.8 1.8 39704 18772 ? D 12:20 0:00 /usr/bin/perl ./plesk 91.192.108.151 8443 pass
apache 6033 0.6 0.3 39588 3352 ? D 12:20 0:00 /usr/bin/perl ./plesk 91.192.108.152 8443 pass
apache 6034 0.9 1.9 39700 19732 ? D 12:20 0:00 /usr/bin/perl ./plesk 91.192.108.153 8443 pass
apache 6035 0.7 1.8 39708 19136 ? D 12:20 0:00 /usr/bin/perl ./plesk 91.192.108.154 8443 pass
apache 6036 0.6 1.5 39704 16520 ? D 12:20 0:00 /usr/bin/perl ./plesk 91.192.108.95 8443 pass
apache 6037 0.7 1.8 39700 19268 ? D 12:20 0:00 /usr/bin/perl ./plesk 91.192.110.27 8443 pass
apache 6038 1.1 1.7 39700 18428 ? D 12:20 0:00 /usr/bin/perl ./plesk 91.192.174.38 8443 pass
apache 6039 0.6 1.5 39592 16100 ? D 12:20 0:00 /usr/bin/perl ./plesk 91.192.18.241 8443 pass
apache 6040 0.3 0.3 32024 3732 ? D 12:20 0:00 /usr/bin/perl ./plesk 91.192.188.110 8443 pass
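As an added example that is not part of this thread: a small POSIX shell script implementing the two checks discussed above, searching the access-log request field for the victim's address (the "query string" suggestion) and listing the working directory and executable of every process owned by the web-server user, which is how you find where a file like ./plesk actually lives. The log lines, hostname and IPs in it are constructed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Two defender-side checks:
#  1) search web-server logs for the victim's IP/host inside the request field,
#     since a script being driven over HTTP often takes its target as a parameter;
#  2) for each process owned by the web-server user, print pid, cwd, exe and
#     cmdline from /proc, so "./plesk" resolves to a real path you can remove.

# Constructed sample access log; "victim.example" and 192.0.2.10 are placeholders.
SAMPLE_LOG=$(cat <<'EOF'
10.0.0.5 - - [14/Jan/2009:12:19:58 +0000] "GET /index.php HTTP/1.1" 200 512 "-"
10.0.0.9 - - [14/Jan/2009:12:20:01 +0000] "GET /tmp/sh.php?h=victim.example&p=8443 HTTP/1.1" 200 13 "-"
10.0.0.9 - - [14/Jan/2009:12:20:02 +0000] "POST /cmd.php?t=192.0.2.10 HTTP/1.1" 200 13 "-"
EOF
)

# find_target_in_log TARGET < log
# Prints only lines whose request field (text between the first pair of double
# quotes) mentions TARGET; the client IP in field 1 is deliberately ignored.
find_target_in_log() {
  awk -v t="$1" -F'"' 'index($2, t) > 0 { print }'
}

# count_target_hits TARGET < log -> number of matching lines
count_target_hits() {
  find_target_in_log "$1" | wc -l | tr -d ' '
}

# list_user_procs USER -> one line per process: pid, cwd, exe, cmdline (Linux /proc).
# Run as root; a cwd under /tmp, /var/tmp or a vhost upload directory is the clue.
list_user_procs() {
  for pid in $(ps -o pid= -u "$1" 2>/dev/null); do
    printf '%s\t%s\t%s\t%s\n' "$pid" \
      "$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')" \
      "$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')" \
      "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
  done
}

# Usage: run the log check on the sample, then (as root only) the live process listing.
printf '%s\n' "$SAMPLE_LOG" | find_target_in_log victim.example
[ "$(id -u)" -eq 0 ] && list_user_procs apache
```

On a live box, replace the sample with `cat /var/log/httpd/*access_log* | find_target_in_log <victim>` and check the cwd column for any directory the web user should not be writing scripts into.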
 