fresh install http errors

computerlady911 (Verified User, joined Mar 12, 2006, 64 messages)
I just did a fresh install last week. I do not have any users or domains set up on this server yet.

I did install the ELS script, but that is all.
OS: CentOS 4.4.

I am getting hundreds of these messages in the httpd error_log:

Code:
[Fri Feb 16 12:19:07 2007] [error] [client 69.242.1.59] File does not exist: /var/www/html/trustm3now
[Fri Feb 16 12:19:13 2007] [error] [client 196.206.177.20] File does not exist: /var/www/html/trustm3now
[Fri Feb 16 12:19:19 2007] [error] [client 24.154.208.190] File does not exist: /var/www/html/trustm3now
[Fri Feb 16 12:19:19 2007] [error] [client 71.53.245.76] File does not exist: /var/www/html/trustm3now
[Fri Feb 16 12:19:21 2007] [error] [client 190.42.61.211] File does not exist: /var/www/html/trustm3now
[Fri Feb 16 12:19:25 2007] [error] [client 24.208.223.73] File does not exist: /var/www/html/trustm3now
[Fri Feb 16 12:19:42 2007] [error] [client 62.234.119.121] File does not exist: /var/www/html/trustm3now
[Fri Feb 16 12:19:45 2007] [error] [client 69.242.211.76] File does not exist: /var/www/html/trustm3now
[Fri Feb 16 12:19:45 2007] [error] [client 74.114.118.159] File does not exist: /var/www/html/trustm3now
[Fri Feb 16 12:19:59 2007] [error] [client 80.100.155.254] File does not exist: /var/www/html/trustm3now
[Fri Feb 16 12:20:05 2007] [error] [client 209.12.5.114] File does not exist: /var/www/html/trustm3now
[Fri Feb 16 12:20:11 2007] [error] [client 71.80.7.183] File does not exist: /var/www/html/trustm3now
[Fri Feb 16 12:20:11 2007] [error] [client 66.32.8.115] File does not exist: /var/www/html/trustm3now
[Fri Feb 16 12:20:17 2007] [error] [client 90.19.142.218] File does not exist: /var/www/html/trustm3now
[Fri Feb 16 12:20:21 2007] [error] [client 84.196.38.237] File does not exist: /var/www/html/trustm3now
[Fri Feb 16 12:20:23 2007] [error] [client 66.191.163.59] File does not exist: /var/www/html/trustm3now
[Fri Feb 16 12:20:25 2007] [error] [client 74.12.106.72] File does not exist: /var/www/html/trustm3now
[Fri Feb 16 12:20:33 2007] [error] [client 12.109.107.196] File does not exist: /var/www/html/trustm3now

I have hundreds of these in my httpd access_log:
Code:
81.244.76.204 - - [16/Feb/2007:12:25:56 -0800] "POST /trustm3now/getpr0n.php HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
84.29.142.190 - - [16/Feb/2007:12:26:01 -0800] "POST /trustm3now/getpr0n.php HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
87.126.110.180 - - [16/Feb/2007:12:26:02 -0800] "POST /trustm3now/getpr0n.php HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
67.33.141.168 - - [16/Feb/2007:12:26:06 -0800] "POST /trustm3now/getpr0n.php HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.160.17.150 - - [16/Feb/2007:12:26:11 -0800] "POST /trustm3now/getpr0n.php HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
80.4.224.7 - - [16/Feb/2007:12:26:13 -0800] "POST /trustm3now/getpr0n.php HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.153.88.63 - - [16/Feb/2007:12:26:13 -0800] "POST /trustm3now/getpr0n.php HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
76.16.252.233 - - [16/Feb/2007:12:26:29 -0800] "POST /trustm3now/getpr0n.php HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
83.3.88.180 - - [16/Feb/2007:12:26:31 -0800] "POST /trustm3now/getpr0n.php HTTP/1.0" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
195.229.242.84 - - [16/Feb/2007:12:26:34 -0800] "POST /trustm3now/getpr0n.php HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
201.194.15.126 - - [16/Feb/2007:12:26:36 -0800] "POST /trustm3now/getpr0n.php HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
84.69.168.34 - - [16/Feb/2007:12:26:38 -0800] "POST /trustm3now/getpr0n.php HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

What does this mean?
 
Has someone hijacked the server while you were setting it up?

Having said that, the file / folder doesn't exist, so I don't think it's anything to worry about.

To be on the safe side, take a trip to here [if you haven't, or the script hasn't installed it already] and see what this says after updating it.

Regards
Nath.
 
That is what I am thinking. True that the file is not there, but so many attempts are making my server very busy. I just stopped the HTTPD for now, since no sites are installed.

Where did you think I should take a trip to?
 
lol whoops - forgot to post the link there, didn't I? lol

http://www.rootkit.nl/projects/rootkit_hunter.html

Try downloading that on the server using wget, unpacking it, and installing it - then running it with:

rkhunter --update

and then try it out using something like:

rkhunter -c --createlogfile -sk

[drop the -sk if you want a "press any key" style prompt at certain stages :)]

regards :)
Nath
 
Also, to be safe, run a
Code:
netstat -ap
and go through the items it produces to see if there might be anything odd listening for a connection on the computer.
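Going through a long netstat listing by eye is error-prone, so here is a small triage script, added for this thread and not part of the original posts, that parses `netstat -ap` output and reports two things: programs listening that are not on an allowlist of services the box is expected to run, and allowlisted programs bound to every interface (`*`), which are the sockets actually reachable from the internet. The sample output is constructed from a subset of the lines posted in this thread; `EXPECTED_PROGRAMS` is an assumption about what a fresh DirectAdmin host should expose and is meant to be edited.

```python
"""Triage `netstat -ap` output: list listening sockets and flag the ones that
are not on an allowlist of expected services or are bound to every interface.

Added example for this thread (not code from the original posts). The sample
output is constructed from lines posted above; EXPECTED_PROGRAMS is an
assumption about what a fresh DirectAdmin host should be running.
"""
import re
import sys
from collections import namedtuple

Listener = namedtuple("Listener", "proto local port pid program")

# Constructed sample: a subset of the `netstat -ap` output posted in the thread.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 *:submission                *:*                         LISTEN      2467/exim
tcp        0      0 *:2222                      *:*                         LISTEN      19429/directadmin
tcp        0      0 *:sunrpc                    *:*                         LISTEN      2241/portmap
tcp        0      0 localhost.localdomain:ipp   *:*                         LISTEN      2391/cupsd
tcp        0      0 *:ftp                       *:*                         LISTEN      2508/proftpd: (acce
tcp        0      0 *:32022                     *:*                         LISTEN      9385/sshd
tcp        0     52 ns1.control8.com:32022      adsl-71-140-238-241.d:60425 ESTABLISHED 15840/1
udp        0      0 *:ipp                       *:*                                     2391/cupsd
udp        0      0 *:sunrpc                    *:*                                     2241/portmap
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     7447   2863/gdm-binary     /tmp/.gdm_socket
"""

# Assumed allowlist: services a freshly installed DirectAdmin box is expected
# to expose. Anything else accepting traffic deserves a second look.
EXPECTED_PROGRAMS = {"exim", "directadmin", "sshd", "named", "proftpd",
                     "vm-pop3d", "xinetd"}

# One TCP/UDP line of `netstat -ap`. The state column is absent for UDP, so it
# is optional; netstat may truncate the program field ("proftpd: (acce").
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"
    r"(?P<pid>\d+|-)/?(?P<program>\S*)"
)


def parse_listeners(text):
    """Return a Listener for every socket that accepts traffic: TCP sockets in
    LISTEN state and every bound UDP socket (netstat prints no state for UDP)."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers and UNIX domain sockets
        if m.group("proto").startswith("tcp") and m.group("state") != "LISTEN":
            continue  # established or closing connections are not listeners
        host, _, port = m.group("local").rpartition(":")
        listeners.append(Listener(m.group("proto"), host, port, m.group("pid"),
                                  m.group("program").rstrip(":")))
    return listeners


def triage(listeners, expected=EXPECTED_PROGRAMS):
    """Split listeners into (unexpected, exposed): programs not on the allowlist,
    and allowlisted programs bound to all interfaces ('*'), i.e. the ones that
    are reachable from outside and should each have a reason to be there."""
    unexpected = [l for l in listeners if l.program not in expected]
    exposed = [l for l in listeners if l.program in expected and l.local == "*"]
    return unexpected, exposed


if __name__ == "__main__":
    # Usage: netstat -ap | python netstat_triage.py   (falls back to the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    unexpected, exposed = triage(parse_listeners(text))
    for l in unexpected:
        print("UNEXPECTED %-4s %s:%s pid %s (%s)" % (l.proto, l.local, l.port, l.pid, l.program))
    for l in exposed:
        print("EXPOSED    %-4s *:%s pid %s (%s)" % (l.proto, l.port, l.pid, l.program))
```

On the sample it reports portmap and cupsd as unexpected (neither has a job on a web/mail host, and cupsd is only on localhost for TCP but on `*` for UDP), and exim, directadmin, proftpd and sshd as the services actually exposed to the internet. Run it as root so netstat can fill in the PID/Program column; otherwise that field shows `-` and the allowlist check cannot work.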
 
Results:
Code:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 *:submission                *:*                         LISTEN      2467/exim
tcp        0      0 *:747                       *:*                         LISTEN      2261/rpc.statd
tcp        0      0 *:2222                      *:*                         LISTEN      19429/directadmin
tcp        0      0 *:pop3                      *:*                         LISTEN      2519/vm-pop3d
tcp        0      0 *:imap                      *:*                         LISTEN      2437/xinetd
tcp        0      0 *:sunrpc                    *:*                         LISTEN      2241/portmap
tcp        0      0 192.168.0.3:domain          *:*                         LISTEN      22382/named
tcp        0      0 ns1.control8.com:domain     *:*                         LISTEN      22382/named
tcp        0      0 localhost.localdomai:domain *:*                         LISTEN      22382/named
tcp        0      0 *:ftp                       *:*                         LISTEN      2508/proftpd: (acce
tcp        0      0 localhost.localdomain:ipp   *:*                         LISTEN      2391/cupsd
tcp        0      0 localhost.localdomain:rndc  *:*                         LISTEN      22382/named
tcp        0      0 *:smtp                      *:*                         LISTEN      2467/exim
tcp        0      0 *:32022                     *:*                         LISTEN      9385/sshd
tcp        0      0 ::1:rndc                    *:*                         LISTEN      22382/named
tcp        0     52 ns1.control8.com:32022      adsl-71-140-238-241.d:60425 ESTABLISHED 15840/1
udp        0      0 192.168.0.3:domain          *:*                                     22382/named
udp        0      0 ns1.control8.com:domain     *:*                                     22382/named
udp        0      0 localhost.locald:domain     *:*                                     22382/named
udp        0      0 *:32982                     *:*                                     22382/named
udp        0      0 *:741                       *:*                                     2261/rpc.statd
udp        0      0 *:744                       *:*                                     2261/rpc.statd
udp        0      0 *:sunrpc                    *:*                                     2241/portmap
udp        0      0 *:ipp                       *:*                                     2391/cupsd
udp        0      0 *:32983                     *:*                                     22382/named
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     5463   2575/xfs            /tmp/.font-unix/fs7100
unix  2      [ ACC ]     STREAM     LISTENING     7447   2863/gdm-binary     /tmp/.gdm_socket
unix  2      [ ACC ]     STREAM     LISTENING     7549   3499/X              /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     51162  9845/mysqld         /var/lib/mysql/mysql.sock
unix  2      [ ]         DGRAM                    5718   2634/hald           @/var/run/hal/hotplug_socket
unix  2      [ ACC ]     STREAM     LISTENING     5536   2613/dbus-daemon-1  /var/run/dbus/system_bus_socket
unix  2      [ ]         DGRAM                    2904   1329/udevd          @udevd
unix  8      [ ]         DGRAM                    4563   2214/syslogd        /dev/log
unix  2      [ ACC ]     STREAM     LISTENING     5104   2478/gpm            /dev/gpmctl
unix  2      [ ]         DGRAM                    314850 26946/netstat
unix  2      [ ]         DGRAM                    105355 22382/named
unix  3      [ ]         STREAM     CONNECTED     20190  3499/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     20189  5660/gdmgreeter
unix  3      [ ]         STREAM     CONNECTED     20188  3499/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     20187  5660/gdmgreeter
unix  3      [ ]         STREAM     CONNECTED     20174  2575/xfs            /tmp/.font-unix/fs7100
unix  3      [ ]         STREAM     CONNECTED     20173  3499/X
unix  3      [ ]         STREAM     CONNECTED     20175  3499/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     20166  3472/gdm-binary
unix  3      [ ]         STREAM     CONNECTED     20175  3499/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     20166  3472/gdm-binary
unix  2      [ ]         STREAM     CONNECTED     7561   3472/gdm-binary
unix  3      [ ]         STREAM     CONNECTED     5717   2613/dbus-daemon-1  /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     5716   2634/hald
unix  3      [ ]         STREAM     CONNECTED     5556   2613/dbus-daemon-1  /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     5555   2623/cups-config-da
unix  3      [ ]         STREAM     CONNECTED     5539   2613/dbus-daemon-1
unix  3      [ ]         STREAM     CONNECTED     5538   2613/dbus-daemon-1
unix  2      [ ]         DGRAM                    5251   2542/crond
unix  2      [ ]         DGRAM                    5103   2478/gpm
unix  2      [ ]         DGRAM                    5018   2437/xinetd
unix  3      [ ]         STREAM     CONNECTED     4754   2291/rpc.idmapd
unix  3      [ ]         STREAM     CONNECTED     4753   2291/rpc.idmapd
unix  2      [ ]         DGRAM                    4633   2261/rpc.statd
unix  2      [ ]         DGRAM                    4571   2218/klogd
 
Everything looks fine to me. The only thing I would say is to stop cupsd and disable it from starting up if you aren't using the server to print things. It has had vulnerabilities and it's best to avoid them if you don't need it. Same goes for the X11 programs: if you aren't using the GUI then there is no point in letting them run.
 
All those logfile entries mean is that someone is looking for that content on your server. The IP# may have been previously used for something else.

Jeff
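To back up Jeff's reading of the logs from the first post with numbers rather than eyeballing, here is a log triage script, added for this thread and not part of the original posts. It parses Apache combined-format access_log lines and error_log lines, then groups 404s by request path and counts distinct client addresses: one client hitting a missing file is a broken link, while many unrelated clients asking for the same file that never existed is a scanner or botnet probing for content it expects to find. The sample log lines are constructed from the entries posted in the thread plus two ordinary requests from an RFC 5737 documentation address for contrast.

```python
"""Summarise Apache access_log and error_log entries to tell a probe campaign
apart from ordinary broken links.

Added example for this thread (not code from the original posts). The sample
log lines are constructed from the entries posted above, plus two ordinary
requests from 192.0.2.10 (a documentation address) for contrast.
"""
import re
import sys
from collections import Counter, defaultdict

SAMPLE_ACCESS_LOG = """\
81.244.76.204 - - [16/Feb/2007:12:25:56 -0800] "POST /trustm3now/getpr0n.php HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
84.29.142.190 - - [16/Feb/2007:12:26:01 -0800] "POST /trustm3now/getpr0n.php HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
87.126.110.180 - - [16/Feb/2007:12:26:02 -0800] "POST /trustm3now/getpr0n.php HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
83.3.88.180 - - [16/Feb/2007:12:26:31 -0800] "POST /trustm3now/getpr0n.php HTTP/1.0" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.10 - - [16/Feb/2007:12:26:40 -0800] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux)"
192.0.2.10 - - [16/Feb/2007:12:26:41 -0800] "GET /favicon.ico HTTP/1.1" 404 298 "-" "Mozilla/5.0 (X11; Linux)"
"""

SAMPLE_ERROR_LOG = """\
[Fri Feb 16 12:19:07 2007] [error] [client 69.242.1.59] File does not exist: /var/www/html/trustm3now
[Fri Feb 16 12:19:13 2007] [error] [client 196.206.177.20] File does not exist: /var/www/html/trustm3now
[Fri Feb 16 12:19:19 2007] [error] [client 24.154.208.190] File does not exist: /var/www/html/trustm3now
[Fri Feb 16 12:26:41 2007] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico
"""

# Apache "combined" LogFormat, the format of the access_log lines in the thread.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Apache 2.0-style error_log line: [timestamp] [level] [client ip] message
ERROR_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$'
)


def parse_access_log(text):
    """Return one dict per parseable combined-format line; skip anything else."""
    return [m.groupdict() for m in map(COMBINED_RE.match, text.splitlines()) if m]


def probe_campaigns(entries, min_clients=3):
    """Group 404 responses by (method, path) and return those requested by at
    least min_clients distinct IPs as (method, path, hits, distinct_clients),
    most widely requested first."""
    clients = defaultdict(set)
    hits = Counter()
    for e in entries:
        if e["status"] == "404":
            key = (e["method"], e["path"])
            clients[key].add(e["ip"])
            hits[key] += 1
    rows = [(m, p, hits[(m, p)], len(ips))
            for (m, p), ips in clients.items() if len(ips) >= min_clients]
    return sorted(rows, key=lambda r: (-r[3], -r[2]))


def missing_files(error_text):
    """From error_log, map each 'File does not exist' path to (hits, distinct clients)."""
    hits, clients = Counter(), defaultdict(set)
    for line in error_text.splitlines():
        m = ERROR_RE.match(line)
        if not m or not m.group("msg").startswith("File does not exist: "):
            continue
        path = m.group("msg").split(": ", 1)[1]
        hits[path] += 1
        clients[path].add(m.group("ip"))
    return {p: (hits[p], len(clients[p])) for p in hits}


if __name__ == "__main__":
    # Usage: python log_triage.py /var/log/httpd/access_log  (falls back to the sample)
    access = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ACCESS_LOG
    for method, path, hits, n in probe_campaigns(parse_access_log(access)):
        print("%-4s %-32s %5d hits from %d distinct clients" % (method, path, hits, n))
    for path, (hits, n) in missing_files(SAMPLE_ERROR_LOG).items():
        print("missing %-29s %5d hits from %d distinct clients" % (path, hits, n))
```

On the sample, `/trustm3now/getpr0n.php` comes back as four hits from four distinct addresses, all 404, while `/favicon.ico` is one client and drops out. The distinct-client count is the useful figure for deciding what to do: with hundreds of different addresses involved, as in the posted logs, blocking individual IPs achieves nothing, and since every request already ends in a cheap 404 there is no content at risk; the only cost is the load, which the `hits` column lets you size before deciding whether stopping httpd was warranted.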
 