Hello,
I'm having some problems with phishing sites being uploaded to a few of my users' websites.
Checked the logs a bit and I noticed this:
Code:
129.25.29.158 - - [22/Sep/2010:00:10:14 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.0" 200 22426 "-" "Wget/1.11.4"
128.211.1.100 - - [22/Sep/2010:00:10:26 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.0" 200 22366 "-" "Wget/1.12 (linux-gnu)"
128.211.1.100 - - [22/Sep/2010:00:10:27 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr?cmd=_home-general&nav=0 HTTP/1.0" 301 727 "http://www.mitja.biz/Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0" "Wget/1.12 (linux-gnu)"
128.211.1.100 - - [22/Sep/2010:00:10:27 +0200] "HEAD /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.0" 200 214 "http://www.mitja.biz/Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0" "Wget/1.12 (linux-gnu)"
128.211.1.100 - - [22/Sep/2010:00:10:28 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.0" 200 22366 "http://www.mitja.biz/Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0" "Wget/1.12 (linux-gnu)"
128.211.1.100 - - [22/Sep/2010:00:10:28 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr?cmd=_home-customer&nav=1 HTTP/1.0" 301 730 "http://www.mitja.biz/Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0" "Wget/1.12 (linux-gnu)"
128.211.1.100 - - [22/Sep/2010:00:10:28 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-customer&nav=1 HTTP/1.0" 200 23338 "http://www.mitja.biz/Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0" "Wget/1.12 (linux-gnu)"
128.211.1.100 - - [22/Sep/2010:00:10:29 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/cgi-bin/webscr?cmd=_home-customer&nav=1 HTTP/1.0" 404 15928 "http://www.mitja.biz/Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-customer&nav=1" "Wget/1.12 (linux-gnu)"
66.77.136.153 - - [22/Sep/2010:00:13:21 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.0" 200 22366 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
129.25.29.158 - - [22/Sep/2010:00:17:19 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.0" 200 22426 "-" "Wget/1.11.4"
66.135.207.155 - - [22/Sep/2010:00:39:42 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22421 "-" "Mozilla/5.0 (compatible; Google Desktop) Paros/3.2.12"
66.113.102.253 - - [22/Sep/2010:00:49:37 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22840 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; MSN Companion 2.0; 800x600; Compaq)"
66.135.207.155 - - [22/Sep/2010:00:59:51 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22405 "-" "Mozilla/4.08 [en] (WinNT; U)"
66.249.66.228 - - [22/Sep/2010:01:26:17 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr?cmd=_home-general&nav=0 HTTP/1.1" 301 728 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
128.130.60.21 - - [22/Sep/2010:01:48:25 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.0" 200 22366 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
66.135.207.155 - - [22/Sep/2010:01:49:49 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22415 "-" "Mozilla/2.0 (compatible; MSIE 3.0B; Win32)"
66.113.102.253 - - [22/Sep/2010:01:50:05 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22415 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Mac_PowerPC; AtHome021)"
66.135.207.155 - - [22/Sep/2010:02:09:47 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22840 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
84.14.214.213 - - [22/Sep/2010:02:14:54 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 5883 "-" "Mozilla/9.876 (X11; U; Linux 2.2.12-20 i686, en) Gecko/25250101 Netscape/5.432b1"
84.14.214.210 - - [22/Sep/2010:02:19:51 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr HTTP/1.1" 301 639 "-" "lwp-request/2.07"
84.14.214.210 - - [22/Sep/2010:02:19:51 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/ HTTP/1.1" 200 296 "-" "lwp-request/2.07"
84.14.214.210 - - [22/Sep/2010:02:19:52 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin HTTP/1.1" 301 625 "-" "lwp-request/2.07"
84.14.214.210 - - [22/Sep/2010:02:19:52 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/ HTTP/1.1" 200 293 "-" "lwp-request/2.07"
149.20.54.135 - - [22/Sep/2010:02:23:21 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.0" 200 15346 "-" "Mozilla/5.0 (compatible; en-US)"
149.20.54.135 - - [22/Sep/2010:02:23:22 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.0" 200 22366 "-" "Mozilla/5.0 (compatible; en-US)"
66.135.207.155 - - [22/Sep/2010:02:29:49 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22421 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
149.20.54.135 - - [22/Sep/2010:02:48:36 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.0" 200 15769 "-" "Mozilla/5.0 (compatible; en-US)"
149.20.54.135 - - [22/Sep/2010:02:48:37 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.0" 200 22366 "-" "Mozilla/5.0 (compatible; en-US)"
66.113.102.253 - - [22/Sep/2010:02:50:33 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22422 "-" "JetBrains 3.1"
66.135.207.155 - - [22/Sep/2010:02:59:54 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22421 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
211.100.19.216 - - [22/Sep/2010:03:00:22 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22422 "-" "Wget/1.9+cvs-stable (Red Hat modified)"
66.249.66.228 - - [22/Sep/2010:03:03:50 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr?cmd=_home-customer&nav=1 HTTP/1.1" 301 730 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.66.228 - - [22/Sep/2010:03:03:51 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-customer&nav=1 HTTP/1.1" 200 5933 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.77.136.123 - - [22/Sep/2010:03:05:04 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/ HTTP/1.0" 200 257 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1) Gecko/20061129"
66.77.136.153 - - [22/Sep/2010:03:05:05 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr?cmd=_home-general&nav=0 HTTP/1.0" 301 728 "-" "Mozilla/2.0 (compatible; MSIE 3.0B; Win32)"
66.77.136.123 - - [22/Sep/2010:03:05:05 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.0" 200 22366 "-" "Opera/9.20 (Windows NT 6.0; U; en)"
130.117.93.225 - - [22/Sep/2010:03:08:37 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.0" 200 22366 "-" "Wget/1.10.2 (Red Hat modified)"
128.232.110.18 - - [22/Sep/2010:03:09:03 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 5920 "-" "Mozilla/4.0 (compatible MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
220.97.254.103 - - [22/Sep/2010:03:09:48 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/ HTTP/1.1" 200 383 "http://brantect.com/ph/main.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10"
220.97.254.103 - - [22/Sep/2010:03:09:48 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr?cmd=_home-general&nav=0 HTTP/1.1" 301 728 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10"
220.97.254.103 - - [22/Sep/2010:03:09:49 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 5919 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10"
66.77.136.153 - - [22/Sep/2010:03:15:43 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.0" 200 22366 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1) Gecko/20061129"
66.135.207.155 - - [22/Sep/2010:03:19:46 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22399 "-" "Mozilla/4.08 [en] (WinNT; U)"
149.20.54.135 - - [22/Sep/2010:03:24:13 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.0" 200 15928 "-" "Mozilla/5.0 (compatible; en-US)"
149.20.54.135 - - [22/Sep/2010:03:24:13 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.0" 200 22366 "-" "Mozilla/5.0 (compatible; en-US)"
66.135.207.155 - - [22/Sep/2010:03:39:46 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22413 "-" "Mozilla/4.08 [en] (WinNT; U)"
66.113.102.253 - - [22/Sep/2010:03:51:02 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22422 "-" "Mozilla/6.0 (compatible; MSIE 7.01; Windows 95)"
24.13.65.205 - - [22/Sep/2010:03:55:53 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/ HTTP/1.1" 200 383 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
24.13.65.205 - - [22/Sep/2010:03:55:53 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr?cmd=_home-general&nav=0 HTTP/1.1" 301 728 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
24.13.65.205 - - [22/Sep/2010:03:55:53 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 5919 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
118.168.70.153 - - [22/Sep/2010:03:59:10 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.0" 200 22366 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.135.207.155 - - [22/Sep/2010:03:59:49 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22840 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
66.135.207.155 - - [22/Sep/2010:04:19:45 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22422 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.135.207.155 - - [22/Sep/2010:04:39:43 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22415 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.113.102.253 - - [22/Sep/2010:04:51:39 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22415 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/106.2 (KHTML, like Gecko) Safari/100.1"
66.135.207.155 - - [22/Sep/2010:04:59:53 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22415 "-" "Mozilla/4.8 [en] (Windows NT 6.0; U)"
66.135.207.155 - - [22/Sep/2010:05:19:46 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22422 "-" "Mozilla/5.0 (compatible; Google Desktop) Paros/3.2.12"
66.135.207.155 - - [22/Sep/2010:05:39:44 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22437 "-" "Mozilla/5.0 (compatible; Google Desktop) Paros/3.2.12"
66.113.102.253 - - [22/Sep/2010:05:52:20 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22421 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; fr-fr) AppleWebKit/312.5 (KHTML, like Gecko) Safari/312.3"
66.135.207.155 - - [22/Sep/2010:05:59:58 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22840 "-" "Mozilla/2.0 (compatible; MSIE 3.0B; Win32)"
66.249.66.228 - - [22/Sep/2010:06:00:07 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/cgi-bin/webscr?cmd=_home-customer&nav=1 HTTP/1.1" 404 6088 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.77.136.153 - - [22/Sep/2010:06:03:27 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/ HTTP/1.0" 200 257 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
66.77.136.153 - - [22/Sep/2010:06:03:27 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr?cmd=_home-general&nav=0 HTTP/1.0" 301 728 "-" "Mozilla/2.0 (compatible; MSIE 3.0B; Win32)"
66.77.136.153 - - [22/Sep/2010:06:03:27 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.0" 200 22366 "-" "Mozilla/4.8 [en] (Windows NT 6.0; U)"
66.77.136.153 - - [22/Sep/2010:06:05:45 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/ HTTP/1.0" 200 241 "-" "Mozilla/4.08 [en] (WinNT; U)"
66.77.136.153 - - [22/Sep/2010:06:05:46 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr?cmd=_home-general&nav=0 HTTP/1.0" 301 728 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us)"
66.77.136.153 - - [22/Sep/2010:06:05:46 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.0" 200 22366 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1) Gecko/20061129"
216.244.65.108 - - [22/Sep/2010:06:09:42 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22422 "-" "Python-urllib/2.6"
68.71.52.20 - - [22/Sep/2010:06:12:56 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22415 "-" "Python-urllib/2.6"
66.77.136.153 - - [22/Sep/2010:06:18:26 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.0" 200 22366 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
66.135.207.155 - - [22/Sep/2010:06:19:50 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22415 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
66.249.66.228 - - [22/Sep/2010:06:29:50 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 5920 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.135.207.155 - - [22/Sep/2010:06:39:51 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22457 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
149.20.54.135 - - [22/Sep/2010:06:52:34 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.0" 200 14550 "-" "Mozilla/5.0 (compatible; en-US)"
149.20.54.135 - - [22/Sep/2010:06:52:35 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.0" 200 22366 "-" "Mozilla/5.0 (compatible; en-US)"
66.113.102.253 - - [22/Sep/2010:06:52:48 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22422 "-" "Mozilla/6.0 (compatible; MSIE 7.01; Windows NT)"
66.135.207.155 - - [22/Sep/2010:07:00:03 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22415 "-" "Mozilla/2.0 (compatible; MSIE 3.0B; Win32)"
66.135.207.155 - - [22/Sep/2010:07:19:51 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22421 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1) Gecko/20061129"
209.17.173.103 - - [22/Sep/2010:07:23:58 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22456 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"
66.135.207.155 - - [22/Sep/2010:07:39:50 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22421 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1) Gecko/20061129"
195.214.79.22 - - [22/Sep/2010:07:52:07 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.0" 200 22366 "-" "Mozilla/5.0 (compatible; en-US)"
66.113.102.253 - - [22/Sep/2010:07:52:59 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22415 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.0.1) Gecko/20060313 Fedora/1.5.0.1-9 Firefox/1.5.0.1 pango-text"
66.135.207.155 - - [22/Sep/2010:07:59:57 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22840 "-" "Mozilla/5.0 (compatible; Konqueror/2.2.2)"
66.135.207.155 - - [22/Sep/2010:08:19:54 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22414 "-" "Mozilla/4.8 [en] (Windows NT 6.0; U)"
66.135.207.155 - - [22/Sep/2010:08:39:48 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22422 "-" "Mozilla/5.0 (compatible; Google Desktop) Paros/3.2.12"
149.20.54.135 - - [22/Sep/2010:08:46:55 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.0" 200 12973 "-" "Mozilla/5.0 (compatible; en-US)"
149.20.54.135 - - [22/Sep/2010:08:46:56 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.0" 200 22366 "-" "Mozilla/5.0 (compatible; en-US)"
66.113.102.253 - - [22/Sep/2010:08:53:30 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22389 "-" "Mozilla/6.0 (Macintosh; U; Amiga-AWeb) Safari 2.9"
66.135.207.155 - - [22/Sep/2010:08:59:57 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22415 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.77.136.153 - - [22/Sep/2010:09:03:45 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/ HTTP/1.0" 200 257 "-" "Mozilla/2.0 (compatible; AOL 3.0; Mac_PowerPC)"
66.77.136.123 - - [22/Sep/2010:09:03:45 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr?cmd=_home-general&nav=0 HTTP/1.0" 301 728 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1) Gecko/20061129"
66.77.136.153 - - [22/Sep/2010:09:03:46 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.0" 200 22366 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.77.136.123 - - [22/Sep/2010:09:06:37 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/ HTTP/1.0" 200 314 "-" "Mozilla/4.8 [en] (Windows NT 6.0; U)"
66.77.136.123 - - [22/Sep/2010:09:06:37 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr?cmd=_home-general&nav=0 HTTP/1.0" 301 727 "-" "Mozilla/4.08 [en] (WinNT; U)"
66.77.136.153 - - [22/Sep/2010:09:06:38 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.0" 200 22426 "-" "Mozilla/5.0 (compatible; Konqueror/2.2.2)"
66.135.207.155 - - [22/Sep/2010:09:19:44 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22415 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1) Gecko/20061129"
66.77.136.153 - - [22/Sep/2010:09:21:43 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.0" 200 22366 "-" "Mozilla/2.0 (compatible; MSIE 3.0B; Win32)"
95.208.76.34 - - [22/Sep/2010:09:30:38 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 23163 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"
95.208.76.34 - - [22/Sep/2010:09:30:38 +0200] "GET /Userfiles/83617 HTTP/1.1" 404 21179 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"
95.208.76.34 - - [22/Sep/2010:09:30:38 +0200] "GET /Userfiles/83617C42 HTTP/1.1" 404 21182 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"
66.135.207.155 - - [22/Sep/2010:09:39:46 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22840 "-" "Opera/9.20 (Windows NT 6.0; U; en)"
66.113.102.253 - - [22/Sep/2010:09:54:21 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22389 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Mac_PowerPC)"
66.135.207.155 - - [22/Sep/2010:09:59:50 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 200 22421 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
193.2.1.232 - - [22/Sep/2010:09:59:53 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.0" 200 5920 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; WWTClient2)"
193.2.1.232 - - [22/Sep/2010:10:00:08 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr HTTP/1.0" 301 676 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; WWTClient2)"
193.2.1.232 - - [22/Sep/2010:10:00:08 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/ HTTP/1.0" 200 382 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; WWTClient2)"
193.2.1.232 - - [22/Sep/2010:10:00:08 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr?cmd=_home-general&nav=0 HTTP/1.0" 301 727 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; WWTClient2)"
193.2.1.232 - - [22/Sep/2010:10:00:08 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.0" 200 5919 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; WWTClient2)"
193.2.1.232 - - [22/Sep/2010:10:00:13 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/ HTTP/1.0" 200 381 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; WWTClient2)"
193.2.1.232 - - [22/Sep/2010:10:00:13 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr?cmd=_home-general&nav=0 HTTP/1.0" 301 727 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; WWTClient2)"
193.2.1.232 - - [22/Sep/2010:10:00:13 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.0" 200 5919 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; WWTClient2)"
193.2.1.232 - - [22/Sep/2010:10:00:16 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com HTTP/1.0" 301 646 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; WWTClient2)"
193.2.1.232 - - [22/Sep/2010:10:00:17 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/ HTTP/1.0" 403 506 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; WWTClient2)"
193.2.1.232 - - [22/Sep/2010:10:00:22 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/ HTTP/1.0" 403 499 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; WWTClient2)"
66.135.207.155 - - [22/Sep/2010:10:19:51 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 404 617 "-" "Mozilla/5.0 (compatible; Konqueror/2.2.2)"
93.103.199.233 - - [22/Sep/2010:10:21:45 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 404 654 "-" "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.6.30 Version/10.62"
93.103.199.233 - - [22/Sep/2010:10:21:57 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 404 654 "-" "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.6.30 Version/10.62"
193.2.1.232 - - [22/Sep/2010:10:23:25 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.0" 404 654 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; WWTClient2)"
193.2.1.168 - - [22/Sep/2010:10:24:01 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general HTTP/1.0" 404 654 "-" "Wget/1.12 (linux-gnu)"
209.126.190.35 - - [22/Sep/2010:10:30:28 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.0" 404 654 "-" "Opera/9.64 (Windows NT 5.1; U; en) Presto/2.1.1"
209.126.132.179 - - [22/Sep/2010:10:30:29 +0200] "GET /favicon.ico HTTP/1.0" 404 596 "http://www.mitja.biz/Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0" "Opera/9.64 (Windows NT 5.1; U; en) Presto/2.1.1"
216.113.168.139 - - [22/Sep/2010:10:30:36 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 404 654 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
66.135.207.155 - - [22/Sep/2010:10:39:46 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.1" 404 617 "-" "Mozilla/5.0 (compatible; Google Desktop) Paros/3.2.12"
66.77.136.153 - - [22/Sep/2010:10:39:47 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.0" 404 654 "-" "Mozilla/3.0 [en] (compatible; Win98; U)"
It seems the hacker somehow wgets the files to the home directory.
Is this the script's security fault? How do they do it and what to do to prevent it? It seems to be an old Joomla site (version from 2008) and as much as I tell the users to update their scripts there's always someone who doesn't.
I'm using the newest software from custombuild on Debian Lenny 5.x, suPHP, suEXEC and Apache 2.2.
I have disabled_functions:
apache_get_modules,apache_get_version,apache_getenv,apache_note,apache_setenv,disk_free_space,diskfreespace,dl,exec,highlight_file,ini_alter,ini_restore,openlog,passthru,phpinfo,popen,proc_nice,shell_exec,show_source,symlink,system,escapeshellarg,escapeshellcmd,proc_close
What am I missing here?
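The log quoted above is Apache's combined format. A GET that returns 200 only downloads the page, so the Wget, Python-urllib, lwp-request and Paros lines record clients fetching the already-hosted phishing page (the pattern anti-phishing scanners and takedown services produce), not the upload itself. If the kit was uploaded through the web server, the upload would be a POST or PUT (or a request to a vulnerable script) logged before the page was first fetched; an upload over FTP or with stolen SSH credentials would not appear in this log at all. The script below is an added example, not code from the post or from DirectAdmin or Joomla. It parses lines in this format, flags paths whose directory tree contains a hostname-like segment such as paypal.com under an upload directory, classifies the clients that fetched the page, and lists write requests logged before the first fetch. The first five sample lines are taken from the post's log (the favicon line's referrer dropped); the POST line is constructed with a placeholder path and a documentation-range IP. The regexes, user-agent lists and function names are assumptions of this example.

```python
import re
from collections import Counter
from datetime import datetime

# Apache "combined" log format, the format of the lines quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Non-browser clients seen in the post: command-line fetchers and scanners on one side,
# search-engine crawlers on the other. Assumed lists; extend them for your own logs.
FETCHER_RE = re.compile(r'Wget|Python-urllib|lwp-request|Paros|curl|libwww', re.I)
CRAWLER_RE = re.compile(r'Googlebot|bingbot|Slurp', re.I)
# A directory segment that looks like a hostname ("paypal.com") under an upload
# directory is the URL shape of a phishing kit mimicking a brand's site.
HOST_SEGMENT_RE = re.compile(r'^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$', re.I)
WRITE_METHODS = {'POST', 'PUT'}

# Sample input: the first five lines come from the post's log, the last one is a
# constructed POST with a placeholder path and a documentation-range IP (203.0.113.7).
SAMPLE_LOG = """\
129.25.29.158 - - [22/Sep/2010:00:10:14 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.0" 200 22426 "-" "Wget/1.11.4"
66.77.136.153 - - [22/Sep/2010:00:13:21 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr/?cmd=_home-general&nav=0 HTTP/1.0" 200 22366 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
66.249.66.228 - - [22/Sep/2010:01:26:17 +0200] "GET /Userfiles/83617C429A994E009BA0B6DFB9916156/paypal.com/cgi-bin/webscr?cmd=_home-general&nav=0 HTTP/1.1" 301 728 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
95.208.76.34 - - [22/Sep/2010:09:30:38 +0200] "GET /Userfiles/83617 HTTP/1.1" 404 21179 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"
209.126.132.179 - - [22/Sep/2010:10:30:29 +0200] "GET /favicon.ico HTTP/1.0" 404 596 "-" "Opera/9.64 (Windows NT 5.1; U; en) Presto/2.1.1"
203.0.113.7 - - [21/Sep/2010:23:58:02 +0200] "POST /PLACEHOLDER-upload-script.php HTTP/1.1" 200 312 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
""".splitlines()


def parse_line(line):
    """Parse one combined-format line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['time'] = datetime.strptime(rec['time'], '%d/%b/%Y:%H:%M:%S %z')
    rec['path'], _, rec['query'] = rec['target'].partition('?')
    rec['status'] = int(rec['status'])
    rec['bytes'] = 0 if rec['bytes'] == '-' else int(rec['bytes'])
    return rec


def classify_agent(agent):
    """Rough client class from the User-Agent: 'fetcher', 'crawler' or 'browser'."""
    if FETCHER_RE.search(agent):
        return 'fetcher'
    if CRAWLER_RE.search(agent):
        return 'crawler'
    return 'browser'


def brand_directory(path):
    """Directory prefix up to and including a hostname-like segment, or None.
    Only intermediate segments are checked, so a file name like /favicon.ico is ignored."""
    segs = path.split('/')
    for i, seg in enumerate(segs[1:-1], start=1):
        if HOST_SEGMENT_RE.match(seg):
            return '/'.join(segs[:i + 1]) + '/'
    return None


def analyze(lines):
    """Locate the hosted kit, profile who fetched it, and list write requests logged before
    it was first fetched (candidate upload vectors, if the upload went through Apache at all)."""
    records = [r for r in map(parse_line, lines) if r]
    hits = [(r, brand_directory(r['path'])) for r in records]
    hits = [(r, d) for r, d in hits if d]
    if not hits:
        return {'phish_paths': {}, 'first_seen': None, 'clients': Counter(), 'write_requests_before': []}
    first_seen = min(r['time'] for r, _ in hits)
    writes = sorted((r for r in records if r['method'] in WRITE_METHODS and r['time'] <= first_seen),
                    key=lambda r: r['time'])
    return {
        'phish_paths': dict(Counter(d for _, d in hits)),   # directories to clean up
        'first_seen': first_seen,                           # the kit was live by this time
        'clients': Counter(classify_agent(r['agent']) for r, _ in hits),
        'write_requests_before': [(r['ip'], r['time'].isoformat(), r['path']) for r in writes],
    }


if __name__ == '__main__':
    result = analyze(SAMPLE_LOG)
    print('kit directories:', result['phish_paths'])
    print('first fetched:', result['first_seen'])
    print('clients:', dict(result['clients']))
    for ip, when, path in result['write_requests_before']:
        print('write request before first fetch:', ip, when, path)
```

Run it against the full access log of the affected site, ideally covering the days before the first fetch, and widen the search to the FTP and SSH logs if no write request turns up; the hostname-like directory check is a heuristic and will miss kits placed at the top level of the upload directory without a brand-named folder.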