Is my system hacked?


lano
25th December 2008, 17:07
Today I noticed the following in my logs:

localhost||||391||||82.79.77.84 - - [25/Dec/2008:15:37:10 +0100] "GET HTTP/1.1 HTTP/1.1" 400 391 "-" "Toata dragostea mea pentru diavola"
localhost||||376||||82.79.77.84 - - [25/Dec/2008:15:37:11 +0100] "GET /bin/msgimport HTTP/1.1" 404 376 "-" "Toata dragostea mea pentru diavola"
localhost||||384||||82.79.77.84 - - [25/Dec/2008:15:37:11 +0100] "GET /webmail/bin/msgimport HTTP/1.1" 404 384 "-" "Toata dragostea mea pentru diavola"
localhost||||386||||82.79.77.84 - - [25/Dec/2008:15:37:11 +0100] "GET /roundcube/bin/msgimport HTTP/1.1" 404 386 "-" "Toata dragostea mea pentru diavola"

Am I hacked, or are some script kiddies just trying to hack me?

The system is Etch with ISPConfig.

Thanks
David

HooGLaNDeR
26th December 2008, 01:16
The 404 shows that the page was unknown and unsuccessful.

falko
26th December 2008, 13:31
"Toata dragostea mea pentru diavola" seems to be a bot:
http://www.botsvsbrowsers.com/details/215753/index.html
http://johannburkard.de/blog/www/spam/effective-spam-bot-blocking.html
http://forums.debian.net/viewtopic.php?p=143651&sid=b1943f9e9d0ad5c7d5ec0f7a6c56b9da

I'd block those IP addresses and install fail2ban:
http://www.howtoforge.com/fail2ban_debian_etch
http://www.howtoforge.com/fail2ban_opensuse10.3
http://www.howtoforge.com/preventing-brute-force-attacks-with-fail2ban-on-fedora9
http://www.howtoforge.com/preventing-brute-force-attacks-with-fail2ban-on-mandriva2008.1

HooGLaNDeR
26th December 2008, 15:43
Or maybe denyhosts if you don't use iptables.

Cheers,

Merry Xmas and a blessed 2009 :D

lano
27th December 2008, 16:00
What bothered me was that "localhost" in the log message.
I installed fail2ban, and we'll see...
Thanks to all for your help.
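
The status-code check discussed in this thread, as an added Python example that is not part of the original posts: it parses the vhost-prefixed log lines shown above, picks out requests carrying the bot's User-Agent or the msgimport path, and separates probes the server rejected (4xx/5xx) from any it answered with 2xx/3xx. The regex is inferred from the posted lines, and the two sample lines from 192.0.2.10 and 198.51.100.7 are constructed for illustration.

```python
import re
from collections import defaultdict

# Layout inferred from the posted lines:
# "<vhost>||||<bytes>||||" followed by the Apache combined log format.
LINE_RE = re.compile(
    r'^(?P<vhost>[^|]*)\|{4}(?P<bytes>\d+)\|{4}'
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators taken from the thread: the bot's User-Agent and the probed script.
BOT_UA = "Toata dragostea mea pentru diavola"
PROBE_PATH = re.compile(r'/bin/msgimport\b')

def triage(lines):
    """Group scanner hits by source IP; 'rejected' counts 4xx/5xx replies,
    'answered' lists probes that got 2xx/3xx and need a closer look."""
    report = defaultdict(lambda: {"rejected": 0, "answered": []})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the expected layout, skip
        if m["ua"] != BOT_UA and not PROBE_PATH.search(m["request"]):
            continue  # ordinary traffic
        entry = report[m["ip"]]
        if int(m["status"]) >= 400:
            entry["rejected"] += 1
        else:
            entry["answered"].append((m["ts"], m["request"], m["status"]))
    return dict(report)

# First four lines are from the post; the last two are constructed.
SAMPLE = [
    'localhost||||391||||82.79.77.84 - - [25/Dec/2008:15:37:10 +0100] "GET HTTP/1.1 HTTP/1.1" 400 391 "-" "Toata dragostea mea pentru diavola"',
    'localhost||||376||||82.79.77.84 - - [25/Dec/2008:15:37:11 +0100] "GET /bin/msgimport HTTP/1.1" 404 376 "-" "Toata dragostea mea pentru diavola"',
    'localhost||||384||||82.79.77.84 - - [25/Dec/2008:15:37:11 +0100] "GET /webmail/bin/msgimport HTTP/1.1" 404 384 "-" "Toata dragostea mea pentru diavola"',
    'localhost||||386||||82.79.77.84 - - [25/Dec/2008:15:37:11 +0100] "GET /roundcube/bin/msgimport HTTP/1.1" 404 386 "-" "Toata dragostea mea pentru diavola"',
    'localhost||||1024||||192.0.2.10 - - [25/Dec/2008:15:40:02 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    'localhost||||512||||198.51.100.7 - - [25/Dec/2008:15:41:00 +0100] "GET /webmail/bin/msgimport HTTP/1.1" 200 512 "-" "Toata dragostea mea pentru diavola"',
]

if __name__ == "__main__":
    for ip, info in triage(SAMPLE).items():
        print(ip, "rejected:", info["rejected"], "answered:", info["answered"])
```

An empty "answered" list for an address, as for 82.79.77.84 here, means every probe from it was turned away with an error status.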