HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

Being Spammed/Hacked/Probed not sure PLEASE HELP! (http://www.howtoforge.com/forums/showthread.php?t=49670)

kresser 26th October 2010 20:52

Being Spammed/Hacked/Probed not sure PLEASE HELP!
 
I am really concerned, as I have quite a few clients on an ISPConfig server and honestly I'm a little fresh when it comes to dealing with Internet vandals; maintenance and building I'm fine with, but I'm not really keen on how to protect. I've built several ISPConfig servers and this is the first time I've been getting attacked, or so I think. Fail2ban has been repeatedly blocking IP addresses with the word SSH next to the IP address, which I'm assuming means I've had repeated failed SSH login attempts.

I have been taking all of those IP addresses that show up and creating an individual firewall rule to reject communication. I have looked at some of my individual site records and found what looks like someone probing for my phpMyAdmin management pages, as well as other Internet configuration and management pages.

I am also seeing tons of communication from spamming sites in foreign countries such as Germany, Russia, Belgium, and many, many more.

Recently, many of my users across all of my virtual domains have been experiencing "500 error, internal server error", mostly through my e-mail client RoundCube. I run that as well as SquirrelMail, phpMyAdmin and all the basic tools used in the Debian Lenny "Perfect Server" howto.

I really need some assistance in figuring out a proactive way to stop communication with the sites, maybe blacklisting the domains, and the proper way to restrict these addresses. I have found where to blacklist e-mail accounts, however I don't see such a tool to block domains.

It would be cool if someone could share with me how to implement a script where, after a certain number of repeated communication attempts through different channels such as SSH or unauthorized SSL or username probing, that particular client would be blocked permanently from communication.

I am including some of the log files so maybe someone can help me make sense of this. The IP addresses included in the logs are not any of my personal addresses for this platform.

The main reason I need help, other than clarification on the log files and what to do, is what's going on with the internal server error 500. I need to get rid of that so my clients stop having problems. Here are the log files and where they came from.

"mail warn-log"
Quote:

Sep 25 06:52:33 messiah postfix/smtpd[3925]: warning: 173.236.34.70: address not listed for hostname ns1.bitlocal.com
Sep 25 06:52:34 messiah postfix/smtpd[3925]: warning: unknown[173.236.34.70]: SASL LOGIN authentication failed: authentication failure
Sep 25 06:52:34 messiah postfix/smtpd[3925]: warning: 173.236.34.70: address not listed for hostname ns1.bitlocal.com
Sep 25 06:52:35 messiah postfix/smtpd[3925]: warning: unknown[173.236.34.70]: SASL LOGIN authentication failed: authentication failure
Sep 25 06:52:35 messiah postfix/smtpd[3925]: warning: 173.236.34.70: address not listed for hostname ns1.bitlocal.com
Sep 25 06:52:36 messiah postfix/smtpd[3925]: warning: unknown[173.236.34.70]: SASL LOGIN authentication failed: authentication failure
Sep 25 06:52:36 messiah postfix/smtpd[3925]: warning: 173.236.34.70: address not listed for hostname ns1.bitlocal.com
Sep 25 06:52:38 messiah postfix/smtpd[3925]: warning: unknown[173.236.34.70]: SASL LOGIN authentication failed: authentication failure
Sep 25 06:52:38 messiah postfix/smtpd[3925]: warning: 173.236.34.70: address not listed for hostname ns1.bitlocal.com
Sep 25 06:52:39 messiah postfix/smtpd[3925]: warning: unknown[173.236.34.70]: SASL LOGIN authentication failed: authentication failure
Sep 25 06:52:39 messiah postfix/smtpd[3925]: warning: 173.236.34.70: address not listed for hostname ns1.bitlocal.com
Sep 25 06:52:40 messiah postfix/smtpd[3925]: warning: unknown[173.236.34.70]: SASL LOGIN authentication failed: authentication failure
Sep 25 06:52:40 messiah postfix/smtpd[3925]: warning: 173.236.34.70: address not listed for hostname ns1.bitlocal.com
Sep 25 06:52:41 messiah postfix/smtpd[3925]: warning: unknown[173.236.34.70]: SASL LOGIN authentication failed: authentication failure
Sep 25 06:52:41 messiah postfix/smtpd[3925]: warning: 173.236.34.70: address not listed for hostname ns1.bitlocal.com
Sep 25 06:52:42 messiah postfix/smtpd[3925]: warning: unknown[173.236.34.70]: SASL LOGIN authentication failed: authentication failure
Sep 25 06:52:42 messiah postfix/smtpd[3925]: warning: 173.236.34.70: address not listed for hostname ns1.bitlocal.com
Sep 25 06:52:46 messiah postfix/smtpd[3925]: warning: unknown[173.236.34.70]: SASL LOGIN authentication failed: authentication failure
Sep 25 06:52:46 messiah postfix/smtpd[3925]: warning: 173.236.34.70: address not listed for hostname ns1.bitlocal.com
Sep 25 09:45:00 messiah postfix/smtpd[5567]: warning: 64.206.180.28: address not listed for hostname COLLEGEROADTRIP.NET
Sep 26 10:01:29 messiah postfix/smtpd[22470]: warning: 64.206.180.32: address not listed for hostname EDUCATIONDECATHLON.NET
Sep 26 13:56:00 messiah postfix/master[32730]: warning: master_spawn: fork: Cannot allocate memory -- throttling
Sep 26 19:05:01 messiah postfix/master[32730]: warning: master_spawn: fork: Cannot allocate memory -- throttling
Sep 29 13:36:29 messiah postfix/smtpd[32035]: warning: TLS library problem: 32035:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1053:SSL alert number 48:
Sep 30 20:45:37 messiah postfix/smtpd[22042]: warning: 74.82.216.23: hostname mx1.COMPSENSELIVE.COM verification failed: Name or service not known
Oct 1 09:49:22 messiah pop3d: Maximum connection limit reached for ::ffff:78.188.11.52
Oct 1 09:49:22 messiah pop3d: Maximum connection limit reached for ::ffff:78.188.11.52
Oct 4 05:38:44 messiah pop3d: Maximum connection limit reached for ::ffff:173.10.255.154
Oct 4 05:38:45 messiah last message repeated 11 times
Oct 4 22:22:00 messiah postfix/smtpd[3527]: warning: rrcs-67-78-121-115.sw.biz.rr.com[67.78.121.115]: SASL LOGIN authentication failed: authentication failure
Oct 5 03:42:53 messiah postfix/smtpd[26033]: warning: rrcs-67-78-121-115.sw.biz.rr.com[67.78.121.115]: SASL LOGIN authentication failed: authentication failure
Oct 8 10:02:34 messiah postfix/smtpd[3441]: warning: 208.67.183.45: hostname host.gravitydeal.com verification failed: Name or service not known
Oct 12 05:38:12 messiah postfix/smtpd[2015]: warning: 69.175.64.132: address not listed for hostname srv1.clickregionalsadv.com
Oct 12 05:38:12 messiah postfix/smtpd[2015]: warning: 69.175.64.132: address not listed for hostname srv1.clickregionalsadv.com
Oct 20 09:53:33 messiah postfix/smtpd[30042]: warning: 24.106.95.18: hostname strongmail.schaeffer.com verification failed: Name or service not known
Oct 21 19:46:36 messiah postfix/smtpd[25989]: warning: 207.126.80.124: address not listed for hostname jersey.educateuniversity.com
Oct 21 21:30:11 messiah postfix/smtpd[1635]: warning: 173.232.50.71: address not listed for hostname dominicanrepublic.dealsposts.com
Oct 22 06:46:37 messiah postfix/smtpd[10124]: warning: unknown[219.232.243.172]: SASL LOGIN authentication failed: authentication failure
Oct 22 06:46:43 messiah last message repeated 3 times
Oct 22 12:01:59 messiah postfix/master[32404]: warning: master_spawn: fork: Cannot allocate memory -- throttling
Oct 22 13:15:40 messiah postfix/smtpd[22296]: warning: 173.232.50.35: address not listed for hostname bouvetisland.dealsposts.com
Oct 22 14:00:18 messiah postfix/master[32404]: warning: master_spawn: fork: Cannot allocate memory -- throttling
Oct 22 14:05:45 messiah postfix/smtpd[19780]: warning: 207.126.80.23: address not listed for hostname bangladesh.educateuniversity.com
Oct 22 14:17:45 messiah postfix/smtpd[25634]: warning: unknown[219.232.243.172]: SASL LOGIN authentication failed: authentication failure
Oct 22 14:17:57 messiah last message repeated 7 times
Oct 22 18:31:50 messiah postfix/smtpd[15632]: warning: 207.126.80.35: address not listed for hostname bouvetisland.educateuniversity.com
Oct 22 20:02:25 messiah amavis[19565]: (19565-08) (!!)TROUBLE in check_mail: parts_decode_ext FAILED: file(1) utility (/usr/bin/file) error: run_command (open pipe): Can't fork at /usr/lib/perl/5.10/IO/File.pm line 66, line 25624. at /usr/sbin/amavisd-new line 2892, line 25624.
Oct 22 20:02:25 messiah amavis[19565]: (19565-08) (!)PRESERVING EVIDENCE in /var/lib/amavis/tmp/amavis-20101022T182026-19565
Oct 23 05:04:01 messiah postfix/smtpd[13948]: warning: unknown[219.232.243.172]: SASL LOGIN authentication failed: authentication failure
Oct 23 05:04:15 messiah last message repeated 8 times
Oct 23 05:08:02 messiah postfix/smtpd[24301]: warning: unknown[219.232.243.172]: SASL LOGIN authentication failed: authentication failure
Oct 23 05:08:14 messiah last message repeated 8 times
Oct 23 07:30:30 messiah postfix/smtpd[22020]: warning: 207.126.80.150: address not listed for hostname marshallislands.educateuniversity.com
Oct 23 08:05:00 messiah amavis[25958]: (25958-09) (!!)TROUBLE in check_mail: parts_decode_ext FAILED: file(1) utility (/usr/bin/file) error: run_command (open pipe): Can't fork at /usr/lib/perl/5.10/IO/File.pm line 66, line 1570. at /usr/sbin/amavisd-new line 2892, line 1570.
Oct 23 08:05:00 messiah amavis[25958]: (25958-09) (!)PRESERVING EVIDENCE in /var/lib/amavis/tmp/amavis-20101023T041452-25958
Oct 23 10:21:37 messiah postfix/smtpd[1505]: warning: 173.232.75.170: address not listed for hostname newzealand.degreeroots.com
Oct 23 10:49:39 messiah postfix/smtpd[15946]: warning: 207.126.76.182: address not listed for hostname papuanewguinea.degreenewsletter.com
Oct 23 11:06:08 messiah postfix/smtpd[23773]: warning: 184.82.91.221: address not listed for hostname svalbard.educateaccess.com
Oct 23 11:19:42 messiah postfix/smtpd[28567]: warning: 67.143.173.11: hostname host671430011173.direcway.com verification failed: Name or service not known
Oct 23 12:11:08 messiah postfix/smtpd[5140]: warning: 207.126.83.134: address not listed for hostname latvia.guidegetup.com
Oct 23 14:00:13 messiah postfix/smtpd[28219]: warning: 207.126.80.217: address not listed for hostname spratlyislands.educateuniversity.com
Oct 23 14:21:50 messiah postfix/smtpd[3401]: warning: 207.126.68.39: address not listed for hostname brunei.chimiesecondspeedup.com
Oct 23 14:34:57 messiah postfix/smtpd[3853]: warning: 207.126.81.144: address not listed for hostname madagascar.fondpauseutilities.com
Oct 23 14:55:37 messiah postfix/smtpd[28134]: warning: 209.135.0.17: address not listed for hostname ashmoreandcartierislands.investforfamily.com
Oct 23 15:45:50 messiah postfix/smtpd[26511]: warning: 173.232.50.132: address not listed for hostname kyrgyzstan.dealsposts.com
Oct 23 16:10:20 messiah postfix/smtpd[19865]: warning: 184.82.90.236: address not listed for hostname tunisia.deliveryschool.com
Oct 23 18:03:05 messiah postfix/smtpd[17899]: warning: 173.232.75.243: address not listed for hostname unitedarabemirates.degreeroots.com
Oct 23 18:49:25 messiah postfix/smtpd[5796]: warning: 173.232.49.186: address not listed for hostname philippines.componentnetworks.com
Oct 23 22:02:53 messiah postfix/smtpd[13450]: warning: 184.82.91.8: address not listed for hostname angola.educateaccess.com
Oct 24 09:00:35 messiah postfix/smtpd[30152]: warning: 173.232.49.249: address not listed for hostname vietnam.componentnetworks.com
Oct 24 09:20:36 messiah postfix/smtpd[11301]: warning: 207.126.80.28: address not listed for hostname belize.educateuniversity.com
Oct 24 10:24:04 messiah postfix/smtpd[17844]: warning: 173.232.50.69: address not listed for hostname djibouti.dealsposts.com
Oct 24 10:50:17 messiah postfix/smtpd[22406]: warning: 173.232.75.102: address not listed for hostname guernsey.degreeroots.com
Oct 24 11:12:36 messiah postfix/smtpd[9640]: warning: 64.191.42.21: address not listed for hostname bahamas.cashforschooling.com
Oct 24 11:35:24 messiah postfix/smtpd[19688]: warning: 209.135.0.208: address not listed for hostname sierraleone.investforfamily.com
Oct 24 11:37:30 messiah postfix/smtpd[30032]: warning: 184.82.91.182: address not listed for hostname papuanewguinea.educateaccess.com
Oct 24 12:16:52 messiah postfix/smtpd[5412]: warning: 207.126.78.116: address not listed for hostname iraq.easyprofessionals.com
Oct 24 14:05:56 messiah postfix/smtpd[24313]: warning: 207.126.83.71: address not listed for hostname dominicanrepublic.guidegetup.com
Oct 24 16:35:51 messiah postfix/smtpd[6070]: warning: 173.232.75.99: address not listed for hostname guadeloupe.degreeroots.com
Oct 24 20:32:37 messiah postfix/smtpd[1401]: warning: non-SMTP command from 118-167-11-217.dynamic.hinet.net[118.167.11.217]: GET http://www.scanproxy.com:80/p-25.html HTTP/1.0
Oct 24 20:32:37 messiah postfix/smtpd[1404]: warning: non-SMTP command from 118-167-11-217.dynamic.hinet.net[118.167.11.217]: GET http://www.scanproxy.com:80/p-25.html HTTP/1.0
Oct 25 09:31:23 messiah postfix/smtpd[16071]: warning: 207.126.80.64: address not listed for hostname cuba.educateuniversity.com
Oct 25 10:54:40 messiah postfix/smtpd[12187]: warning: 209.135.0.121: address not listed for hostname jamaica.investforfamily.com
Oct 25 10:59:45 messiah postfix/smtpd[26266]: warning: 207.126.76.110: address not listed for hostname hongkong.degreenewsletter.com
Oct 25 11:35:38 messiah postfix/smtpd[1675]: warning: 173.232.49.95: address not listed for hostname gloriosoislands.componentnetworks.com
Oct 25 11:53:24 messiah postfix/smtpd[22294]: warning: 173.232.50.227: address not listed for hostname tajikistan.dealsposts.com
Oct 25 12:05:24 messiah postfix/smtpd[10222]: warning: 207.126.83.152: address not listed for hostname mauritania.guidegetup.com
Oct 25 12:11:53 messiah postfix/smtpd[30690]: warning: 173.232.75.64: address not listed for hostname cuba.degreeroots.com
Oct 25 14:00:22 messiah postfix/smtpd[30404]: warning: 207.126.81.158: address not listed for hostname monaco.fondpauseutilities.com
Oct 25 16:39:43 messiah postfix/smtpd[28501]: warning: 173.232.75.95: address not listed for hostname gloriosoislands.degreeroots.com
Oct 25 19:00:08 messiah postfix/local[7758]: warning: fork: Cannot allocate memory
Oct 25 19:00:08 messiah postfix/master[32404]: warning: master_spawn: fork: Cannot allocate memory -- throttling
Oct 25 22:17:44 messiah postfix/smtpd[30399]: warning: 64.191.42.27: address not listed for hostname belgium.cashforschooling.com
Oct 26 08:03:02 messiah amavis[30266]: (30266-13) (!)rw_loop: leaving rw loop, no progress
Oct 26 08:03:02 messiah amavis[30266]: (30266-13) (!)FWD via SMTP: -> , 451 4.5.0 From MTA([127.0.0.1]:10025) during fwd-connect (Negative greeting: at (eval 84) line 555, line 6628.): id=30266-13
Oct 26 08:03:08 messiah amavis[30266]: (30266-13) (!)rw_loop: leaving rw loop, no progress
Oct 26 09:52:25 messiah postfix/smtpd[11301]: warning: 207.126.76.66: address not listed for hostname czechrepublic.degreenewsletter.com
Oct 26 10:03:57 messiah postfix/smtpd[29737]: warning: 173.232.49.59: address not listed for hostname cookislands.componentnetworks.com
Oct 26 10:10:17 messiah postfix/smtpd[15751]: warning: 173.232.75.36: address not listed for hostname brazil.degreeroots.com
Oct 26 11:05:56 messiah postfix/smtpd[27926]: warning: 209.135.0.188: address not listed for hostname poland.investforfamily.com
"fail2ban" - There are close to 100 of these over the last week
Quote:

2010-10-24 04:14:42,808 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
2010-10-24 04:14:42,809 fail2ban.jail : INFO Creating new jail 'ssh'
2010-10-24 04:14:42,809 fail2ban.jail : INFO Jail 'ssh' uses poller
2010-10-24 04:14:42,810 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2010-10-24 04:14:42,810 fail2ban.filter : INFO Set maxRetry = 6
2010-10-24 04:14:42,811 fail2ban.filter : INFO Set findtime = 600
2010-10-24 04:14:42,812 fail2ban.actions: INFO Set banTime = 600
2010-10-24 04:14:42,872 fail2ban.jail : INFO Jail 'ssh' started
2010-10-24 04:14:44,895 fail2ban.actions: WARNING [ssh] Ban 111.171.206.167
2010-10-24 04:24:44,902 fail2ban.actions: WARNING [ssh] Unban 111.171.206.167
2010-10-24 06:46:58,005 fail2ban.actions: WARNING [ssh] Ban 111.171.206.167
2010-10-24 06:56:58,888 fail2ban.actions: WARNING [ssh] Unban 111.171.206.167
2010-10-24 08:16:59,866 fail2ban.actions: WARNING [ssh] Ban 111.171.206.167
2010-10-24 08:27:00,460 fail2ban.actions: WARNING [ssh] Unban 111.171.206.167
2010-10-24 11:33:00,403 fail2ban.actions: WARNING [ssh] Ban 113.12.94.87
2010-10-24 11:43:00,494 fail2ban.actions: WARNING [ssh] Unban 113.12.94.87
2010-10-24 19:00:49,672 fail2ban.actions: WARNING [ssh] Ban 219.153.49.151
2010-10-24 19:00:53,737 fail2ban.actions: WARNING [ssh] 219.153.49.151 already banned
2010-10-24 19:10:49,747 fail2ban.actions: WARNING [ssh] Unban 219.153.49.151
2010-10-25 00:26:05,525 fail2ban.actions: WARNING [ssh] Ban 113.12.94.87
2010-10-25 00:36:05,853 fail2ban.actions: WARNING [ssh] Unban 113.12.94.87
2010-10-25 03:04:20,733 fail2ban.actions: WARNING [ssh] Ban 113.12.94.87
2010-10-25 03:14:20,738 fail2ban.actions: WARNING [ssh] Unban 113.12.94.87
2010-10-25 04:14:49,543 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2010-10-25 15:46:16,913 fail2ban.actions: WARNING [ssh] Ban 222.73.163.21
2010-10-25 15:56:17,762 fail2ban.actions: WARNING [ssh] Unban 222.73.163.21
2010-10-26 12:15:28,444 fail2ban.actions: WARNING [ssh] Ban 61.135.88.47
2010-10-26 12:15:41,584 fail2ban.actions: WARNING [ssh] 61.135.88.47 already banned
2010-10-26 12:15:42,584 fail2ban.actions: WARNING [ssh] 61.135.88.47 already banned
2010-10-26 12:25:28,588 fail2ban.actions: WARNING [ssh] Unban 61.135.88.47
2010-10-26 12:44:26,603 fail2ban.actions: WARNING [ssh] Ban 180.70.116.110
2010-10-26 12:54:26,610 fail2ban.actions: WARNING [ssh] Unban 180.70.116.110
Site error log - note the config page errors. I never tried to get into management pages through this domain, and as a matter of fact they're blocked; is someone probing??
Quote:

19 16:26:04 2010] [error] [client 99.198.52.181] File does not exist: /var/www/3ezbids.com/web/favicon.ico
[Sun Sep 19 16:27:55 2010] [error] [client 99.198.52.181] File does not exist: /var/www/3ezbids.com/web/favicon.ico
[Sun Sep 19 16:28:00 2010] [error] [client 99.198.52.181] File does not exist: /var/www/3ezbids.com/web/favicon.ico
[Sun Sep 19 16:28:12 2010] [error] [client 99.198.52.181] File does not exist: /var/www/3ezbids.com/web/favicon.ico
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/mysql
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/phpmyadmin
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/pma
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/scripts
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/phpmyadmin, referer: 173.212.254.49
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/phpmyadmin
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/mysql, referer: 173.212.254.49
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/phpmyadmin, referer: 173.212.254.49
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/pma, referer: 173.212.254.49
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/mysql
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin, referer: 173.212.254.49
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/scripts, referer: 173.212.254.49
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/pma
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/mysql, referer: 173.212.254.49
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/scripts
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/pma, referer: 173.212.254.49
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin, referer: 173.212.254.49
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/scripts, referer: 173.212.254.49
[Sun Sep 19 17:58:50 2010] [error] [client 99.198.52.181] File does not exist: /var/www/3ezbids.com/web/favicon.ico
[Sun Sep 19 19:48:19
More for the same site. I used net tools to check the IPs and they are coming from Germany and Russia mostly; what's going on??


Quote:

/var/www/3ezbids.com/web/favicon.ico
[Thu Sep 23 06:44:14 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/w00tw00t.at.blackhats.romanian.anti-sec:)
[Thu Sep 23 06:44:15 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/scripts
[Thu Sep 23 06:44:15 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/admin
[Thu Sep 23 06:44:16 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/admin
[Thu Sep 23 06:44:16 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/admin
[Thu Sep 23 06:44:17 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/db
[Thu Sep 23 06:44:17 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/dbadmin
[Thu Sep 23 06:44:17 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/myadmin
[Thu Sep 23 06:44:18 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/mysql
[Thu Sep 23 06:44:18 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/mysqladmin
[Thu Sep 23 06:44:19 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/typo3
[Thu Sep 23 06:44:19 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpadmin
[Thu Sep 23 06:44:19 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin
[Thu Sep 23 06:44:20 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpmyadmin
[Thu Sep 23 06:44:20 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpmyadmin1
[Thu Sep 23 06:44:21 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpmyadmin2
[Thu Sep 23 06:44:21 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/pma
[Thu Sep 23 06:44:21 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/web
[Thu Sep 23 06:44:22 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/xampp
[Thu Sep 23 06:44:22 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/web
[Thu Sep 23 06:44:23 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/php-my-admin
[Thu Sep 23 06:44:23 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/websql
[Thu Sep 23 06:44:23 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpmyadmin
[Thu Sep 23 06:44:24 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin
[Thu Sep 23 06:44:24 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2
[Thu Sep 23 06:44:25 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/php-my-admin
[Thu Sep 23 06:44:25 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.2.3
[Thu Sep 23 06:44:25 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.2.6
[Thu Sep 23 06:44:26 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.5.1
[Thu Sep 23 06:44:27 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.5.4
[Thu Sep 23 06:44:27 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.5.5-rc1
[Thu Sep 23 06:44:27 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.5.5-rc2
[Thu Sep 23 06:44:27 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.5.5
[Thu Sep 23 06:44:28 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.5.5-pl1
[Thu Sep 23 06:44:28 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.5.6-rc1
[Thu Sep 23 06:44:29 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.5.6-rc2
[Thu Sep 23 06:44:29 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.5.6
[Thu Sep 23 06:44:29 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.5.7
[Thu Sep 23 06:44:30 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.5.7-pl1
[Thu Sep 23 06:44:30 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.0-alpha
[Thu Sep 23 06:44:31 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.0-alpha2
[Thu Sep 23 06:44:31 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.0-beta1
[Thu Sep 23 06:44:31 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.0-beta2
[Thu Sep 23 06:44:32 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.0-rc1
[Thu Sep 23 06:44:32 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.0-rc2
[Thu Sep 23 06:44:33 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.0-rc3
[Thu Sep 23 06:44:33 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.0
[Thu Sep 23 06:44:33 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.0-pl1
[Thu Sep 23 06:44:34 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.0-pl2
[Thu Sep 23 06:44:34 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.0-pl3
[Thu Sep 23 06:44:35 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.1-rc1
[Thu Sep 23 06:44:35 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.1-rc2
[Thu Sep 23 06:44:35 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.1
[Thu Sep 23 06:44:36 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.1-pl1
[Thu Sep 23 06:44:36 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.1-pl2
[Thu Sep 23 06:44:37 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.1-pl3
[Thu Sep 23 06:44:37 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.2-rc1
[Thu Sep 23 06:44:37 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.2-beta1
[Thu Sep 23 06:44:38 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.2-rc1
[Thu Sep 23 06:44:38 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.2
[Thu Sep 23 06:44:39 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.2-pl1
[Thu Sep 23 06:44:39 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.3
[Thu Sep 23 06:44:39 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.3-rc1
[Thu Sep 23 06:44:40 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.3
[Thu Sep 23 06:44:40 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.3-pl1
[Thu Sep 23 06:44:41 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.4-rc1
[Thu Sep 23 06:44:41 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.4-pl1
[Thu Sep 23 06:44:41 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.4-pl2
[Thu Sep 23 06:44:42 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.4-pl3
[Thu Sep 23 06:44:42 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.4-pl4
[Thu Sep 23 06:44:43 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.4
[Thu Sep 23 06:44:43 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.7.0-beta1
[Thu Sep 23 06:44:43 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.7.0-rc1
[Thu Sep 23 06:44:44 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.7.0-pl1
[Thu Sep 23 06:44:45 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.7.0-pl2
[Thu Sep 23 06:44:45 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.7.0
[Thu Sep 23 06:44:45 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.8.0-beta1
[Thu Sep 23 06:44:45 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.8.0-rc1
[Thu Sep 23 06:44:46 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.8.0-rc2
[Thu Sep 23 06:44:46 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.8.0
[Thu Sep 23 06:44:47 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.8.0.1
[Thu Sep 23 06:44:47 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.8.0.2
[Thu Sep 23 06:44:47 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.8.0.3
[Thu Sep 23 06:44:47 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.8.0.4
[Thu Sep 23 06:44:48 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.8.1-rc1
[Thu Sep 23 06:44:48 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.8.1
[Thu Sep 23 06:44:49 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.8.2
[Thu Sep 23 06:44:49 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/sqlmanager
[Thu Sep 23 06:44:49 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/mysqlmanager
[Thu Sep 23 06:44:50 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/p
[Thu Sep 23 06:44:50 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/PMA2005
[Thu Sep 23 06:44:51 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/pma2005
[Thu Sep 23 06:44:51 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpmanager
[Thu Sep 23 06:44:51 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/php-myadmin
[Thu Sep 23 06:44:52 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpmy-admin
[Thu Sep 23 06:44:52 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/webadmin
[Thu Sep 23 06:44:53 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/sqlweb
[Thu Sep 23 06:44:53 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/websql
[Thu Sep 23 06:44:53 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/webdb
[Thu Sep 23 06:44:54 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/mysqladmin
[Thu Sep 23 06:44:54 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/mysql-admin
[Thu Sep 23 08:26:56 2010] [error] [client 99.198.52.181] File does not exist:
Please help explain this and what to do. It's happening all over my server, and my clients that run businesses on this are having the 500 errors. Forgive me for being ignorant, but you have to learn somehow, right?

kresser 26th October 2010 20:59

Proxy Servers...
 
I can see some of these people are using non-logging/private proxy servers, and that's an indicator to me that they are up to no good... advice???

mini14 26th October 2010 21:17

You can permanently block the offending IP numbers and even the class C that they are part of if you want to. Edit the file "pre-chain-split.sh" that's located in /etc/Bastille/firewall.d

Add lines like this to it...

iptables -A INPUT -s xx.xxx.xx.0/24 -j DROP
(blocks the class C)
iptables -A INPUT -s xx.xxx.xx.x -j DROP
(blocks the individual IP)

Then restart Bastille with /etc/init.d/bastille-firewall restart

kresser 28th October 2010 19:00

Thank you but I still need a bunch of help
 
I appreciate that tip, but is there anyone who can give me some insight as to what these logs are suggesting? I would appreciate a brief run-through of what a professional administrator sees here. I am only an intermediate IT guy; I'm not very familiar with defending complex platforms, which I know sounds dumb, but like I said, you have to learn somehow, right?

Also, this is very important: I myself and all of my clients are receiving an "internal server error 500" every few days, and I need to know if that's a separate problem and where to start on fixing it. I already removed all of the .htaccess files in the site dirs thinking that was it, but no luck.

AND one other important thing: I can only enable 1 SSL site in the configs. I have each site that needs SSL set up on a separate IP address, but when I get the first working and I enable the second, Apache crashes and says "address already in use", cannot bind or something like that. If anyone could please help with these issues I would greatly appreciate it!

kresser 28th October 2010 19:03

Actually ispconfig 3, not 2
 
My bad, I put this in the wrong thread; I'm using ISPConfig 3, not 2.....

falko 29th October 2010 14:47

I wouldn't worry too much about being probed - that's happening to EVERY server on the Internet. As long as you use fail2ban and secure passwords you should be fine.

Regarding the 500 server error: are there any errors in Apache's error log?

kresser 29th October 2010 15:59

Apaches Error Logs
 
Here is Apache's most current logfile, a bunch more junk being messed with it looks like...... Also, other than the 500 error, which is a big problem right now, I needed help figuring out why I can only enable 1 SSL site. I have certs I've bought that I can't use because Apache throws a fit.......

Quote:

[Sun Oct 24 04:14:30 2010] [warn] long lost child came home! (pid 9389)
[Sun Oct 24 05:33:44 2010] [error] [client 168.216.100.4] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Oct 24 05:34:53 2010] [error] [client 168.216.100.4] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Oct 24 05:34:53 2010] [error] [client 168.216.100.4] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Oct 24 07:13:04 2010] [notice] mod_fcgid: call /var/www/arealreason.com/web/mail/index.php with wrapper /var/www/php-fcgi-scripts/web2/.php-fcgi-starter
[Sun Oct 24 07:20:18 2010] [notice] mod_fcgid: call /var/www/arealreason.com/web/mail/index.php with wrapper /var/www/php-fcgi-scripts/web2/.php-fcgi-starter
[Sun Oct 24 07:35:54 2010] [error] [client 168.216.100.4] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Sun Oct 24 07:37:05 2010] [error] [client 168.216.100.4] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Sun Oct 24 07:37:05 2010] [error] [client 168.216.100.4] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Sun Oct 24 09:40:31 2010] [error] [client 168.216.100.4] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Sun Oct 24 09:41:36 2010] [error] [client 168.216.100.4] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Sun Oct 24 09:41:36 2010] [error] [client 168.216.100.4] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Sun Oct 24 11:42:35 2010] [error] [client 168.216.100.4] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Sun Oct 24 11:43:42 2010] [error] [client 168.216.100.4] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Sun Oct 24 11:43:42 2010] [error] [client 168.216.100.4] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Sun Oct 24 13:46:30 2010] [error] [client 168.216.100.4] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Sun Oct 24 13:47:37 2010] [error] [client 168.216.100.4] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Sun Oct 24 13:47:37 2010] [error] [client 168.216.100.4] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Sun Oct 24 14:17:30 2010] [notice] mod_fcgid: call /var/www/arealreason.com/web/mail/index.php with wrapper /var/www/php-fcgi-scripts/web2/.php-fcgi-starter
[Sun Oct 24 15:30:54 2010] [error] [client 188.165.64.234] File does not exist: /usr/local/ispconfig/interface/web/fastenv
[Sun Oct 24 15:45:21 2010] [error] [client 188.165.64.234] File does not exist: /usr/local/ispconfig/interface/web/fastenv
[Sun Oct 24 15:49:52 2010] [error] [client 168.216.100.4] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Sun Oct 24 15:50:57 2010] [error] [client 168.216.100.4] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Sun Oct 24 15:50:57 2010] [error] [client 168.216.100.4] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Sun Oct 24 17:53:58 2010] [error] [client 168.216.100.4] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Sun Oct 24 17:55:04 2010] [error] [client 168.216.100.4] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Sun Oct 24 17:55:04 2010] [error] [client 168.216.100.4] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Sun Oct 24 19:23:17 2010] [error] [client 220.255.7.213] File does not exist: /var/www/announce
[Sun Oct 24 19:29:28 2010] [error] [client 194.72.238.62] Invalid method in request \x16\x03\x01
[Sun Oct 24 19:39:39 2010] [notice] mod_fcgid: call /var/www/3ezbids.com/web/mail/index.php with wrapper /var/www/php-fcgi-scripts/web7/.php-fcgi-starter
[Sun Oct 24 19:39:53 2010] [notice] mod_fcgid: call /var/www/3ezbids.com/web/mail/src/right_main.php with wrapper /var/www/php-fcgi-scripts/web7/.php-fcgi-starter
[Sun Oct 24 19:57:18 2010] [error] [client 168.216.100.4] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Sun Oct 24 19:58:21 2010] [error] [client 168.216.100.4] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Sun Oct 24 19:58:21 2010] [error] [client 168.216.100.4] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Sun Oct 24 22:03:03 2010] [error] [client 168.216.100.4] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Sun Oct 24 22:04:08 2010] [error] [client 168.216.100.4] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Sun Oct 24 22:04:11 2010] [error] [client 168.216.100.4] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Sun Oct 24 22:19:47 2010] [error] [client 221.195.73.68] script '/usr/local/ispconfig/interface/web/judge.php' not found or unable to stat
[Sun Oct 24 22:19:56 2010] [error] [client 221.195.73.68] script '/usr/local/ispconfig/interface/web/proxyheader.php' not found or unable to stat
[Mon Oct 25 00:07:09 2010] [error] [client 168.216.100.4] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Mon Oct 25 00:08:15 2010] [error] [client 168.216.100.4] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Mon Oct 25 00:08:15 2010] [error] [client 168.216.100.4] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Mon Oct 25 02:04:59 2010] [error] [client 173.83.255.42] File does not exist: /usr/local/ispconfig/interface/web/fastenv
[Mon Oct 25 02:09:29 2010] [error] [client 168.216.100.4] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Mon Oct 25 02:10:38 2010] [error] [client 168.216.100.4] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Mon Oct 25 02:10:38 2010] [error] [client 168.216.100.4] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Mon Oct 25 03:49:01 2010] [error] [client 193.37.152.83] File does not exist: /usr/local/ispconfig/interface/web/fastenv
[Mon Oct 25 03:51:48 2010] [error] [client 193.37.152.83] File does not exist: /usr/local/ispconfig/interface/web/fastenv
[Mon Oct 25 03:53:37 2010] [error] [client 91.121.22.8] File does not exist: /var/www/phpmyadmin
[Mon Oct 25 03:53:38 2010] [error] [client 91.121.22.8] File does not exist: /var/www/phpMyAdmin

kresser 29th October 2010 16:04

Yesterdays Mail Logs
 
It's crazy how for months and months nobody messed with me and then bam, trouble everywhere....

This showed up in my mail logs yesterday, and I'm curious as to whether all of these scanners and hack tools being used on my server are causing the RAM in it to get eaten up and that's where these errors came from, I dunno...

Falko your help would be greatly appreciated....

Quote:

Oct 22 20:02:25 messiah amavis[19565]: (19565-08) (!!)TROUBLE in check_mail: parts_decode_ext FAILED: file(1) utility (/usr/bin/file) error: run_command (open pipe): Can't fork at /usr/lib/perl/5.10/IO/File.pm line 66, line 25624. at /usr/sbin/amavisd-new line 2892, line 25624.
Oct 23 08:05:00 messiah amavis[25958]: (25958-09) (!!)TROUBLE in check_mail: parts_decode_ext FAILED: file(1) utility (/usr/bin/file) error: run_command (open pipe): Can't fork at /usr/lib/perl/5.10/IO/File.pm line 66, line 1570. at /usr/sbin/amavisd-new line 2892, line 1570.
Oct 28 06:41:26 messiah pop3d: Maximum connection limit reached for ::ffff:190.72.209.155
Oct 28 06:55:31 messiah pop3d: Maximum connection limit reached for ::ffff:190.72.209.155
Oct 28 07:50:01 messiah postfix/smtpd[26508]: fatal: epoll_create: Too many open files in system
Oct 28 08:10:01 messiah master[17645]: fatal: master_spawn: exec /usr/lib/postfix/proxymap: Cannot allocate memory
Oct 28 08:21:03 messiah amavis[5378]: (05378-01) (!!)TROUBLE in check_mail: parts_decode_ext FAILED: file(1) utility (/usr/bin/file) error: run_command (open pipe): Can't fork at /usr/lib/perl/5.10/IO/File.pm line 66. at /usr/sbin/amavisd-new line 2892.
Oct 28 08:30:13 messiah amavis[5378]: (05378-02) (!!)TROUBLE in check_mail: parts_decode_ext FAILED: file(1) utility (/usr/bin/file) error: run_command (open pipe): Can't fork at /usr/lib/perl/5.10/IO/File.pm line 66. at /usr/sbin/amavisd-new line 2892.
Oct 28 08:33:34 messiah postfix/smtp[16232]: fatal: smtp_connect_addr: socket: No buffer space available
Oct 28 08:52:22 messiah amavis[18208]: (18208-19) (!!)TROUBLE in check_mail: parts_decode_ext FAILED: file(1) utility (/usr/bin/file) error: run_command (open pipe): Can't fork at /usr/lib/perl/5.10/IO/File.pm line 66, line 5959. at /usr/sbin/amavisd-new line 2892, line 5959.
Oct 28 09:07:33 messiah amavis[18208]: (18208-20) (!!)TROUBLE in check_mail: parts_decode_ext FAILED: file(1) utility (/usr/bin/file) error: run_command (open pipe): Can't fork at /usr/lib/perl/5.10/IO/File.pm line 66, line 442. at /usr/sbin/amavisd-new line 2892, line 442.
Oct 28 09:09:22 messiah pipe[22171]: fatal: pipe_command: execvp /usr/bin/maildrop: Argument list too long
Oct 28 09:20:06 messiah amavis[17706]: (17706-01) (!!)TROUBLE in check_mail: parts_decode_ext FAILED: file(1) utility (/usr/bin/file) error: run_command (open pipe): Can't fork at /usr/lib/perl/5.10/IO/File.pm line 66. at /usr/sbin/amavisd-new line 2892.
Oct 28 09:33:37 messiah amavis[17706]: (17706-02) (!!)TROUBLE in check_mail: parts_decode_ext FAILED: file(1) utility (/usr/bin/file) error: run_command (open pipe): Can't fork at /usr/lib/perl/5.10/IO/File.pm line 66, line 587. at /usr/sbin/amavisd-new line 2892, line 587.
Oct 28 09:39:22 messiah amavis[5378]: (05378-07) (!!)TROUBLE in check_mail: parts_decode_ext FAILED: file(1) utility (/usr/bin/file) error: run_command (open pipe): Can't fork at /usr/lib/perl/5.10/IO/File.pm line 66, line 2871. at /usr/sbin/amavisd-new line 2892, line 2871.
Oct 28 10:00:06 messiah amavis[5378]: (05378-08) (!!)TROUBLE in check_mail: parts_decode_ext FAILED: file(1) utility (/usr/bin/file) error: run_command (open pipe): Can't fork at /usr/lib/perl/5.10/IO/File.pm line 66. at /usr/sbin/amavisd-new line 2892.
Oct 28 10:03:01 messiah amavis[17706]: (17706-04) (!!)TROUBLE in check_mail: parts_decode_ext FAILED: file(1) utility (/usr/bin/file) error: run_command (open pipe): Can't fork at /usr/lib/perl/5.10/IO/File.pm line 66, line 1472. at /usr/sbin/amavisd-new line 2892, line 1472.
Oct 28 10:05:01 messiah master[15459]: fatal: master_spawn: exec /usr/lib/postfix/proxymap: Cannot allocate memory
Oct 28 11:20:07 messiah amavis[5378]: (05378-11) (!!)TROUBLE in check_mail: parts_decode_ext FAILED: file(1) utility (/usr/bin/file) error: run_command (open pipe): Can't fork at /usr/lib/perl/5.10/IO/File.pm line 66, line 486. at /usr/sbin/amavisd-new line 2892, line 486.
Oct 28 11:20:56 messiah amavis[17706]: (17706-07) (!!)TROUBLE in check_mail: parts_decode_ext FAILED: file(1) utility (/usr/bin/file) error: run_command (open pipe): Can't fork at /usr/lib/perl/5.10/IO/File.pm line 66. at /usr/sbin/amavisd-new line 2892.
Oct 28 11:29:04 messiah amavis[5378]: (05378-12) (!!)TROUBLE in check_mail: parts_decode_ext FAILED: file(1) utility (/usr/bin/file) error: failed, DIED on signal 9 (0009), parsing failure - missing last 2 results at (eval 92) line 177.
Oct 28 11:29:22 messiah amavis[17706]: (17706-08) (!!)TROUBLE in check_mail: parts_decode_ext FAILED: file(1) utility (/usr/bin/file) error: run_command (open pipe): Can't fork at /usr/lib/perl/5.10/IO/File.pm line 66. at /usr/sbin/amavisd-new line 2892.
Oct 28 11:29:22 messiah amavis[5378]: (05378-13) (!!)TROUBLE in check_mail: parts_decode_ext FAILED: file(1) utility (/usr/bin/file) error: run_command (open pipe): Can't fork at /usr/lib/perl/5.10/IO/File.pm line 66, line 384. at /usr/sbin/amavisd-new line 2892, line 384.
Oct 28 11:32:06 messiah amavis[17706]: (17706-09) (!!)TROUBLE in check_mail: parts_decode_ext FAILED: file(1) utility (/usr/bin/file) error: run_command (open pipe): Can't fork at /usr/lib/perl/5.10/IO/File.pm line 66. at /usr/sbin/amavisd-new line 2892.
Oct 28 11:35:05 messiah amavis[5378]: (05378-14) (!!)TROUBLE in check_mail: parts_decode_ext FAILED: file(1) utility (/usr/bin/file) error: run_command (open pipe): Can't fork at /usr/lib/perl/5.10/IO/File.pm line 66, line 87. at /usr/sbin/amavisd-new line 2892, line 87.
Oct 28 11:35:05 messiah amavis[17706]: (17706-10) (!!)TROUBLE in check_mail: parts_decode_ext FAILED: file(1) utility (/usr/bin/file) error: run_command (open pipe): Can't fork at /usr/lib/perl/5.10/IO/File.pm line 66, line 133. at /usr/sbin/amavisd-new line 2892, line 133.
Oct 28 11:39:22 messiah amavis[17706]: (17706-11) (!!)TROUBLE in check_mail: parts_decode_ext FAILED: file(1) utility (/usr/bin/file) error: run_command (open pipe): Can't fork at /usr/lib/perl/5.10/IO/File.pm line 66. at /usr/sbin/amavisd-new line 2892.
Oct 28 11:45:26 messiah amavis[5378]: (05378-17) (!!)TROUBLE in check_mail: parts_decode_ext FAILED: file(1) utility (/usr/bin/file) error: run_command (open pipe): Can't fork at /usr/lib/perl/5.10/IO/File.pm line 66, line 774. at /usr/sbin/amavisd-new line 2892, line 774.
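
Most of the mail log posted above is the kernel refusing resources to amavis and Postfix (fork failing, "Cannot allocate memory", "Too many open files in system", "No buffer space available"), plus one client repeatedly hitting pop3d's per-IP connection cap. The script below is an added example and is not from anyone in this thread: it parses a syslog-format mail.log, maps the strerror text in each fatal line to its errno name, buckets those failures by hour, and lists the clients that hit the connection cap. The hour with the most failures is the first timestamp worth comparing against when clients reported the 500 errors. The sample lines are constructed to mirror the ones posted (host name and the one IP are taken from the thread); the `year` argument, the hourly bucket and the errno table are this example's own choices.

```python
"""Pull resource-exhaustion events out of a syslog-style mail.log and bucket them by hour.

Added example, not part of the forum thread. SAMPLE_MAILLOG is constructed to mirror the
posted lines; the errno mapping and hourly bucketing are this example's own choices.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# syslog line: "Oct 28 07:50:01 host prog[pid]: message"  (pid part is optional)
SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$'
)

# strerror() text -> errno name. These are the C library's standard messages, so the
# mapping does not depend on which daemon logged them. Order matters: the longer
# "in system" variant (ENFILE) must be tested before the per-process EMFILE text.
ERRNO_TEXT = {
    "Cannot allocate memory": "ENOMEM",
    "Too many open files in system": "ENFILE",
    "Too many open files": "EMFILE",
    "No buffer space available": "ENOBUFS",
    "Argument list too long": "E2BIG",
    "Can't fork": "FORK_FAILED",   # Perl's wording when fork(2) fails (EAGAIN or ENOMEM)
}

# courier pop3d logs IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d)
POP_LIMIT_RE = re.compile(r'Maximum connection limit reached for (?:::ffff:)?(?P<ip>[\d.]+)')

# Constructed sample, mirroring the shapes in the thread (amavis lines shortened).
SAMPLE_MAILLOG = """\
Oct 22 20:02:25 messiah amavis[19565]: (19565-08) (!!)TROUBLE in check_mail: parts_decode_ext FAILED: file(1) utility (/usr/bin/file) error: run_command (open pipe): Can't fork at /usr/lib/perl/5.10/IO/File.pm line 66.
Oct 28 06:41:26 messiah pop3d: Maximum connection limit reached for ::ffff:190.72.209.155
Oct 28 06:55:31 messiah pop3d: Maximum connection limit reached for ::ffff:190.72.209.155
Oct 28 07:50:01 messiah postfix/smtpd[26508]: fatal: epoll_create: Too many open files in system
Oct 28 08:10:01 messiah master[17645]: fatal: master_spawn: exec /usr/lib/postfix/proxymap: Cannot allocate memory
Oct 28 08:21:03 messiah amavis[5378]: (05378-01) (!!)TROUBLE in check_mail: parts_decode_ext FAILED: file(1) utility (/usr/bin/file) error: run_command (open pipe): Can't fork at /usr/lib/perl/5.10/IO/File.pm line 66.
Oct 28 08:33:34 messiah postfix/smtp[16232]: fatal: smtp_connect_addr: socket: No buffer space available
Oct 28 09:09:22 messiah pipe[22171]: fatal: pipe_command: execvp /usr/bin/maildrop: Argument list too long
Oct 28 09:20:06 messiah postfix/qmgr[1234]: 1A2B3C: removed
"""


def parse_syslog(line, year=2010):
    """Split one syslog line into ts/host/prog/msg; syslog carries no year, so the caller supplies it."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    stamp = " ".join(rec["ts"].split())          # collapse the padding syslog adds before 1-digit days
    rec["ts"] = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return rec


def errno_name(msg):
    """errno name for the first known strerror text in msg, else None."""
    for text, name in ERRNO_TEXT.items():
        if text in msg:
            return name
    return None


def exhaustion_by_hour(lines, year=2010):
    """Return {'YYYY-MM-DD HH': Counter(errno_name -> count)} for resource failures only."""
    buckets = defaultdict(Counter)
    for line in lines:
        rec = parse_syslog(line, year)
        if rec is None:
            continue
        name = errno_name(rec["msg"])
        if name:
            buckets[rec["ts"].strftime("%Y-%m-%d %H")][name] += 1
    return buckets


def connection_limit_hits(lines, year=2010):
    """Clients that hit pop3d's per-IP connection cap, with how often."""
    hits = Counter()
    for line in lines:
        rec = parse_syslog(line, year)
        if rec is None:
            continue
        m = POP_LIMIT_RE.search(rec["msg"])
        if m:
            hits[m.group("ip")] += 1
    return hits


def worst_hour(buckets):
    """The hour with the most resource failures, or None if there were none."""
    if not buckets:
        return None
    return max(buckets.items(), key=lambda kv: sum(kv[1].values()))[0]


if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_MAILLOG.splitlines()
    buckets = exhaustion_by_hour(lines)
    for hour in sorted(buckets):
        print(hour, dict(buckets[hour]))
    print("worst hour:", worst_hour(buckets))
    print("pop3d cap hits:", dict(connection_limit_hits(lines)))
```

Run it as `python3 mailtriage.py /var/log/mail.log` (the file name is an assumption; use whatever path syslog writes the mail facility to). On the constructed sample it reports 08:00 on Oct 28 as the worst hour, which is where ENOMEM, a failed fork and ENOBUFS all land together.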

mini14 29th October 2010 16:35

On the certs.. You have more than one IP number right? You can only use one cert per IP number.

The logs look like what most of us running servers see fairly regularly. These probes come and go kinda in waves from my experience (been running my own webservers since 2000).

As to your specific problem with 500 errors: if these errors occur while valid users are attempting to access their websites, then I'm not sure where to point you... if they are just random 500 errors showing up in your log files, then that may be a result of these probers trying to "form feed" an existing script on your server with data that causes the script to barf. That would be a good thing actually, as it shows that their attempts are futile.

Just my input.. hope it helps.
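
What an administrator reads in the Apache error log posted above: one client walking a list of phpMyAdmin install paths, one client hammering the `w00tw00t.at.ISC.SANS.DFind` scanner banner (sent without a Host header, hence the RFC2616 complaint), a few clients probing the ISPConfig interface for scripts that do not exist, and one `Invalid method in request \x16\x03\x01`, which is a TLS handshake record (content type 0x16, version 3.1 = TLS 1.0) sent to a plain-HTTP port. None of these lines shows a successful access; each is a 404 or a rejected request. The script below is an added example, not code from this thread: it runs those signatures over error_log lines, counts hits per client, and emits the per-IP DROP rules of the kind mini14 suggests once a client passes a threshold. It uses `-I INPUT` so the rule is evaluated before anything already in the chain; swap in `-A` if you want it appended as in mini14's post. The sample lines are constructed to mirror the posted ones (client IPs from the thread, site path replaced by example.com); the signature set, the threshold and the rule format are this example's own choices.

```python
"""Triage Apache 2.2 error_log lines and emit iptables DROP rules for repeat scanners.

Added example, not part of the forum thread. SAMPLE_LOG is constructed to mirror the
posted lines; the signatures, threshold and rule format are this example's own choices.
"""
import re
from collections import Counter, defaultdict

# Apache 2.2 error_log: [date] [level] [client IP] message   (lines without a client part are skipped)
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$')

# Signatures of automated probing, each a regex over the message part.
SIGNATURES = {
    # Enumeration of common phpMyAdmin / web SQL console install paths
    "pma_enum": re.compile(
        r'File does not exist: .*/(phpMyAdmin[\w.-]*|phpmyadmin|[Pp][Mm][Aa]\d*|mysql-?admin'
        r'|php-?my-?admin|sqlmanager|mysqlmanager|websql|sqlweb|webdb|webadmin)$'
    ),
    # DFind scanner banner; it arrives without a Host header, so Apache logs the RFC2616 complaint
    "w00tw00t": re.compile(r'w00tw00t\.at\.ISC\.SANS\.DFind'),
    # Requests for ISPConfig interface scripts that are not part of the install
    "ispconfig_probe": re.compile(r'/usr/local/ispconfig/interface/web/(fastenv|judge\.php|proxyheader\.php)'),
    # \x16\x03\x01 = TLS record header (handshake, TLS 1.0): a ClientHello sent to a plain-HTTP listener
    "tls_to_http": re.compile(r'Invalid method in request \\x16\\x03\\x01'),
}

# Constructed sample mirroring the thread's lines (raw string keeps the literal \x16 text Apache writes).
SAMPLE_LOG = r"""
[Thu Sep 23 06:44:43 2010] [error] [client 72.11.128.37] File does not exist: /var/www/example.com/web/phpMyAdmin-2.6.4
[Thu Sep 23 06:44:45 2010] [error] [client 72.11.128.37] File does not exist: /var/www/example.com/web/phpMyAdmin-2.7.0
[Thu Sep 23 06:44:49 2010] [error] [client 72.11.128.37] File does not exist: /var/www/example.com/web/sqlmanager
[Thu Sep 23 06:44:50 2010] [error] [client 72.11.128.37] File does not exist: /var/www/example.com/web/PMA2005
[Thu Sep 23 06:44:54 2010] [error] [client 72.11.128.37] File does not exist: /var/www/example.com/web/mysqladmin
[Sun Oct 24 05:33:44 2010] [error] [client 168.216.100.4] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Oct 24 05:34:53 2010] [error] [client 168.216.100.4] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Oct 24 07:13:04 2010] [notice] mod_fcgid: call /var/www/example.com/web/mail/index.php with wrapper /var/www/php-fcgi-scripts/web2/.php-fcgi-starter
[Sun Oct 24 15:30:54 2010] [error] [client 188.165.64.234] File does not exist: /usr/local/ispconfig/interface/web/fastenv
[Sun Oct 24 19:23:17 2010] [error] [client 220.255.7.213] File does not exist: /var/www/announce
[Sun Oct 24 19:29:28 2010] [error] [client 194.72.238.62] Invalid method in request \x16\x03\x01
[Sun Oct 24 22:19:47 2010] [error] [client 221.195.73.68] script '/usr/local/ispconfig/interface/web/judge.php' not found or unable to stat
"""


def parse(line):
    """Split one error_log line into ts/level/ip/msg, or None if it has no [client ...] part."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(msg):
    """Label of the first matching signature, or None for ordinary errors."""
    for label, rx in SIGNATURES.items():
        if rx.search(msg):
            return label
    return None


def triage(lines):
    """Return {ip: Counter(label -> hits)} for lines matching a scanner signature."""
    hits = defaultdict(Counter)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        label = classify(rec["msg"])
        if label:
            hits[rec["ip"]][label] += 1
    return hits


def ban_rules(hits, threshold=5):
    """One DROP rule per client with at least `threshold` signature hits, sorted by IP string.
    -I puts the rule at the head of INPUT so an earlier ACCEPT cannot shadow it."""
    return [f"iptables -I INPUT -s {ip} -j DROP"
            for ip, counter in sorted(hits.items())
            if sum(counter.values()) >= threshold]


if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.strip().splitlines()
    hits = triage(lines)
    for ip, counter in sorted(hits.items(), key=lambda kv: -sum(kv[1].values())):
        print(ip, dict(counter))
    print("\n".join(ban_rules(hits)))
```

Point it at a real log with `python3 triage.py /var/log/apache2/error.log` (the path is an assumption; ISPConfig also writes per-site logs, so run it over those too). The threshold keeps a single stray 404 from earning a permanent block; a client that walks twenty phpMyAdmin paths in ten seconds, as 72.11.128.37 does in the posted log, clears it immediately.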

kresser 29th October 2010 16:54

Certs and probes
 
Once again thanks for your input.

I have 7 IPs allocated to this server: one main IP running the MTA for all the virtual domains included in the MySQL database. The MTA's IP is the same one hosting the second website needing the SSL cert installed, because the FQDN of the mail server is part of that root domain. I have another client site set up on a different IP with an installed cert that works fine. When I turn on SSL for the virtual host record that I want to also have SSL, Apache immediately takes a crap and shuts down; upon trying to restart the service it says fatal bind error: address already in use. I have to SSH into the server and remove the SSL option from the vhost's record and restart Apache for everything to come back online. Now my question is: is the problem because ISPConfig's main IP is the same one as the MTA and the same one as this domain I'm trying to enable it for?

About the probing and 500 error: I was wondering if the people trying to force-feed my server these scripts is what is causing it to throw my clients 500 errors upon logging into their mailboxes and folder refreshes. I never had the 500 error problem until my server started getting slammed.......

