Go Back   HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > ISPConfig 3 > General

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Reply
 
Thread Tools Display Modes
  #1  
Old 9th October 2012, 21:20
cbj4074 cbj4074 is offline
Senior Member
 
Join Date: Nov 2010
Posts: 386
Thanks: 28
Thanked 58 Times in 50 Posts
Default script '/usr/local/ispconfig/interface/web/login_up.php3' not found or unable to stat

Hi, everyone,

I've been seeing the following types of entries in /var/log/apache2/error.log, at a rate of 10 entries per second:

Code:
[Tue Oct 09 05:53:11 2012] [error] [client XXX.XXX.XXX.XXX] script '/usr/local/ispconfig/interface/web/login_up.php3' not found or unable to stat
What might the user-agent be doing (or attempting to do) that would cause such a message to be logged?

In particular, I'm curious as to why the logged message references a file-system path, as opposed to a URL. This seems to indicate that the user-agent is targeting a specific PHP script that attempts to load a different PHP script from the file-system.

Last edited by cbj4074; 9th October 2012 at 21:22.
Reply With Quote
Sponsored Links
  #2  
Old 10th October 2012, 08:17
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 35,421
Thanks: 812
Thanked 5,205 Times in 4,081 Posts
Default

Did you had plesk installed on that server before as there is a script with that name in pleask but not in ispconfig:

http://kb.parallels.com/en/1798

so maybe there is a script from plesk or a script developed for plesk installed on the server that searches for this script or an attacker thinks that this is a plesk install. When you access the script by http, the path /usr/local/ispconfig/interface/web/login_up.php3 is the equivalent to /login_up.php3 of the ispconfig controlpanel vhost, so it might be that the script can not identify that its not plesk while searching for the script.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #3  
Old 11th October 2012, 16:19
cbj4074 cbj4074 is offline
Senior Member
 
Join Date: Nov 2010
Posts: 386
Thanks: 28
Thanked 58 Times in 50 Posts
 
Default

Hi, Till, thanks for your response.

Plesk has never been installed on this server, but ISPConfig is configured to use the same port that Plesk uses (8443). This is probably why the probing software thought that the server is running Plesk.

What you say regarding the file path translation makes sense.

It sounds like I can ignore these probes, as they will never be successful if they're looking for Plesk.

Thanks again for the thorough explanation!
Reply With Quote
Reply

Bookmarks

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
ioncube install kwickcut Installation/Configuration 6 17th May 2013 21:00
ISPConfig 3.0.3.3 Autoresponder, adding subdomain problem BlackHat Installation/Configuration 4 18th October 2011 14:24
Compromised Host acecjh General 6 22nd April 2011 08:35
One site contaminated by r57shell aceyzeriat Installation/Configuration 21 13th May 2009 12:19
Cannot log onto pop3 server Debian Etch Perfect Server docean Installation/Configuration 2 19th March 2008 00:23


All times are GMT +2. The time now is 02:22.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.