Apache 200 ok response for non-existant URL

Discussion in 'ISPConfig 3 Priority Support' started by pawan, Oct 22, 2018.

  1. pawan

    pawan Member HowtoForge Supporter

    I have a Joomla site, which was compromised and some sitemap.xml were added to the site. I cleaned everything.
    Now when checking logs I am seeing 404 for most of the urls. URL pattern are like below:
    Code:
    207.46.13.27 - - [22/Oct/2018:01:44:17 +0530] "GET /zq7G85678Hqj4519Y7m HTTP/1.1" 404 1387 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
    157.55.39.156 - - [22/Oct/2018:01:44:27 +0530] "GET /t50280zgY7204j7hd HTTP/1.1" 404 1383 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
    157.55.39.156 - - [22/Oct/2018:01:44:29 +0530] "GET /C4136kab4rB29716gb4 HTTP/1.1" 404 1387 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
    157.55.39.156 - - [22/Oct/2018:01:44:30 +0530] "GET /t4780ziY6648jyvk HTTP/1.1" 404 1383 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
    40.77.167.59 - - [22/Oct/2018:01:44:33 +0530] "GET /1K58772G_4659ebq89 HTTP/1.1" 200 5947 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
    40.77.167.59 - - [22/Oct/2018:01:44:35 +0530] "GET /ejY5Mjc5Tkw3MTc5UWwzdzdp HTTP/1.1" 404 1387 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
    207.46.13.27 - - [22/Oct/2018:01:44:36 +0530] "GET /cy29364lv8F160J8 HTTP/1.1" 404 1383 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
    but for a specific string 200 response is shown. when I visit the site it indeed opens a page showing module variations but the string nowhere exist in my database/filesystem.
    So how come it is not showing 404 and showing 200 response.
    How I can resolve this.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    most likely the hacker encoded the string somewhere in the code of the site in a way that you can not find it with grep or a similar text search tool. Did you try to scan the site for remnant malware e.g. with ispprotect?
     

Share This Page