
Have I been hacked?


egdavies

1:53 am on Jan 3, 2015 (gmt 0)

10+ Year Member



Hi all,

I have been noticing a lot of activity on my apache server of late. The error_log file is huge, with lots of the entries similar to the following:

^M
< HTTP/1.1 302 Found^M
< Date: Sat, 03 Jan 2015 01:52:43 GMT^M
< Server:* About to connect() to example.com port 80 (#0)
* Trying 000.000.000.000... * connected
* Connected to example.com (000.000.000.000) port 80 (#0)
> GET / HTTP/1.1^M
Host: example.com^M
Accept: */*^M
Content-type: text/xml^M
Content-length: 0^M
^M


In addition to many other similar entries and attempts to connect to external websites. Have I been hacked? Is my server being used as a reverse proxy?

Any help you guys can offer will be greatly appreciated.

Cheers,
Eddie

lammert

10:37 am on Jan 4, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Hi Eddie, first of all Welcome to WebmasterWorld!

My error_log file has a totally different layout, more like

[Sun Jan 04 11:20:06 2015] [error] [client 11.22.33.44] File does not exist: /var/www/example.com/test

Is the block you posted from the error_log file, or from another source?

egdavies

11:25 am on Jan 4, 2015 (gmt 0)

10+ Year Member



Hi lammert,

Thanks for the welcome.

The output was from /var/log/httpd/error_log the other entries in the log file are similar to your example though.

I have managed to narrow it down to output from curl, which I then thought would be a compromised site, so I then went to check the error logs from each of the domains I manage. I found similar log entries on one of the domains, and the traffic on that domain had increased about 200-fold!

The files in question were to do with a Joomla plugin for google maps which were acting as a proxy with curl. I have removed the offending plugin and as the version of Joomla was prehistoric (v1.6) I have disabled the site for now and everything has returned to normal.

Cheers,
Eddie
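A small triage script for the situation Eddie describes, added here as an illustration and not code from the thread or from any Joomla plugin: it scans an Apache error_log for the curl verbose lines quoted above (`* About to connect() to ... port N` and `* Connected to host (ip) port N`), counts where the server has been making outbound requests, and flags targets that are not among the domains you own. Curl's verbose output in error_log at all is a sign that some PHP code on the box is fetching URLs on behalf of visitors; outbound connections to hosts you do not own are the stronger indicator of an open-proxy abuse. The sample log text, the hostnames `maps.example.net` and the IP `203.0.113.10` are constructed for the example.

```python
import re
import sys
from collections import Counter

# Constructed sample of /var/log/httpd/error_log content, modelled on the
# curl verbose output and the "File does not exist" line quoted in the thread.
# The "\r" characters stand for the ^M that cat -v / less show at line ends.
SAMPLE_ERROR_LOG = (
    "[Sun Jan 04 11:20:06 2015] [error] [client 11.22.33.44] File does not exist: /var/www/example.com/test\n"
    "* About to connect() to example.com port 80 (#0)\n"
    "*   Trying 000.000.000.000... * connected\n"
    "* Connected to example.com (000.000.000.000) port 80 (#0)\n"
    "> GET / HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Accept: */*\r\n"
    "< HTTP/1.1 302 Found\r\n"
    "* About to connect() to maps.example.net port 443 (#0)\n"   # constructed external target
    "* Connected to maps.example.net (203.0.113.10) port 443 (#0)\n"
    "* About to connect() to example.com port 80 (#0)\n"
    "[Sun Jan 04 11:21:10 2015] [error] [client 11.22.33.44] File does not exist: /var/www/example.com/favicon.ico\n"
)

# curl's pre-connect and post-connect verbose lines (curl 7.x wording, as quoted in the thread)
CONNECT_RE = re.compile(r"^\* About to connect\(\) to (?P<host>\S+) port (?P<port>\d+)")
CONNECTED_RE = re.compile(r"^\* Connected to (?P<host>\S+) \((?P<ip>[^)]+)\) port (?P<port>\d+)")
# a normal Apache 2.2-style error_log line
APACHE_RE = re.compile(r"^\[[^\]]+\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\]")


def clean(line):
    """Drop a literal '^M' (from cat -v copies) and any trailing CR/LF."""
    return line.replace("^M", "").rstrip("\r\n")


def extract_curl_connections(log_text):
    """Return [(host, port), ...] for every curl 'About to connect()' line, in log order."""
    found = []
    for raw in log_text.splitlines():
        m = CONNECT_RE.match(clean(raw))
        if m:
            found.append((m.group("host"), int(m.group("port"))))
    return found


def resolved_targets(log_text):
    """Map each host curl actually reached to the set of IPs it connected to."""
    targets = {}
    for raw in log_text.splitlines():
        m = CONNECTED_RE.match(clean(raw))
        if m:
            targets.setdefault(m.group("host"), set()).add(m.group("ip"))
    return targets


def summarize(log_text, owned_hosts):
    """Build a triage report; owned_hosts is the set of domains this server legitimately serves."""
    conns = extract_curl_connections(log_text)
    by_host = Counter(host for host, _ in conns)
    external = {h: n for h, n in by_host.items() if h not in owned_hosts}
    apache_errors = sum(1 for raw in log_text.splitlines() if APACHE_RE.match(clean(raw)))
    return {
        "curl_connects": len(conns),          # how many outbound fetches curl logged
        "by_host": dict(by_host),             # outbound fetches per destination host
        "external": external,                 # destinations that are not your own domains
        "apache_errors": apache_errors,       # ordinary Apache error lines, for scale
        "suspicious": len(conns) > 0,         # curl chatter in error_log warrants a look at all
    }


if __name__ == "__main__":
    # usage: python check_error_log.py /var/log/httpd/error_log example.com other-domain.tld
    path = sys.argv[1] if len(sys.argv) > 1 else None
    owned = set(sys.argv[2:])
    text = open(path, errors="replace").read() if path else SAMPLE_ERROR_LOG
    report = summarize(text, owned or {"example.com"})
    print(f"curl outbound connects: {report['curl_connects']}  (apache error lines: {report['apache_errors']})")
    for host, n in sorted(report["by_host"].items(), key=lambda kv: -kv[1]):
        tag = "EXTERNAL" if host in report["external"] else "owned"
        print(f"  {n:6d}  {host}  [{tag}]")
    if report["external"]:
        print("Outbound fetches to hosts you do not own: check for a proxy-style plugin or script.")
```

Run it against the real log with the domains you host as extra arguments; with no arguments it runs over the constructed sample. A destination list dominated by hosts you do not own, from a log that should only contain Apache's own messages, is the pattern Eddie found, and the next step is the same as his: locate the script that shells out to curl and remove or restrict it.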

lucy24

6:44 pm on Jan 4, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I have removed the offending plugin ... and everything has returned to normal

Whew. Your question would otherwise have taken a while to hammer out, because unlike most questions posted in this subforum it seemed to require someone who speaks Apache.

wilderness

2:41 pm on Jan 5, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



client 11.22.33.44


Might anybody have a clue if this is the result of an IPV6 range?

Gmail uses all 10's in their headers and it is my understanding that is a result of IPV6. Some while back, I could occasionally go into gmail headers and abstract other IPs.

lammert

2:53 pm on Jan 5, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



@wilderness: LOL, it is just an example IP address ;)

wilderness

3:04 pm on Jan 5, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



There's one born every minute ;)