1
Cuidiu
Help with strange log entry - possible hacking?
  • 2007/5/22 17:37

  • Cuidiu

  • Quite a regular

  • Posts: 358

  • Since: 2006/4/23


I got the following entry in my access log. The host is not helpful at all! Would someone please tell me if this kind of entry is an attempt to hack somehow? Notice the IP address 127.0.0.1 - and there is no foo.jpg in my images folder.

127.0.0.1 - - [01/May/2007:02:00:00 -0500] "GET /images/foo.jpg HTTP/1.0" 200 6429 "http://www.foo.com/" "Mozilla/4.03 [en] (Win95; I ;Nav)"

What should I do?

[size=x-small]EDITED TO ADD:[/size]

I notice this in my Protector settings for the default "Reliable IPs": ^192.168.|127.0.0.1

I do not test from home computer, should both those IPs be included? I'm not sure what they are there for, would someone please explain?

Thanks,

Cuidiu
[size=x-small]Working sites:
XOOPS 2.0.16 PHP 5.2.2, MySQL 5.0.24a-standard-log, Apache/2.0.54 (Unix)
XOOPS 2.2.4, PHP 4.3.10, MySQL 3.23.58, Apache/1.3.33 (Unix)[/size]

2
JMorris
Re: Help with strange log entry - possible hacking?
  • 2007/5/22 18:07

  • JMorris

  • XOOPS is my life!

  • Posts: 2722

  • Since: 2004/4/11


127.0.0.1 is localhost. Meaning the computer the site is hosted on. If you take out that IP, scripts on the site that you want to run, may end up getting blocked.

^192.168. is a non-routable subnet. Meaning, this is for Local Area Networks. Often, a hosting provider will place a large collection of servers behind a NAT Firewall to help prevent against port-based hacks. Again, don't remove that address as it may break things if you do.

As far as the access attempt goes, that looks spoofed. In other words, someone is hiding their real IP and User Agent (browser).

It looks as though they are just sniffing around. They are trying to see if you have fancy indexing turned on.

Make sure your modules are up to date, protector is installed and configured properly, your files and folders are chmod as restrictive as functionally possible, make sure you have an index.html in all writable folders with the following code in it

<script>history.go(-1);script>


For added protection, either turn off indexing through cPanel (if you have it), or add this .htaccess file to your site

OptionsĀ -Indexes


HTH
Insanity can be defined as "doing the same thing over and over and expecting different results."

Stupidity is not a crime. Therefore, you are free to go.

3
Cuidiu
Re: Help with strange log entry - possible hacking?
  • 2007/5/22 18:49

  • Cuidiu

  • Quite a regular

  • Posts: 358

  • Since: 2006/4/23


Thank you JMorris for that detailed explanation! Very helpful! I just upgraded this morning to the most recent Protector and have already employed the other methods you suggest so it looks like I'm doing about as much as possible. Thank you again.

Cuidiu
[size=x-small]Working sites:
XOOPS 2.0.16 PHP 5.2.2, MySQL 5.0.24a-standard-log, Apache/2.0.54 (Unix)
XOOPS 2.2.4, PHP 4.3.10, MySQL 3.23.58, Apache/1.3.33 (Unix)[/size]

Login

Who's Online

335 user(s) are online (277 user(s) are browsing Support Forums)


Members: 0


Guests: 335


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits