Security question.

romand Member Posts: 21
Hi all,

Can anybody confirm my thoughts?

Today I watched logs on my website and noticed some strange info.

Can this be considered a hacker attempt? I don't have any CGI program installed on my web site; it is just plain HTML. I suppose that someone installed malware on my website and uses a link to redirect emails to his own email. Is it possible? I know who it is (my web site is still private, and I gave the URL only to my cousin from Ukraine), but I am not sure what he was trying to do. Thanks

This:
122.160.99.22 - - [22/Aug/2009:08:42:03 -0700] "GET www.mywebsite.com/ HTTP/1.1" 200 3276 "-" "-"
122.160.99.22 - - [22/Aug/2009:08:42:03 -0700] "GET www.mywebsite.com/Contact.html HTTP/1.1" 200 2314 "-" "-"
194.44.15.7 - - [22/Aug/2009:23:51:53 -0700] "GET www.mywebsite.com/ HTTP/1.1" 200 3276 "http://mail.rambler.ru/mail/mail.cgi?mode=obj;mbox=INBOX&r=f6d8;what=10799" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; GTB6; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
194.44.15.7 - - [22/Aug/2009:23:51:53 -0700] "GET www.mywebsite.com/Home.jpg HTTP/1.1" 200 873 "http://www.mywebsite.com/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; GTB6; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
194.44.15.7 - - [22/Aug/2009:23:51:54 -0700] "GET www.mywebsite.com/Contact.jpg HTTP/1.1" 200 959 "http://www.mywebsite.com/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; GTB6; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"

And this:

91.124.51.202 - - [31/Aug/2009:01:42:42 -0700] "GET mywebsite.com/ HTTP/1.0" 200 3264 "http://mail.rambler.ru/mail/mail.cgi?mode=obj;mbox=INBOX&r=f6d8;what=10873" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; ToolKit; .NET CLR 2.0.50727; InfoPath.1)"
91.124.51.202 - - [31/Aug/2009:01:42:42 -0700] "GET mywebsite.com/How_It_Works.jpg HTTP/1.0" 200 1296 "http://mywebsite.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; ToolKit; .NET CLR 2.0.50727; InfoPath.1)"
91.124.51.202 - - [31/Aug/2009:01:42:42 -0700] "GET mywebsite.com/Home.jpg HTTP/1.0" 200 873 "http://mywebsite.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; ToolKit; .NET CLR 2.0.50727; InfoPath.1)"

Comments

  • msteinhilber Member Posts: 1,480
    That link with the .cgi extension looks like the referrer URL, which would make sense with your cousin in Ukraine: the domain ends in .ru, and the IP address that is logged is allocated from RIPE, which handles IPs in that region.

    Did you e-mail your cousin a link to your website? He probably clicked the link through his e-mail provider's web-based e-mail system, hence the referrer URL.
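To make the distinction msteinhilber is drawing concrete, here is an added example (my own code, not something from the thread or from the poster's hosting provider): a small parser for Apache "combined" log lines that separates the *request path*, which is what the client asked our server for, from the *referer*, which is only the page the client came from. The sample lines are constructed to mirror the ones posted above; the local hostnames mywebsite.com / www.mywebsite.com and the final line, a hypothetical 404 for a PHP mailer path, are assumptions for illustration. Only a script extension in the request path would mean someone is hitting code on *our* host; a .cgi in the referer is the webmail provider's code.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Apache "combined" format:
#   host ident user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumed: the hostnames the poster's own site answers to.
LOCAL_HOSTS = {"mywebsite.com", "www.mywebsite.com"}

# Extensions a plain-HTML site has no business executing server-side.
SCRIPT_EXT = (".cgi", ".php", ".pl", ".asp", ".aspx", ".jsp")


@dataclass
class Entry:
    host: str               # client IP
    method: str
    path: str               # what was requested from OUR server
    status: int
    referer: Optional[str]  # where the client came from; not a request to us
    agent: str


def parse_line(line: str) -> Entry:
    """Parse one combined-format line into its fields."""
    m = COMBINED_RE.match(line)
    if not m:
        raise ValueError(f"not a combined-format line: {line!r}")
    target = m.group("target")
    # The poster's log prefixes the request with the host name
    # ("GET www.mywebsite.com/Contact.html"); normalise to a bare path.
    if not target.startswith("/") and "://" not in target:
        target = "/" + target.split("/", 1)[1] if "/" in target else "/"
    referer = m.group("referer")
    return Entry(
        host=m.group("host"),
        method=m.group("method"),
        path=urlsplit(target).path,
        status=int(m.group("status")),
        referer=None if referer == "-" else referer,
        agent=m.group("agent"),
    )


def script_requests(entries: List[Entry]) -> List[Entry]:
    """Requests whose PATH names a server-side script: the only case where
    someone is probing for, or executing, code that runs on our host."""
    return [e for e in entries if e.path.lower().endswith(SCRIPT_EXT)]


def external_referers(entries: List[Entry]) -> Dict[str, int]:
    """Count the hosts visitors came FROM, ignoring our own internal navigation.
    A .cgi URL here belongs to the referring site, not to ours."""
    counts: Dict[str, int] = {}
    for e in entries:
        if not e.referer:
            continue
        host = urlsplit(e.referer).netloc.lower()
        if host and host not in LOCAL_HOSTS:
            counts[host] = counts.get(host, 0) + 1
    return counts


def triage(lines: List[str]) -> Dict[str, object]:
    entries = [parse_line(l) for l in lines]
    return {
        "script_requests": [(e.host, e.path, e.status) for e in script_requests(entries)],
        "external_referers": external_referers(entries),
    }


# Constructed sample, modelled on the lines posted in the thread (user agents
# shortened). The last line is invented to show what a script request looks like.
SAMPLE_LOG = [
    '122.160.99.22 - - [22/Aug/2009:08:42:03 -0700] "GET www.mywebsite.com/ HTTP/1.1" 200 3276 "-" "-"',
    '194.44.15.7 - - [22/Aug/2009:23:51:53 -0700] "GET www.mywebsite.com/ HTTP/1.1" 200 3276 '
    '"http://mail.rambler.ru/mail/mail.cgi?mode=obj;mbox=INBOX&r=f6d8;what=10799" "Mozilla/4.0 (compatible; MSIE 8.0)"',
    '194.44.15.7 - - [22/Aug/2009:23:51:53 -0700] "GET www.mywebsite.com/Home.jpg HTTP/1.1" 200 873 '
    '"http://www.mywebsite.com/" "Mozilla/4.0 (compatible; MSIE 8.0)"',
    '91.124.51.202 - - [31/Aug/2009:01:42:42 -0700] "GET mywebsite.com/ HTTP/1.0" 200 3264 '
    '"http://mail.rambler.ru/mail/mail.cgi?mode=obj;mbox=INBOX&r=f6d8;what=10873" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '203.0.113.9 - - [01/Sep/2009:03:10:11 -0700] "GET mywebsite.com/webformmailer.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the posted lines, the referer column is the only place mail.cgi appears, so it never shows up under script_requests; the invented last line does, because there the script name is in the request path itself. That is the check to run before worrying about a "CGI" in the log: is it what was asked of your server, or merely where the visitor came from?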
  • romand Member Posts: 21
    msteinhilber wrote: »
    That link with the .cgi extension looks like the referrer URL, which would make sense with your cousin in Ukraine: the domain ends in .ru, and the IP address that is logged is allocated from RIPE, which handles IPs in that region.

    Did you e-mail your cousin a link to your website? He probably clicked the link through his e-mail provider's web-based e-mail system, hence the referrer URL.

    Yes, I mailed a link to my web site to my cousin. And I know that the IP address is assigned to the city in which he lives, and the mail provider is the one he uses. But I also sent the link in an email to a few friends here in the USA, and their log entries were different. Maybe I am getting paranoid, but I found a strange file on my server.
  • L0gicB0mb508 Member Posts: 538
    romand wrote: »
    Yes, I mailed a link to my web site to my cousin. And I know that the IP address is assigned to the city in which he lives, and the mail provider is the one he uses. But I also sent the link in an email to a few friends here in the USA, and their log entries were different. Maybe I am getting paranoid, but I found a strange file on my server.

    What exactly is the strange file you see? What's the name and extension? Have you opened it and looked at the contents of the file?
    I bring nothing useful to the table...
  • romand Member Posts: 21
    What exactly is the strange file you see? What's the name and extension? Have you opened it and looked at the contents of the file?

    The file is GoDaddy's webformmailer.php. As I understand it, it can be used instead of a CGI file. My web browser shows that the symbolic link is invalid for this file. Here is info about this file:

    Using PHP Form Mailers - GoDaddy Help Center, Search the GoDaddy Knowledge Base

    I tried to open or download this file with FileZilla, but the message was: Failed to retrieve directory listing. But I am able to download and open other PHP files.

    I would not have paid much attention to that log if I had not known that guy:)

    But now I think msteinhilber is right; it is just the e-mail provider's web-based e-mail system. Thank you though!
  • bgrablin Member Posts: 86
    I agree, it is a strange file that was on your server. But then again, it's still true.
    "The object of war is not to die for your country but to make the other bastard die for his."
    -General George S. Patton

  • romand Member Posts: 21
    I just noticed that there is a real website with the name I substituted for my own website in this post. Sorry for that; I changed it to protect my security. :)