
For approximately one month I have been accumulating a lot of entries like the ones listed below in the Apache2 log file on my server. I have spent several days trying to find out if this is really a hack of the server and how to interpret these kinds of entries. I would like to ask for your help to clarify whether this is an attack and, if it is, where to search for the intruder script or file within the server. The referer changes quite frequently, but the requested resources are usually the same, mainly dumped SQL files.

127.0.0.1 - - [01/May/2017:13:05:39 -0500] "GET /sql.sql HTTP/1.1" 404 460 "e5755.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.75 Safari/537.36"

127.0.0.1 - - [01/May/2017:13:05:43 -0500] "GET /db.zip HTTP/1.1" 404 459 "e5755.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.75 Safari/537.36"

127.0.0.1 - - [01/May/2017:13:05:52 -0500] "GET /db.tar.gz HTTP/1.1" 404 470 "smbexperience.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.75 Safari/537.36"

  • There are web crawlers that just target these kinds of URLs on every site they check. I get a lot attempting to find where phpMyAdmin is installed. You could try to block the referrer e5755.com, but they often operate from multiple domains. So just ensure anything that is sensitive data is very secure. – Brett May 01 '17 at 22:57
  • Thanks Brett, for your input. And do you know why the client IP is not an external one? It looks like it is a crawler inserted into my server and running from inside. At least that is the way I interpret the 127.0.0.1 IP. Am I wrong? – Carlos Vasquez May 02 '17 at 11:54
  • Your system may be redirecting to a 404 page; that's why it's giving a localhost (127.0.0.1) entry. But yes, it could be internal, so definitely run a virus/malware scan. – Brett May 02 '17 at 23:41
  • Your recommendation is quite useful. I will do that! Would you recommend a specific virus/malware program for Ubuntu server? I am not so familiar with this kind of software. – Carlos Vasquez May 04 '17 at 08:06
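
One way to triage entries like these, added here as an example and not part of the original post or its comments: parse the Apache combined-format lines, count requests for dump-like file names, and list any that were answered with a 2xx status. The names `summarize`, `LINE_RE`, `DUMP_RE` and the extension list are assumptions, and the last two sample lines are constructed.

```python
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
# Assumption: extensions typical of database dumps and archives, like those in the question.
DUMP_RE = re.compile(r'\.(sql|zip|tar\.gz|tgz|gz|bak|7z|rar)$', re.IGNORECASE)

def summarize(lines):
    """Count requests for dump-like files and list any that were actually served (2xx)."""
    probes = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        # Ignore the query string when checking the file name.
        if m and DUMP_RE.search(m['path'].split('?', 1)[0]):
            probes.append(m.groupdict())
    return {
        'probes': len(probes),
        'served': [p['path'] for p in probes if p['status'].startswith('2')],
        'by_host': Counter(p['host'] for p in probes),
        'by_referer': Counter(p['referer'] for p in probes),
    }

UA = ('Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 '
      '(KHTML, like Gecko) Chrome/50.0.2661.75 Safari/537.36')
SAMPLE = [
    # The three entries from the question.
    f'127.0.0.1 - - [01/May/2017:13:05:39 -0500] "GET /sql.sql HTTP/1.1" 404 460 "e5755.com" "{UA}"',
    f'127.0.0.1 - - [01/May/2017:13:05:43 -0500] "GET /db.zip HTTP/1.1" 404 459 "e5755.com" "{UA}"',
    f'127.0.0.1 - - [01/May/2017:13:05:52 -0500] "GET /db.tar.gz HTTP/1.1" 404 470 "smbexperience.com" "{UA}"',
    # Constructed lines (documentation IP range): a normal page hit and a dump that WAS served.
    '203.0.113.7 - - [01/May/2017:13:06:10 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.47.0"',
    '203.0.113.7 - - [01/May/2017:13:06:12 -0500] "GET /backup.sql HTTP/1.1" 200 52344 "-" "curl/7.47.0"',
]

if __name__ == '__main__':
    report = summarize(SAMPLE)
    print('dump-like requests:', report['probes'])
    print('served with 2xx   :', report['served'] or 'none')
    print('by client address :', dict(report['by_host']))
    print('by referer        :', dict(report['by_referer']))
```

For the three entries in the question every status is 404, so nothing was returned to the requester; a non-empty `served` list is the case that needs follow-up, starting with removing that file from the web root.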
