Checking Apache for possible hack

-
1. Edit php.ini

sendmail_path = /usr/local/bin/phpsendmail

create a filter file wrapper. I saw this one and it is very handy.

/usr/local/bin/phpsendmail


#!/usr/bin/php
<?php

/**
  This script is a sendmail wrapper for php to log calls of the php mail() function.
  Author: Till Brehm, www.ispconfig.org
  (Hopefully) secured by David Goodwin <david @ _palepurple_.co.uk>
*/

$sendmail_bin = '/usr/sbin/sendmail';
$logfile = '/var/log/mail.form';

//* Get the email content
$logline = '';
$pointer = fopen('php://stdin', 'r');

while ($line = fgets($pointer)) {
        if(preg_match('/^to:/i', $line) || preg_match('/^from:/i', $line)) {
                $logline .= trim($line).' ';
        }
    $mail .= $line;
}

//* compose the sendmail command
$command = 'echo ' . escapeshellarg($mail) . ' | '.$sendmail_bin.' -t -i';
for ($i = 1; $i < $_SERVER['argc']; $i++) {
        $command .= escapeshellarg($_SERVER['argv'][$i]).' ';
}


 You will see all logs at  /var/log/mail.form


---------------------------------------------------------------------------------------------------------------------------------
grep all post on httpd access log


146.1.73.155 0 0 [28/Jul/1967:07:33:43 -0700] POST /administrator/index.php HTTP/1.1 200 4309 http://sampledomain.com/administrator/index.php?option=com_login
146.0.75.212 0 0 [28/Jul/1967:08:15:42 -0700] POST /administrator/index.php HTTP/1.1 200 4309 http://sampledomain.com/administrator/index.php?option=com_login
214.2.175.16 0 0 [28/Jul/1967:08:54:10 -0700] POST /administrator/index.php HTTP/1.1 200 4309 http://sampledomain.com/administrator/index.php?option=com_login
126.11.74.28 0 0 [28/Jul/1967:10:17:05 -0700] POST /administrator/index.php HTTP/1.1 200 4309 http://sampledomain.com/administrator/index.php?option=com_login
167.137.209.44 0 0 [28/Jul/2013:10:40:27 -0700] POST /administrator/index.php HTTP/1.1 303 0 http://www.sampledomain.com/administrator/
213.111.175.11 0 0 [28/Jul/1967:11:03:01 -0700] POST /administrator/index.php HTTP/1.1 200 4309 http://sampledomain.com/administrator/index.php?option=com_login
146.0.74.211 0 0 [28/Jul/1967:11:44:04 -0700] POST /administrator/index.php HTTP/1.1 200 4309 http://sampledomain.com/administrator/index.php?option=com_login

Comments

Post a Comment

Popular posts from this blog

Black screen after logging in on Windows 2012 R2 using domain credentials on remote desktop connection

-
https://support.microsoft.com/en-us/kb/970879 Blank Desktop on Windows Vista or Windows Server 2008  Email  Print Source:  Microsoft Support RAPID PUBLISHING RAPID PUBLISHING ARTICLES PROVIDE INFORMATION DIRECTLY FROM WITHIN THE MICROSOFT SUPPORT ORGANIZATION. THE INFORMATION CONTAINED HEREIN IS CREATED IN RESPONSE TO EMERGING OR UNIQUE TOPICS, OR IS INTENDED SUPPLEMENT OTHER KNOWLEDGE BASE INFORMATION. Symptom After logging on to a Windows Vista or Windows Server 2008 computer, you are presented with a blank screen with no Start Menu, shortcuts, or icons. If you reboot and use F8 to boot to Safe Mode with Networking, you will see your normal desktop.  You may see the following events in the Application log:  Log Name: Application  Source: Microsoft-Windows-Winlogon  Event ID: 4006  Level: Warning  User: N/A  Computer: M1.Contoso.com  Description:  The Windows logon process has failed to spawn a user application. Application name: . Command line parameters:
Read more

Client denied by server configuration error

-
Client denied by server configuration error in Apache. Wed, 01/23/2008 - 00:33 — artur Just in case if somebody else has a similar problem and can't get the Apache server working as expected. I have tried to setup proxy_mod under apache to forward HTTP traffic from AJAX Jabber client to the Bosh component running on Tigase server. It was working fine for a long time on my Gentoo server. I have recently wanted to run more tests on a separate machine and had this problem. It was a system based on the Debian distribution and the proxy_mod didn't want to work at all displaying the error message in a log file: [error] [client ::1] client denied by server configuration: proxy:http://127.0.0.1:5280/xmpp/ , referer: http://localhost/F5A379CEC35AEBCC5FFA11BA8A33CD02.cache.html All you need to do is to modify proxy.conf file for your Apache2 installation and setup proper permissions. By default the proxy is disabled for all. In my case I had to enable it just f
Read more

Can't use proxy because no authentication schemes are fully configured.

-
So you are having problems on webmin + squid authentication ? My current setup is below. I was eating my finger nails asking why before it was working and now it doesnt. System hostname localhost.localdomain (127.0.0.1) Operating system CentOS Linux 6.3 Webmin version 1.620 Virtualmin version 3.98.gpl GPL Earn  money  register free! [root@122 ~]# service squid start Starting squid:                                            [FAILED] 2013/02/23 00:17:00| Processing Configuration File: /etc/squid/squid.conf (depth 0) 2013/02/23 00:17:00| ERROR: '0.0.0.0/0.0.0.0' needs to be replaced by the term 'all'. 2013/02/23 00:17:00| SECURITY NOTICE: Overriding config setting. Using 'all' instead. 2013/02/23 00:17:00| WARNING: (B) '::/0' is a subnetwork of (A) '::/0' 2013/02/23 00:17:00| WARNING: because of this '::/0' is ignored to keep splay tree searching predictable 2013/02/23 00:17:00| WARNING: You should probably remov
Read more