My host name delivering somebody else's content?
catwalkx
post Dec 2 2003, 01:19 PM
Post #1





I have a horrible feeling about this.

In WHM, in Apache status, I see in the vhosts column much activity for the hostname of my machine (I'll call it my.hostname.com). This cannot be possible, since this is the hostname of my machine, and has no webserver set up for it, and isn't even a virtual account.

Now, it is requesting images from an account I deleted an hour ago because I suspected they were spamming. And now the same images that this now suspended account was using are apparently being delivered by my host name. I cannot think of any legitimate reason for this to occur.

Could my machine have been hijacked somehow?
beebware
post Dec 2 2003, 02:08 PM
Post #2





If people use the preview URL - such as http://127.0.0.1/~username/ then that will show up as being from your main hostname.

However, just because an entry is showing up in the Apache Status display doesn't necessarily mean a file is being served - it could just be a 404 (Not found) error being returned. Try the full URL in your browser to see what you get.
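The check suggested in the post above (is a /~username/ hit under the main hostname actually serving a file, or only returning 404?) can be run over the access log in bulk instead of one URL at a time. This is an added example, not part of the original thread; it assumes Apache's common/combined log format, and the log lines, account names and IP addresses are constructed.

```python
import re
from collections import Counter

# Apache common/combined format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# mod_userdir URLs look like /~username/rest/of/path
USERDIR_RE = re.compile(r'^/~(?P<user>[^/?]+)(?P<rest>/[^?]*)?')

def summarize_userdir(lines):
    """Tally /~user/ requests by (user, path, status code)."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-request line
        u = USERDIR_RE.match(m.group("path"))
        if not u:
            continue  # not a userdir request
        key = (u.group("user"), u.group("rest") or "/", int(m.group("status")))
        hits[key] += 1
    return hits

def served_vs_missing(hits):
    """Per user: (requests answered with content, requests answered 404)."""
    out = {}
    for (user, _path, status), n in hits.items():
        served, missing = out.get(user, (0, 0))
        if 200 <= status < 300 or status == 304:
            served += n
        elif status == 404:
            missing += n
        out[user] = (served, missing)
    return out

# Constructed sample lines: "olduser" is a removed account, "newuser" a live one.
SAMPLE = [
    '203.0.113.7 - - [02/Dec/2003:15:01:10 -0600] "GET /~olduser/img/a.gif HTTP/1.1" 404 283',
    '203.0.113.9 - - [02/Dec/2003:15:01:11 -0600] "GET /~olduser/img/b.gif HTTP/1.1" 404 283',
    '198.51.100.4 - - [02/Dec/2003:15:01:11 -0600] "GET /~olduser/img/a.gif HTTP/1.1" 404 283',
    '198.51.100.4 - - [02/Dec/2003:15:01:12 -0600] "GET /~newuser/img/a.gif HTTP/1.1" 200 5120',
    '192.0.2.15 - - [02/Dec/2003:15:01:13 -0600] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    hits = summarize_userdir(SAMPLE)
    for key, n in hits.most_common():
        print(n, key)
    print(served_vs_missing(hits))
```

A removed account that shows only 404s is stale inbound traffic; a non-zero "served" count for it means files are still reachable through the hostname and the account's home directory needs checking.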
catwalkx
post Dec 2 2003, 03:02 PM
Post #3





Yes, and I have mod_userdir activated.

What concerns me is that it is cycling the same three images over and over again. These three images were on a site that I deleted earlier today because of spamming. Also, (the biggy) the accesses per hour number in the thousands. So I am highly suspicious.
Lippy
post Dec 2 2003, 04:05 PM
Post #4





Name a file exactly what everyone is pulling up, explaining that the site has been shut down due to spam and various other important information.


--------------------
Lippy
LipWeb.Net
"Less Lip, More Service"
catwalkx
post Dec 2 2003, 04:10 PM
Post #5





I'm sorry, I don't understand. And I thank you for your ongoing input.
beebware
post Dec 2 2003, 04:39 PM
Post #6





Basically, if people are accessing URLs such as:
http://yourhost.example.com/~username/spammedpage.html

Then create a new user on your server with the same username and save a file called spammedpage.html in the user's public_html folder saying something like "User removed for spamming".

I know when we had a fake Paypal site on one of our boxes, we yanked the site (after making a copy for forensic/evidence/notification purposes: we sent the list of collected emails to Paypal so they could inform customers) and replaced the site with a page saying "You received a fraudulent email claiming to be from Paypal - this was not the case... Yadda, yadda yadda - please see Paypal's Account Protection page at blahblahblah" type thing.
catwalkx
post Dec 2 2003, 04:44 PM
Post #7





I will try that. I am 100 percent certain that my box has been compromised. Ten minutes ago I added a site, which now is the target of the GET requests... thousands of them already, for a site I added minutes ago.

Huge thanks for your time.