my server seems to be doing some attacking:

edwardsmarkf · October 20, 2014, 5:35pm

hello - i received a nasty-gram about my server hacking from a German server that provided me with the following information (below). in order to understand the German stuff, i was forced to watch several episodes of “Hogans Heroes”.

the (supposed) offending programs were:

virtue-now.net/cgi-bin/php5.cgi
bayern-polen.info/cgi-bin/php5.cgi

which neither domain name is on my server.

since the offending programs were php5.cgi, i assume this is virtualmin?

files sent to me: were 199-231-184-26.txt and report.txt (both attached)

any suggestions?? thank you!

edwardsmarkf · October 20, 2014, 5:47pm

sorry attachment option not working for me today. here is what i am seeing:

EXCERPT FROM SERVER LOGFILE
virtue-now.net/cgi-bin/php5.cgi (Proto: HTTP/1.1 / Local-IP: 130.185.109.77 / Local-Port: 80)
bayern-polen.info/cgi-bin/php5.cgi (Proto: HTTP/1.1 / Local-IP: 130.185.108.125 / Local-Port: 80)

report.txt:

---
Reported-From: abuse-out@checkdomain.de
Category: abuse
Report-Type: hack-attack
Service: http
Version: 0.1
User-Agent: Checkdomain Express 0.19
Date: Sun, 19 Oct 2014 18:58:21 +0200
Source-Type: ipv4
Source: 199.231.184.26
Port: 80
Report-ID: 107111948337@checkdomain.de
Schema-URL: http://www.blocklist.de/downloads/schema/info_0.1.1.json
Attachment: text/plain

Eric · October 20, 2014, 6:01pm

Howdy,

The php5.cgi script is how PHP scripts are executed. That is running the PHP as CGI or FCGID.

That likely means that there is a malicious PHP script within your website that is being used to attack the other server.

My suggestion would be to review the PHP scripts within that domain to make sure you don’t see any that are abnormal.

I would also recommend making sure that any web apps you have installed are fully up to date, as older versions of web apps can contain security vulnerabilities.

-Eric