php5.cgi attacking?

edwardsmarkf · October 20, 2014, 5:21pm

hello - i received a nasty-gram about my server hacking from a German server that provided me with the following information (below). in order to understand the German stuff, i was forced to watch several episodes of “Hogans Heroes”.

the (supposed) offending programs were:

virtue-now.net/cgi-bin/php5.cgi
bayern-polen.info/cgi-bin/php5.cgi

which neither domain name is on my server.

since the offending programs were php5.cgi, i assume this is virtualmin?

any suggestions?? thank you!

files sent to me:

199-231-184.26.txt

DETAILS ZU DEN ATTACKEN/STÖRUNGEN | DETAILS OF THE ATTACKS
(letzten 60 Tage / max. 100 St.) | (last 60 days / max. 100 hits)

|
IP-NUMBER: 199.231.184.26
|
| HOSTNAME : comptonpeslonline.com

| TIMESTAMP | ATTACKS | Port | TARGET-HOST

| 2014-10-19T18:35:18+02:00 | backdoor scann | 80 | host11.checkdomain.de |

| 2014-10-18T23:40:55+02:00 | backdoor scann | 80 | host11a.checkdomain.de |

VORHERIGE SPERREN DER IP-NUMMER

BANNED HISTORY OF THIS IP-NUMBER

199.231.184.26: this ip-number
was never banned before

AUZUG AUS SERVERLOGDATEI | EXCERPT FROM SERVER LOGFILE

virtue-now.net/cgi-bin/php5.cgi (Proto: HTTP/1.1 / Local-IP: 130.185.109.77 / Local-Port: 80)

bayern-polen.info/cgi-bin/php5.cgi (Proto: HTTP/1.1 / Local-IP: 130.185.108.125 / Local-Port: 80)

report.txt

Reported-From: abuse-out@checkdomain.de
Category: abuse
Report-Type: hack-attack
Service: http
Version: 0.1
User-Agent: Checkdomain Express 0.19
Date: Sun, 19 Oct 2014 18:58:21 +0200
Source-Type: ipv4
Source: 199.231.184.26
Port: 80
Report-ID: 107111948337@checkdomain.de
Schema-URL: http://www.blocklist.de/downloads/schema/info_0.1.1.json
Attachment: text/plain

edwardsmarkf · October 20, 2014, 6:06pm

sorry, having trouble with the forum interface today.

i took their German timestamps and subtracted six (for EST) but didnt see anything unusual in my log files during that time period.

here is what i am seeing in the 199-231-184-26.txt file that was sent to me:

|---------------------------------------------------------
| TIMESTAMP                  | ATTACKS             | Port  | TARGET-HOST                
|--------------------------------------------------------
| 2014-10-19T18:35:18+02:00  | backdoor scann      | 80    | host11.checkdomain.de      |
| 2014-10-18T23:40:55+02:00  | backdoor scann      | 80    | host11a.checkdomain.de     |
|---------------------------------------------------------

| BANNED HISTORY OF THIS IP-NUMBER
-----------------------------------------------------------------------------------------
199.231.184.26: this ip-number was never banned before
-----------------------------------------------------------------------------------------
EXCERPT FROM SERVER LOGFILE
virtue-now.net/cgi-bin/php5.cgi (Proto: HTTP/1.1 / Local-IP: 130.185.109.77 / Local-Port: 80)
bayern-polen.info/cgi-bin/php5.cgi (Proto: HTTP/1.1 / Local-IP: 130.185.108.125 / Local-Port: 80)

report.txt file:

---
Reported-From: abuse-out@checkdomain.de
Category: abuse
Report-Type: hack-attack
Service: http
Version: 0.1
User-Agent: Checkdomain Express 0.19
Date: Sun, 19 Oct 2014 18:58:21 +0200
Source-Type: ipv4
Source: 199.231.184.26
Port: 80
Report-ID: 107111948337@checkdomain.de
Schema-URL: http://www.blocklist.de/downloads/schema/info_0.1.1.json
Attachment: text/plain