I'm seeing requests for the following files in my access log:
/MSOffice/cltreq.asp
/_vti_bin/owssvr.dll
I'm not running a Windows server, are these hack attempts or are they someone's browser/plugin run amok? They are inside a regular page request from a user so they're not standalone requests. Thanks for any info you can provide. [EDIT: The subject line of this post is brought to you by the Department of Redundancy Department.]
I tried searching for the MSOffice string but I got back a bunch of false positives for some reason. Thanks for your help.
I remember looking at this myself a couple of years back, and reading that if you have certain MS Office files online, and FrontPage extensions enabled, then it was a security issue as there were vulnerabilities that could be exploited. A lot of those requests showing up in the log was evidence of automated scans for them.
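Added example, not part of the original thread: a Python sketch that separates the two cases raised above, requests for these paths that arrive alongside an ordinary page visit versus standalone requests of the kind an automated scan produces. It assumes Apache/Nginx combined log format; the function name, the two labels and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# The two paths named in the thread; compared case-insensitively, query string ignored.
PROBE_PATHS = {"/msoffice/cltreq.asp", "/_vti_bin/owssvr.dll"}

# Leading fields of the "combined" access log format (assumed format).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"\S+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def classify_probes(lines):
    """Report which clients requested the probe paths, and in what context.

    Returns {ip: {"probes": [(path, status)], "pages": n, "kind": label}}.
    "with-page-visit" means the same client also fetched other content
    successfully; "standalone" means it asked for nothing else (a heuristic
    hint of scanning, not proof).
    """
    probes = defaultdict(list)
    pages = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        path = m["target"].split("?", 1)[0]
        status = int(m["status"])
        if path.lower() in PROBE_PATHS:
            probes[m["ip"]].append((path, status))
        elif 200 <= status < 400:
            pages[m["ip"]] += 1
    return {
        ip: {"probes": hits, "pages": pages[ip],
             "kind": "with-page-visit" if pages[ip] else "standalone"}
        for ip, hits in probes.items()
    }

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [10/Oct/2010:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "ExampleBrowser/1.0"',
    '203.0.113.7 - - [10/Oct/2010:13:55:37 +0000] "GET /MSOffice/cltreq.asp?demo=1 HTTP/1.1" 404 209 "-" "ExampleBrowser/1.0"',
    '203.0.113.7 - - [10/Oct/2010:13:55:37 +0000] "GET /_vti_bin/owssvr.dll?demo=1 HTTP/1.1" 404 209 "-" "ExampleBrowser/1.0"',
    '198.51.100.23 - - [10/Oct/2010:14:02:11 +0000] "GET /_vti_bin/owssvr.dll HTTP/1.0" 404 209 "-" "-"',
]

if __name__ == "__main__":
    for ip, info in classify_probes(SAMPLE).items():
        print(ip, info["kind"], info["probes"])
```

A 404 on every probe, as in the sample, is what a non-Windows server without these files would log.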
I'm getting more mysterious strings in my error log now:
ls: /var/cpanel/users/: Permission denied
ls: /var/cpanel/suspended/: No such file or directory
I tried searching and again came up empty. I do NOT see an accompanying request in my access logs as far as I can tell. Thanks for any help provided.
Can you check your .bash_history log? The ls /var/cpanel/users/ and ls /var/named commands are generally used before mass defacement ^^ Also, please search for PHP shells, and make sure your tmp is secure for execution (no exec).
I don't see anything in the .bash_history for either my domain user or root. Does the 'nobody' user have a .bash_history or is that the point of 'nobody'?
Well, there must be. You have to look at it via shell, so there must be a history, at least your last command which you used to open the file. It's under root.