Are these attempted hack attempts?

Discussion in 'Security' started by Jack700, Apr 15, 2007.

  1. #1
    I'm seeing requests for the following files in my access log:

    /MSOffice/cltreq.asp
    /_vti_bin/owssvr.dll

    I'm not running a Windows server. Are these hack attempts, or are they someone's browser/plugin run amok? They are inside a regular page request from a user, so they're not standalone requests.

    Thanks for any info you can provide.

    [EDIT: The subject line of this post is brought to you by the Department of Redundancy Department. ]
     
    Jack700, Apr 15, 2007 IP
  2. rootbinbash

    #2
    It's not a hack attempt. Search the forum, this is an MS Office toolbar query. Just ignore them.
     
    rootbinbash, Apr 15, 2007 IP
  3. Jack700

    #3
    I tried searching for the MSOffice string but I got back a bunch of false positives for some reason. Thanks for your help.
     
    Jack700, Apr 16, 2007 IP
  4. Dio

    #4
    I remember looking at this myself a couple of years back, and reading that if you have certain MS Office files online, and FrontPage extensions enabled, then it was a security issue as there were vulnerabilities that could be exploited. A lot of those requests showing up in the log was evidence of automated scans for them.
     
    Dio, Apr 16, 2007 IP
  5. Jack700

    #5
    I'm getting more mysterious strings in my error log now:

    ls: /var/cpanel/users/: Permission denied
    ls: /var/cpanel/suspended/: No such file or directory

    I tried searching and again came up empty. I do NOT see an accompanying request in my access logs as far as I can tell.

    Thanks for any help provided.
     
    Jack700, Apr 18, 2007 IP
  6. rootbinbash

    #6

    Can you check your .bash_history log? The ls /var/cpanel/users/ and ls /var/named commands are generally used before mass defacement ^^ Also please search for PHP shells, and make sure your tmp is secure for execution (no exec).
     
    rootbinbash, Apr 19, 2007 IP
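
The two host checks suggested in post #6, as an added example that is not part of the original thread: whether a mount point carries `noexec`, and whether a shell history file contains `ls` on the directories named above. The function names are hypothetical, and the mount table is assumed to be in Linux `/proc/mounts` format.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# mount_has_noexec MOUNTPOINT [MOUNTS_FILE]
# Exit status: 0 = mounted with noexec, 1 = mounted without it,
# 2 = MOUNTPOINT is not a separate mount (it inherits its parent's options).
mount_has_noexec() {
    mhn_file=${2:-/proc/mounts}
    # Fields: device mountpoint fstype options dump pass.
    # The last matching entry wins because later mounts shadow earlier ones.
    mhn_opts=$(awk -v mp="$1" '$2 == mp { o = $4 } END { print o }' "$mhn_file")
    [ -n "$mhn_opts" ] || return 2
    case ",$mhn_opts," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# history_enum_hits HISTORY_FILE
# Prints (with line numbers) history entries that run ls on the directories
# named in the thread: /var/cpanel/users, /var/cpanel/suspended, /var/named.
history_enum_hits() {
    grep -nE '(^|[[:space:];&|])ls[[:space:]]+(-[[:alnum:]]+[[:space:]]+)*/var/(cpanel/(users|suspended)|named)(/|[[:space:];&|]|$)' "$1"
}

# Run the checks on the live host only when asked to: sh thisfile --run
if [ "${1:-}" = "--run" ]; then
    for mp in /tmp /var/tmp /dev/shm; do
        rc=0; mount_has_noexec "$mp" || rc=$?
        case $rc in
            0) echo "$mp: noexec set" ;;
            1) echo "$mp: mounted WITHOUT noexec" ;;
            2) echo "$mp: not a separate mount" ;;
        esac
    done
    for h in /root/.bash_history /home/*/.bash_history; do
        [ -r "$h" ] && history_enum_hits "$h" | sed "s|^|$h:|"
    done
fi
```

An empty history result does not clear the host: commands run through a web script execute as the web server user and are not written to any shell history file.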
  7. Jack700

    #7
    I don't see anything in the .bash_history for either my domain user or root. Does the 'nobody' user have a .bash_history or is that the point of 'nobody'?
     
    Jack700, Apr 19, 2007 IP
  8. rootbinbash

    #8
    Well, there must be. You have to look at it via shell, so there must be a history, at least your last command which you used to open the file :D

    It's under root.
     
    rootbinbash, Apr 19, 2007 IP