Hi guys, this is the second time this has happened to me. When I check my home page, the images that I cache had a different base path. Only the images I cached. When I clear the cache, everything is fine. I am now on a dedicated server, and I was on a VPS for 4 years with no problems. It had piggmail.com instead of the URL of the site. Checked the logs to find this: 58.218.204.110 - - [18/Nov/2010:08:43:06 +0100] "GET http://www.piggmail.com/proxyheader.php HTTP/1.1" 404 13140 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" I have mod_security installed, I have Plesk running, with the firewall on. Please let me know if I'm missing something and what is this?????????
In any case, it's not good that these are showing up - http://safebrowsing.clients.google....?site=http://www.piggmail.com/proxyheader.php Have you checked FTP logs, var/log/messages, or anything to give a hint as to when and how these were put on your server? I recommend CSF, as it will give you some warning when your server is accessed by anyone; however, if you're already compromised it won't matter that much.
This was in my access logs. My FTP or control panel access was not compromised. The dates on all the files are correct. Nothing changed, other than the cached images. Almost as if the cache was compromised. Then I looked in the access logs to find what I posted above! I see the server sends it to a 404! Now my question is, is this an attempt to hack, or is it a hack already? Thanks
Install brute force detection for FTP. It seems to me that somebody is doing a GET request from that IP. It could also be a PHP script vulnerability.
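An added example, not part of the thread: the log entry in the first post carries a full URL for another site in the request line, the form a client uses when talking to a forward proxy. This sketch scans combined-format access logs for such requests and separates those answered with an error, like the 404 above, from those that got a 2xx/3xx and need a closer look. `www.example.com` stands in for the poster's unnamed site, and every sample line except the first is constructed.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)

def proxy_probes(lines, own_hosts):
    """Return entries whose request target names a host this server does not serve."""
    own = {h.lower() for h in own_hosts}
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or non-HTTP line
        target = m["target"]
        if m["method"] == "CONNECT":  # authority-form: host:port
            host = target.rsplit(":", 1)[0]
        elif target.lower().startswith(("http://", "https://")):  # absolute-form
            host = urlsplit(target).hostname or ""
        else:
            continue  # origin-form ("/path") is an ordinary request
        host = host.lower()
        if host in own:
            continue  # absolute-form naming our own site is legal HTTP/1.1
        status = int(m["status"])
        hits.append({
            "ip": m["ip"], "time": m["time"], "host": host, "status": status,
            # 2xx/3xx: the server answered for a foreign host name (open proxy or
            # catch-all vhost), so review it; 4xx/5xx: nothing was served.
            "verdict": "review" if status < 400 else "not served",
        })
    return hits

# First line is the entry quoted in the thread; the rest are constructed samples.
SAMPLE_LOG = [
    '58.218.204.110 - - [18/Nov/2010:08:43:06 +0100] "GET http://www.piggmail.com/proxyheader.php HTTP/1.1" 404 13140 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.0.2.10 - - [18/Nov/2010:08:44:00 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [18/Nov/2010:08:45:10 +0100] "GET http://www.example.com/img/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Nov/2010:08:46:30 +0100] "GET http://proxy-check.invalid/judge.php HTTP/1.1" 200 13140 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [18/Nov/2010:08:46:31 +0100] "CONNECT mail.invalid:25 HTTP/1.0" 405 300 "-" "-"',
]

if __name__ == "__main__":
    for hit in proxy_probes(SAMPLE_LOG, own_hosts={"www.example.com", "example.com"}):
        print(hit["verdict"], hit["ip"], hit["host"], hit["status"], hit["time"])
```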
What is the site in question? We can take a look to see if we can figure anything out. Also, if you are on a dedicated server, I recommend installing the open source OSSEC (www.ossec.net) to detect intrusions to your server and Sucuri ( http://sucuri.net ) to monitor your site for malware, spam, hacking etc. and clear the malware if it is currently infected. Thanks,