?
Solved

Apache error

Posted on 2011-03-13
10
Medium Priority
?
644 Views
Last Modified: 2012-05-11
Today I found many pop-up error when I restart my server. By default it will also restart my apache. Currently we are using xampp for win2003 server.

However when I check log error file, I found many hits with the following error :

[Mon Mar 14 02:42:24 2011] [client 64.120.182.105] script 'D:/xampp/webdav/uxampp.php' not found or unable to stat
on Mar 14 02:46:54 2011] [client 64.120.182.105] script 'D:/xampp/webdav/uxampp.php' not found or unable to stat

etc.... 9 roughly about 80-120 hits

Apache is working after manually restarted...

The question here is, are we been hacked ? Or somebody is trying to hack our system ?

I need your advise of how to investigate this matter and find best solution.

thanks.
Tags:
0
Comment
Question by:KG1973
10 Comments
 
LVL 31

Expert Comment

by:farzanj
ID: 35124573
If it started successfully after manually restarting, then it could be anything from unclean shutdown to hacking.  You can try to check logs but if you don't have IDS already set up, it would be really hard to determine.  If you have kept a checksum of configuration files, or any other comparison to see manually that your files changed, it would be hard to determine.  Do you have any external backups to compare files with?
0
 
LVL 2

Expert Comment

by:sihar86
ID: 35124821
Sometimes, it caused by external problem.
For ex: your capacity of your harddrive.
Is your harddrive full?
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 35124887
That IP address resolves to "kyoko.elenorbowleslinux.net".  Is that your server or desktop IP address?
0
When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

 
LVL 1

Author Comment

by:KG1973
ID: 35125283
Sihar86,
My server has no issue on hd space. HD full capacity is 680GB and the current usage is not even 1%.

DaveBaldwin,
I'd checked "kyoko.elenorbowleslinux.net" but not found.
The IP that I mention here is not our ip, it is visitor ips who try to access to uxampp.php. This is based on log files.


Just to rephrase, why log file show this D:/xampp/webdav/uxampp.php. What is this file for ? When I checked, the folder is there but not uxampp.php file. Any idea why apache is looking for this file ?



0
 
LVL 84

Accepted Solution

by:
Dave Baldwin earned 2000 total points
ID: 35125568
Apparently, that is a common way to break into your server if you have 'WebDav' installed.  http://www.apachefriends.org/f/viewtopic.php?f=16&t=43824
0
 
LVL 1

Author Comment

by:KG1973
ID: 35125856
DaveBaldwin,

Looking at the link you provided, it says that it is an exploitation. It suggest not to use it. However, I need to know what actually the purpose of webdav. If I remove the folder and configure my server not to use it, will there be any negative side ? I am sure Web-based Distributed Authoring and Versioning (WebDAV) is designed for good reason except that it has been missused somehow for other negative purpose.

0
 
LVL 84

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 2000 total points
ID: 35125999
I believe WEBDAV was invented by Microsoft for their old FrontPage product to upload and edit websites.  It had many security holes after a while.  You would have to have a product that had a WEBDAV client software in it in order to use it.
0
 
LVL 1

Author Comment

by:KG1973
ID: 35127314
How about dreamweaver ? Will that be affected as well ? In your experience, if someone already familiar with frontpage for updating website, what is best or closest web development software that he could easily migrate ? Of course there is no perfect answer for that.

As for this problem, I will try to disable it and see the outcome in few days time.

thanks.
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 35130300
The product that came after FrontPage is Expression Web.  Some other programs have used it too.  I think most professional designers use FTP.  If you are developing on the same machine that has the web server, you can just copy the files from one directory to another.
0
 
LVL 1

Author Comment

by:KG1973
ID: 35136317
I agree, to avoid further potential attacks, we soon to terminate using frontpage. However, the problem may come again as hackers always looking for holes in our web server.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

With the evolution of technology, we have finally reached a point where it is possible to have home automation features like having your thermostat turn up and door lock itself when you leave, as well as a complete home security system. This is a st…
Phishing emails are a popular malware delivery vehicle for attack.  While there are many ways for an attacker to increase the chances of success for their phishing emails, one of the most effective methods involves spoofing the message to appear to …
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question