
Apache error

Posted on 2011-03-13
Last Modified: 2012-05-11
Today I found many pop-up errors when I restarted my server. By default it will also restart my Apache. Currently we are using XAMPP for a Win2003 server.

However, when I checked the error log file, I found many hits with the following error:

[Mon Mar 14 02:42:24 2011] [client 64.120.182.105] script 'D:/xampp/webdav/uxampp.php' not found or unable to stat
[Mon Mar 14 02:46:54 2011] [client 64.120.182.105] script 'D:/xampp/webdav/uxampp.php' not found or unable to stat

etc.... (roughly about 80-120 hits)

Apache is working after being manually restarted...

The question here is, have we been hacked? Or is somebody trying to hack our system?

I need your advice on how to investigate this matter and find the best solution.

thanks.
Question by:KG1973
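
A way to triage the error-log entries quoted in the question, as an added example that is not part of the original thread: it groups the "not found or unable to stat" lines by client and script path so repeated requests for a missing file stand out. The function name, the threshold of 3 and the sample lines (documentation-range IPs) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache 2.2 error-log line. The "[error]" level field is optional because
# the lines quoted in the question do not show it.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?:\[(?P<level>\w+)\]\s+)?"
    r"\[client (?P<client>[^\]]+)\]\s+"
    r"script '(?P<script>[^']+)' not found or unable to stat"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

def summarize_probes(lines, threshold=3):
    """Group 'script not found' errors by (client, script path).

    Returns dicts sorted by hit count; 'repeated' is True when the count
    reaches `threshold` (an assumed cut-off, tune it to your traffic).
    """
    groups = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated or damaged line: skip it, do not guess
        try:
            stamp = datetime.strptime(m.group("ts"), TS_FORMAT)
        except ValueError:
            continue  # timestamp not in the expected layout
        groups[(m.group("client"), m.group("script"))].append(stamp)
    report = [
        {"client": c, "script": s, "hits": len(t), "first": min(t),
         "last": max(t), "repeated": len(t) >= threshold}
        for (c, s), t in groups.items()
    ]
    return sorted(report, key=lambda r: r["hits"], reverse=True)

# Constructed sample in the format quoted in the question.
SAMPLE_LOG = """\
[Mon Mar 14 02:42:24 2011] [client 203.0.113.7] script 'D:/xampp/webdav/uxampp.php' not found or unable to stat
[Mon Mar 14 02:44:10 2011] [error] [client 203.0.113.7] script 'D:/xampp/webdav/uxampp.php' not found or unable to stat
[Mon Mar 14 02:46:54 2011] [client 203.0.113.7] script 'D:/xampp/webdav/uxampp.php' not found or unable to stat
[Mon Mar 14 02:50:01 2011] [client 198.51.100.20] script 'D:/xampp/htdocs/test.php' not found or unable to stat
on Mar 14 02:51:00 2011] [client 203.0.113.7] script 'D:/xampp/webdav/uxampp.php' not found or unable to stat
[Mon Mar 14 02:52:00 2011] [notice] Apache configured -- resuming normal operations
"""

if __name__ == "__main__":
    for row in summarize_probes(SAMPLE_LOG.splitlines()):
        print(row["client"], row["script"], row["hits"], row["repeated"])
```

A "not found" entry means the requested file was absent at that moment; the first and last timestamps per client give the window to compare against the access log and the file listing of the same folder.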
10 Comments
 
LVL 31

Expert Comment

by:farzanj
ID: 35124573
If it started successfully after manually restarting, then it could be anything from unclean shutdown to hacking.  You can try to check logs but if you don't have IDS already set up, it would be really hard to determine.  If you have kept a checksum of configuration files, or any other comparison to see manually that your files changed, it would be hard to determine.  Do you have any external backups to compare files with?
0
 
LVL 2

Expert Comment

by:sihar86
ID: 35124821
Sometimes it is caused by an external problem.
For example: the capacity of your hard drive.
Is your hard drive full?
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 35124887
That IP address resolves to "kyoko.elenorbowleslinux.net".  Is that your server or desktop IP address?
0
 
LVL 1

Author Comment

by:KG1973
ID: 35125283
Sihar86,
My server has no issue on hd space. HD full capacity is 680GB and the current usage is not even 1%.

DaveBaldwin,
I checked "kyoko.elenorbowleslinux.net" but it was not found.
The IP that I mentioned here is not our IP; it is the IP of visitors who try to access uxampp.php. This is based on the log files.

Just to rephrase, why does the log file show this D:/xampp/webdav/uxampp.php? What is this file for? When I checked, the folder is there but not the uxampp.php file. Any idea why Apache is looking for this file?
0
 
LVL 84

Accepted Solution

by:
Dave Baldwin earned 2000 total points
ID: 35125568
Apparently, that is a common way to break into your server if you have 'WebDav' installed.  http://www.apachefriends.org/f/viewtopic.php?f=16&t=43824
0
 
LVL 1

Author Comment

by:KG1973
ID: 35125856
DaveBaldwin,

Looking at the link you provided, it says that it is an exploitation. It suggests not using it. However, I need to know what the actual purpose of WebDAV is. If I remove the folder and configure my server not to use it, will there be any negative side? I am sure Web-based Distributed Authoring and Versioning (WebDAV) was designed for good reason, except that it has been misused somehow for other negative purposes.

0
 
LVL 84

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 2000 total points
ID: 35125999
I believe WEBDAV was invented by Microsoft for their old FrontPage product to upload and edit websites.  It had many security holes after a while.  You would have to have a product that had a WEBDAV client software in it in order to use it.
0
 
LVL 1

Author Comment

by:KG1973
ID: 35127314
How about Dreamweaver? Will that be affected as well? In your experience, if someone is already familiar with FrontPage for updating a website, what is the best or closest web development software that he could easily migrate to? Of course there is no perfect answer for that.

As for this problem, I will try to disable it and see the outcome in a few days' time.

thanks.
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 35130300
The product that came after FrontPage is Expression Web.  Some other programs have used it too.  I think most professional designers use FTP.  If you are developing on the same machine that has the web server, you can just copy the files from one directory to another.
0
 
LVL 1

Author Comment

by:KG1973
ID: 35136317
I agree; to avoid further potential attacks, we will soon stop using FrontPage. However, the problem may come again, as hackers are always looking for holes in our web server.
0
