Solved

Apache error

Posted on 2011-03-13
Last Modified: 2012-05-11
Today I found many pop-up errors when I restarted my server. By default it will also restart my Apache. Currently we are using XAMPP for a Win2003 server.

However, when I checked the error log file, I found many hits with the following error:

[Mon Mar 14 02:42:24 2011] [client 64.120.182.105] script 'D:/xampp/webdav/uxampp.php' not found or unable to stat
[Mon Mar 14 02:46:54 2011] [client 64.120.182.105] script 'D:/xampp/webdav/uxampp.php' not found or unable to stat

etc.... (roughly about 80-120 hits)

Apache is working after being manually restarted...

The question here is, have we been hacked? Or is somebody trying to hack our system?

I need your advice on how to investigate this matter and find the best solution.

thanks.
Question by:KG1973
10 Comments
 
LVL 31

Expert Comment

by:farzanj
ID: 35124573
If it started successfully after manually restarting, then it could be anything from unclean shutdown to hacking.  You can try to check logs but if you don't have IDS already set up, it would be really hard to determine.  If you have kept a checksum of configuration files, or any other comparison to see manually that your files changed, it would be hard to determine.  Do you have any external backups to compare files with?
0
 
LVL 2

Expert Comment

by:sihar86
ID: 35124821
Sometimes it is caused by an external problem.
For example: the capacity of your hard drive.
Is your hard drive full?
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 35124887
That IP address resolves to "kyoko.elenorbowleslinux.net".  Is that your server or desktop IP address?
0

 
LVL 1

Author Comment

by:KG1973
ID: 35125283
Sihar86,
My server has no issue with HD space. The HD's full capacity is 680GB and the current usage is not even 1%.

DaveBaldwin,
I checked "kyoko.elenorbowleslinux.net" but it was not found.
The IP that I mentioned here is not our IP; it is the IPs of visitors who try to access uxampp.php. This is based on the log files.


Just to rephrase, why does the log file show this D:/xampp/webdav/uxampp.php? What is this file for? When I checked, the folder is there but not the uxampp.php file. Any idea why Apache is looking for this file?



0
 
LVL 83

Accepted Solution

by:
Dave Baldwin earned 500 total points
ID: 35125568
Apparently, that is a common way to break into your server if you have 'WebDav' installed.  http://www.apachefriends.org/f/viewtopic.php?f=16&t=43824
0
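
A triage sketch for the log entries discussed in this thread, added as an example and not part of any poster's reply: it counts the failed `/webdav/` script lookups per client in the error log, then checks an access log for requests under `/webdav/` that were answered with a 2xx status. The access-log lines (Common Log Format), the address 192.0.2.10 and the function names are assumptions constructed for the demonstration.

```python
import re
from collections import Counter

# Constructed samples. Error-log lines follow the format quoted in the question;
# the access-log lines (Common Log Format) and 192.0.2.10 are invented for the demo.
ERROR_LOG = """\
[Mon Mar 14 02:42:24 2011] [client 64.120.182.105] script 'D:/xampp/webdav/uxampp.php' not found or unable to stat
[Mon Mar 14 02:46:54 2011] [client 64.120.182.105] script 'D:/xampp/webdav/uxampp.php' not found or unable to stat
[Mon Mar 14 03:01:10 2011] [client 192.0.2.10] script 'D:/xampp/htdocs/old.php' not found or unable to stat
"""
ACCESS_LOG = """\
64.120.182.105 - - [14/Mar/2011:02:42:24 +0800] "GET /webdav/uxampp.php HTTP/1.1" 404 1086
64.120.182.105 - - [14/Mar/2011:02:46:54 +0800] "GET /webdav/uxampp.php HTTP/1.1" 404 1086
192.0.2.10 - - [14/Mar/2011:03:01:10 +0800] "GET /old.php HTTP/1.1" 404 1086
"""

ERR_RE = re.compile(r"\[client (?P<ip>[^\]]+)\]\s+script '(?P<path>[^']+)' "
                    r"not found or unable to stat")
ACC_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) ')

def failed_webdav_probes(error_log, marker="/webdav/"):
    """Count 'script not found' errors under the WebDAV folder, per client IP."""
    hits = Counter()
    for line in error_log.splitlines():
        m = ERR_RE.search(line)
        if m and marker in m["path"].replace("\\", "/").lower():
            hits[m["ip"]] += 1
    return hits

def successful_webdav_requests(access_log, prefix="/webdav/"):
    """Return (ip, method, url, status) for /webdav/ requests answered 2xx.

    These, not the 404s, are the entries that need follow-up (file review,
    comparison against a backup)."""
    found = []
    for line in access_log.splitlines():
        m = ACC_RE.match(line)
        if m and m["url"].lower().startswith(prefix) and m["status"].startswith("2"):
            found.append((m["ip"], m["method"], m["url"], int(m["status"])))
    return found

if __name__ == "__main__":
    print("failed probes:", dict(failed_webdav_probes(ERROR_LOG)))
    print("2xx under /webdav/:", successful_webdav_requests(ACCESS_LOG))
```

A "not found or unable to stat" line means the requested script did not exist, so an empty result from the second function alongside a non-empty first one points to scanning rather than a successful upload.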
 
LVL 1

Author Comment

by:KG1973
ID: 35125856
DaveBaldwin,

Looking at the link you provided, it says that it is an exploitation. It suggests not using it. However, I need to know what the actual purpose of WebDAV is. If I remove the folder and configure my server not to use it, will there be any negative side? I am sure Web-based Distributed Authoring and Versioning (WebDAV) was designed for a good reason, except that it has somehow been misused for other negative purposes.

0
 
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 500 total points
ID: 35125999
I believe WEBDAV was invented by Microsoft for their old FrontPage product to upload and edit websites.  It had many security holes after a while.  You would have to have a product that had a WEBDAV client software in it in order to use it.
0
 
LVL 1

Author Comment

by:KG1973
ID: 35127314
How about Dreamweaver? Will that be affected as well? In your experience, if someone is already familiar with FrontPage for updating a website, what is the best or closest web development software that he could easily migrate to? Of course there is no perfect answer for that.

As for this problem, I will try to disable it and see the outcome in a few days' time.

thanks.
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 35130300
The product that came after FrontPage is Expression Web.  Some other programs have used it too.  I think most professional designers use FTP.  If you are developing on the same machine that has the web server, you can just copy the files from one directory to another.
0
 
LVL 1

Author Comment

by:KG1973
ID: 35136317
I agree; to avoid further potential attacks, we are soon to terminate using FrontPage. However, the problem may come again, as hackers are always looking for holes in our web server.
0


Question has a verified solution.
