• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 648
  • Last Modified:

Apache error

Today I found many pop-up error when I restart my server. By default it will also restart my apache. Currently we are using xampp for win2003 server.

However when I check log error file, I found many hits with the following error :

[Mon Mar 14 02:42:24 2011] [client 64.120.182.105] script 'D:/xampp/webdav/uxampp.php' not found or unable to stat
on Mar 14 02:46:54 2011] [client 64.120.182.105] script 'D:/xampp/webdav/uxampp.php' not found or unable to stat

etc.... 9 roughly about 80-120 hits

Apache is working after manually restarted...

The question here is, are we been hacked ? Or somebody is trying to hack our system ?

I need your advise of how to investigate this matter and find best solution.

thanks.
Tags:
0
KG1973
Asked:
KG1973
2 Solutions
 
farzanjCommented:
If it started successfully after manually restarting, then it could be anything from unclean shutdown to hacking.  You can try to check logs but if you don't have IDS already set up, it would be really hard to determine.  If you have kept a checksum of configuration files, or any other comparison to see manually that your files changed, it would be hard to determine.  Do you have any external backups to compare files with?
0
 
sihar86Commented:
Sometimes, it caused by external problem.
For ex: your capacity of your harddrive.
Is your harddrive full?
0
 
Dave BaldwinFixer of ProblemsCommented:
That IP address resolves to "kyoko.elenorbowleslinux.net".  Is that your server or desktop IP address?
0
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

 
KG1973Author Commented:
Sihar86,
My server has no issue on hd space. HD full capacity is 680GB and the current usage is not even 1%.

DaveBaldwin,
I'd checked "kyoko.elenorbowleslinux.net" but not found.
The IP that I mention here is not our ip, it is visitor ips who try to access to uxampp.php. This is based on log files.


Just to rephrase, why log file show this D:/xampp/webdav/uxampp.php. What is this file for ? When I checked, the folder is there but not uxampp.php file. Any idea why apache is looking for this file ?



0
 
Dave BaldwinFixer of ProblemsCommented:
Apparently, that is a common way to break into your server if you have 'WebDav' installed.  http://www.apachefriends.org/f/viewtopic.php?f=16&t=43824
0
 
KG1973Author Commented:
DaveBaldwin,

Looking at the link you provided, it says that it is an exploitation. It suggest not to use it. However, I need to know what actually the purpose of webdav. If I remove the folder and configure my server not to use it, will there be any negative side ? I am sure Web-based Distributed Authoring and Versioning (WebDAV) is designed for good reason except that it has been missused somehow for other negative purpose.

0
 
Dave BaldwinFixer of ProblemsCommented:
I believe WEBDAV was invented by Microsoft for their old FrontPage product to upload and edit websites.  It had many security holes after a while.  You would have to have a product that had a WEBDAV client software in it in order to use it.
0
 
KG1973Author Commented:
How about dreamweaver ? Will that be affected as well ? In your experience, if someone already familiar with frontpage for updating website, what is best or closest web development software that he could easily migrate ? Of course there is no perfect answer for that.

As for this problem, I will try to disable it and see the outcome in few days time.

thanks.
0
 
Dave BaldwinFixer of ProblemsCommented:
The product that came after FrontPage is Expression Web.  Some other programs have used it too.  I think most professional designers use FTP.  If you are developing on the same machine that has the web server, you can just copy the files from one directory to another.
0
 
KG1973Author Commented:
I agree, to avoid further potential attacks, we soon to terminate using frontpage. However, the problem may come again as hackers always looking for holes in our web server.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now