  1. #1
    Server hacked or tried to tell me??

    Hi

    This is from the server log file.
    Can anyone tell me if this is a try to hack my site??

    Please help me, I have taken some out of the log file, tell me if I should delete something.

    [05/Apr/2012:20:56:28 +0200] "POST /admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
    a3871.openict.atom86.net - - [05/Apr/2012:20:57:47 +0200] "POST /admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
    188.215.55.94 - - [05/Apr/2012:20:57:57 +0200] "POST /admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
    kooymans.de - - [05/Apr/2012:20:59:54 +0200] "POST /admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
    unknown.servercentral.net - - [05/Apr/2012:21:02:43 +0200] "POST /admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
    66.249.66.148 -



    - [05/Apr/2012:23:06:47 +0200] "GET /admin/login.asp HTTP/1.1" 404 - "-" "Mozilla/5.0 (X11; U; Linux x86_64; fr; rv:1.9.2.24) Gecko/20111107 Ubuntu/10.04 (lucid) Firefox/3.6.24"
    46.4.130.29 - - [05/Apr/2012:23:06:48 +0200] "GET /index.php/admin/ HTTP/1.1" 200 21824 "-" "Mozilla/5.0 (X11; U; Linux x86_64; fr; rv:1.9.2.24) Gecko/20111107 Ubuntu/10.04 (lucid) Firefox/3.6.24"
    static.29.130.4.46.clients.your-server.de - - [05/Apr/2012:23:06:48 +0200] "GET /umbraco/login.aspx HTTP/1.1" 404 - "-" "Mozilla/5.0 (X11; U; Linux x86_64; fr; rv:1.9.2.24) Gecko/20111107 Ubuntu/10.04 (lucid) Firefox/3.6.24"
    static.29.130.4.46.clients.your-server.de - - [05/Apr/2012:23:06:48 +0200] "GET /admincp/ HTTP/1.1" 404 - "-" "Mozilla/5.0 (X11; U; Linux x86_64; fr; rv:1.9.2.24) Gecko/20111107 Ubuntu/10.04 (lucid) Firefox/3.6.24"
    static.29.130.4.46.clients.your-server.de - - [05/Apr/2012:23:06:48 +0200] "GET /wp-content/plugins/wp-e-commerce/ HTTP/1.1" 404 - "-" "Mozilla/5.0 (X11; U; Linux x86_64; fr; rv:1.9.2.24) Gecko/20111107 Ubuntu/10.04 (lucid) Firefox/3.6.24"
    static.29.130.4.46.clients.your-server.de - - [05/Apr/2012:23:06:48 +0200] "GET /typo3/ HTTP/1.1" 404 - "-" "Mozilla/5.0 (X11; U; Linux x86_64; fr; rv:1.9.2.24) Gecko/20111107 Ubuntu/10.04 (lucid) Firefox/3.6.24"
    static.29.130.4.46.clients.your-server.de - - [05/Apr/2012:23:06:48 +0200] "GET /admin/Systemfiles/ HTTP/1.1" 404 -

    ..... does the bot use admin?

    th=3_4&products_id=34 HTTP/1.1" 200 20742 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    kooymans.de - - [07/Apr/2012:17:44:30 +0200] "POST /admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
    server84191748.internet-server.dk - - [07/Apr/2012:17:44:30 +0200] "POST /admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
    207.46.13.95 -


    - [09/Apr/2012:09:49:09 +0200] "GET /index.php%3fmain_page=index%26cPath=12/admin/categories.php/login.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (X11; U; Linux i686; cs-CZ; rv:1.7.12) Gecko/20050929"
    188.215.55.94 - - [09/Apr/2012:09:49:10 +0200] "GET /admin/file_manager.php/login.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (X11; U; Linux i686; cs-CZ; rv:1.7.12) Gecko/20050929"
    188.215.55.94 - - [09/Apr/2012:09:49:10 +0200] "GET /admin/categories.php/login.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (X11; U; Linux i686; cs-CZ; rv:1.7.12) Gecko/20050929"
    188.215.55.94 - - [09/Apr/2012:09:49:12 +0200] "GET /index.php%3fmain_page=index%26cPath=12/admin/banner_manager.php/login.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (X11; U; Linux i686; cs-CZ; rv:1.7.12) Gecko/20050929"
    188.215.55.94 - - [09/Apr/2012:09:49:12 +0200] "GET /admin/banner_manager.php/login.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (X11; U; Linux i686; cs-CZ; rv:1.7.12) Gecko/20050929"
    188.215.55.94 - - [09/Apr/2012:09:49:52 +0200] "GET /index.php%3fmain_page=index%26cPath=12_2/admin/file_manager.php/login.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (X11; U; Linux i686; cs-CZ; rv:1.7.12) Gecko/20050929"
    188.215.55.94 - - [09/Apr/2012:09:49:52 +0200] "GET /index.php%3fmain_page=index%26cPath=12_2/admin/categories.php/login.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (X11; U; Linux i686; cs-CZ; rv:1.7.12) Gecko/20050929"
    188.215.55.94 - - [09/Apr/2012:09:49:57 +0200] "GET /index.php%3fmain_page=index%26cPath=12_2/admin/banner_manager.php/login.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (X11; U; Linux i686; cs-CZ; rv:1.7.12) Gecko/20050929"
    188.215.55.94 - - [09/Apr/2012:09:50:11 +0200] "GET /index.php%3fmain_page=index%26cPath=12_2_21/admin/file_manager.php/login.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (X11; U; Linux i686; cs-CZ; rv:1.7.12) Gecko/20050929"
    188.215.55.94 - - [09/Apr/2012:09:50:11 +0200] "GET /index.php%3fmain_page=index%26cPath=12_2_21/admin/categories.php/login.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (X11; U; Linux i686; cs-CZ; rv:1.7.12) Gecko/20050929"
    188.215.55.94 - - [09/Apr/2012:09:50:12 +0200] "GET /index.php%3fmain_page=index%26cPath=12_2_19/admin/categories.php/login.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (X11; U; Linux i686; cs-CZ; rv:1.7.12) Gecko/20050929"
    188.215.55.94 - - [09/Apr/2012:09:50:12 +0200] "GET /index.php%3fmain_page=index%26cPath=12_2_19/admin/file_manager.php/login.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (X11; U; Linux i686; cs-CZ; rv:1.7.12) Gecko/20050929"
    188.215.55.94 - - [09/Apr/2012:09:50:15 +0200] "GET /index.php%3fmain_page=index%26cPath=12_2_21/admin/banner_manager.php/login.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (X11; U; Linux i686; cs-CZ; rv:1.7.12) Gecko/20050929"
    188.215.55.94 - - [09/Apr/2012:09:50:16 +0200] "GET /index.php%3fmain_page=index%26cPath=12_2_19/admin/banner_manager.php/login.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (X11; U; Linux i686; cs-CZ; rv:1.7.12) Gecko/20050929"
    188.215.55.94 - - [09/Apr/2012:09:50:24 +0200] "GET /index.php%3fmain_page=index%26cPath=12_23/admin/file_manager.php/login.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (X11; U; Linux i686; cs-CZ; rv:1.7.12) Gecko/20050929"
    188.215.55.94 - - [09/Apr/2012:09:50:24 +0200] "GET /index.php%3fmain_page=index%26cPath=12_23/admin/categories.php/login.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (X11; U; Linux i686; cs-CZ; rv:1.7.12) Gecko/20050929"
    188.215.55.94 - - [09/Apr/2012:09:50:28 +0200] "GET /index.php%3fmain_page=index%26cPath=12_23/admin/banner_manager.php/login.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (X11; U; Linux i686; cs-CZ; rv:1.7.12) Gecko/20050929"
    188.215.55.94 - - [09/Apr/2012:09:50:56 +0200] "GET /index.php%3fmain_page=index%26cPath=12_2_10/admin/file_manager.php/login.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (X11; U; Linux i686; cs-CZ; rv:1.7.12) Gecko/20050929"
    188.215.55.94 - - [09/Apr/2012:09:50:57 +0200] "GET /index.php%3fmain_page=index

    - [10/Apr/2012:14:31:52 +0200] "GET /admin/sqlpatch.php/password_forgotten.php?action=execute HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
    174.37.59.210-static.reverse.softlayer.com - - [10/Apr/2012:14:31:53 +0200] "POST /admin/product.php/password_forgotten.php?action=new_product_preview HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
    ns1.psin.org - - [10/Apr/2012:14:31:58 +0200] "GET /admin/sqlpatch.php/password_forgotten.php?action=execute HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
    ns1.psin.org - - [10/Apr/2012:14:32:08 +0200] "GET /admin/sqlpatch.php/password_forgotten.php?action=execute HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
    ns1.psin.org - - [10/Apr/2012:14:32:08 +0200] "GET /admin/sqlpatch.php/password_forgotten.php?action=execute HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
    74.54.45.2 - - [10/Apr/2012:14:32:09 +0200] "GET /index.php?main_page=site_map/admin/sqlpatch.php/password_forgotten.php?action=execute HTTP/1.1" 406 5 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
    ns1.psin.org - - [10/Apr/2012:14:32:10 +0200] "GET /admin/sqlpatch.php/password_forgotten.php?action=execute HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
    74.54.45.2 - - [10/Apr/2012:14:32:14 +0200] "GET /index.php?main_page=site_map/admin/sqlpatch.php/password_forgotten.php?action=execute HTTP/1.1" 406 5 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
    ns1.psin.org - - [10/Apr/2012:14:32:14 +0200] "GET /admin/sqlpatch.php/password_forgotten.php?action=execute HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
    174.37.59.210-static.reverse.softlayer.com - - [10/Apr/2012:14:32:29 +0200] "POST /admin/product.php/password_forgotten.php?action=new_product_preview HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
    174.37.59.210 - - [10/Apr/2012:14:32:47 +0200] "POST /index.php?main_page=site_map/admin/product.php/password_forgotten.php?action=new_product_preview HTTP/1.1" 406 5 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
    174.37.59.210-static.reverse.softlayer.com - - [10/Apr/2012:14:32:48 +0200] "POST /admin/product.php/password_forgotten.php?action=new_product_preview HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
    62.242.64.212 -

  2. #2

    Quote Originally Posted by Enpeek View Post
    can anyone tell me if this is a try to hack my site??
    Yes, it is someone trying to hack you, but it's nothing to worry about, people try to hack websites ALL THE TIME. A popular site could get as many as 10,000 or more *attempted* hacks a day.

    It is no different than crims roaming the streets checking people's doors to see if they've left them unlocked. No harm is done as long as the doors are locked. The only people that need worry are those that don't lock their doors.

    In the case of websites, the only people that need to worry about these attempts are those that don't keep their software up to date.

    The only way to stop the attempts is to not have a website in the first place.

    Cheers
    Rod

    PS. The "404"s in each of those lines are your server telling the would-be hacker that the page they are attempting to load doesn't exist.
    Last edited by RodG; 18 Apr 2012 at 02:58 AM.
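
Added example, not part of the original thread: a Python pass over access-log entries like those in post #1 that groups scanner probes by response status and lists every probe answered with something other than 404, since those are the entries to check by hand. The labels, the foreign-admin path list and the rule that `.php/` never occurs in a legitimate URL on this store are assumptions of this example; the sample lines are abridged from the excerpt, plus one constructed ordinary request.

```python
import re
from collections import Counter

# Fields needed from an Apache combined-log entry: client, method, target, status.
LINE_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Assumption: on this store, extra path segments after a .php script
# (/admin/categories.php/login.php, /index.php/admin/) are never legitimate.
PHP_PATHINFO = re.compile(r'\.php/', re.IGNORECASE)
# Admin paths of other products that appear in the excerpt.
FOREIGN_ADMIN = ("/admin/login.asp", "/umbraco/", "/admincp/", "/typo3/", "/wp-content/")

def classify(target):
    """Return a probe label for a request target, or None for ordinary traffic."""
    if PHP_PATHINFO.search(target):
        return "php-pathinfo"
    if target.startswith(FOREIGN_ADMIN):
        return "foreign-admin"
    return None

def summarize(lines):
    """Count probes per (label, status) and collect probes not answered with 404."""
    counts, review = Counter(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # cut-off entry such as "66.249.66.148 -"
        label = classify(m["target"])
        if label is None:
            continue
        counts[(label, m["status"])] += 1
        if m["status"] != "404":
            review.append((m["host"], m["target"], m["status"]))
    return counts, review

# Entries abridged from the excerpt in post #1 (user agent shortened);
# the 192.0.2.10 line is a constructed ordinary request.
SAMPLE = [
    '188.215.55.94 - - [05/Apr/2012:20:57:57 +0200] "POST /admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 404 - "-" "Mozilla/5.0"',
    '46.4.130.29 - - [05/Apr/2012:23:06:48 +0200] "GET /index.php/admin/ HTTP/1.1" 200 21824 "-" "Mozilla/5.0"',
    'static.29.130.4.46.clients.your-server.de - - [05/Apr/2012:23:06:48 +0200] "GET /umbraco/login.aspx HTTP/1.1" 404 - "-" "Mozilla/5.0"',
    '74.54.45.2 - - [10/Apr/2012:14:32:09 +0200] "GET /index.php?main_page=site_map/admin/sqlpatch.php/password_forgotten.php?action=execute HTTP/1.1" 406 5 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Apr/2012:14:40:00 +0200] "GET /index.php?main_page=index&cPath=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '66.249.66.148 -',
]

if __name__ == "__main__":
    counts, review = summarize(SAMPLE)
    for (label, status), n in sorted(counts.items()):
        print(f"{label:14} {status} x{n}")
    for host, target, status in review:
        print(f"REVIEW {status} {host} {target}")
```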

  3. #3

    Quote Originally Posted by RodG View Post
    Yes, it is someone trying to hack you, but it's nothing to worry about, people try to hack websites ALL THE TIME. A popular site could get as many as 10,000 or more *attempted* hacks a day.

    It is no different than crims roaming the streets checking people's doors to see if they've left them unlocked. No harm is done as long as the doors are locked. The only people that need worry are those that don't lock their doors.

    In the case of websites, the only people that need to worry about these attempts are those that don't keep their software up to date.

    The only way to stop the attempts is to not have a website in the first place.

    Cheers
    Rod

    PS. The "404"s in each of those lines are your server telling the would-be hacker that the page they are attempting to load doesn't exist.
    Really, my site is now broken and it takes 5 minutes to load,

    now it says in the right banner side

    1 Can't create/write to file '/tmp/#sql_2ea1_0.MYI' (Errcode: 24)
    in:
    [select banners_id, banners_title, banners_image, banners_html_text, banners_open_new_windows, banners_url from banners where status = 1 and ( banners_group = 'BannersAll') order by rand()]

  4. #4

    Quote Originally Posted by Enpeek View Post
    1 Can't create/write to file '/tmp/#sql_2ea1_0.MYI' (Errcode: 24)
    in:
    [select ...... from banners ...]
    Any errors mentioning a .MYI file suggest that your database server is having problems. That's in the realm of your hosting company's responsibilities. You should be contacting THEM immediately.

    Judging from what you've shared your server probably has a disk-storage problem, a disk space/quota problem, a filesystem permissions problem, etc. That's not something you likely have any control over, since you're not the server's system administrator.

  5. #5

    Quote Originally Posted by DrByte View Post
    Judging from what you've shared your server probably has a disk-storage problem, a disk space/quota problem, a filesystem permissions problem, etc.
    Is it just me, or has anyone else noticed that there seems to have been a rather unusual spike in the number of problems reported lately that appear to be disk related?

    If it's not just me, has any other commonality been noticed, such as all being related to the hosting company?

    Any thoughts?

    Cheers
    Rod

  6. #6

    Okay, I'm going to install the new version 1.50, is the security much greater?

    How good should a hacker be if he wanted to hack a zencart server? :)

  7. #7

    Yes, sorry, I'm still learning ;) They fixed the problem for me, my site is installed on MySQL 4.0. My customers' data are stored in that, right?

    Can I extract the data from 4.0 to the 5.1? If yes, is it easy?

    thanks for response

    Best regards
    DanielSAN

  8. #8

    Quote Originally Posted by Enpeek View Post
    Okay, I'm going to install the new version 1.50, is the security much greater?
    It's a lot greater than V1.3.8.
    V1.3.9 is still known to be secure, so this is a difficult question to answer.

    Besides, security is hard to quantify in this manner.

    Quote Originally Posted by Enpeek View Post
    How good should a hacker be if he wanted to hack a zencart server? :)
    This is a bit of a trick question. Much depends on your definition of a hacker.

    Code vulnerabilities can be found either by accident (no skills needed), or it could take many days, months and even years for a good hacker to actively seek and find a weakness in their targeted system.

    What most people consider to be 'hackers' are nothing more than 'script kiddies'. These people do little more than use code that has been created by a 'real' hacker, and run that code against a vulnerable target. Skill level needed.. zero.

    A good hacker will leave little or no evidence that their target site has been hacked.

    A script kiddy generally doesn't even attempt to hide their tracks. Many do it simply for 'bragging rights' to show their peers how 'good' they are <cough, cough>.
    Others do it simply to be destructive. Again, no skills required.

    One of the reasons that zencart V1.3.8 is considered to be so vulnerable isn't just due to the weakness(es) itself, but the fact that the scripts to do so are easily and readily available from many sources on the web. If that isn't bad enough in itself, the scripts and vulnerabilities are both so well known among both the 'black hats' and the 'white hats', that these are actually used for 'training' purposes for both the good guys and the bad. (Important: zencart V1.3.8 isn't alone in this, but it is in the top ten). Anyway, this is why no one should be using V1.3.8 these days.

    Cheers
    Rod

  9. #9

    Quote Originally Posted by Enpeek View Post
    I'm still learning ;)
    Me too, and I hope to continue to do so for as long as I live. :)

    Quote Originally Posted by Enpeek View Post
    They fixed the problem for me, my site is installed on MySQL 4.0. My customers' data are stored in that, right?
    Yes, and your products, configurations, and other stuff.. The database is the 'heart' of the store.

    Quote Originally Posted by Enpeek View Post
    Can I extract the data from 4.0 to the 5.1? If yes, is it easy?
    Almost every host has a program called 'phpmyadmin' installed for their clients' use. One of the things this software can do is export/import data into different (SQL) databases. Since the export data is little more than plain text, it works for all SQL versions.

    Yes it is easy, but you will need to spend a little time learning your way around things. There are many tutorials and forum threads that discuss this in detail.

    Cheers
    Rod

  10. #10

    Thanks for all the great answers, this is why I'm using zencart. Thanks guys

 

 
