How to secure my shared server


Post by lagosboy on Tue Feb 18, 2014 6:18 am

Soo sorry to disturb you...

I currently work as a developer and I have little or no knowledge of security... This attack has been on for over a week and the hacker seems sponsored to push me out of work. He keeps defacing my index file... and my hosting company isn't giving me the required support. I'll appreciate whatever support you can render...
I have some access logs, but I have little idea how to interpret them or how to use them to prevent future access...

Here's some of the logs I found:


41.203.67.136 - - [17/Feb/2014:05:01:13 -0700] "GET /portal/admission/passports/39165996FC.jpg HTTP/1.1" 304 161 "http://www.website.com/portal/admission/biodataprint.php" "Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0.1"
41.75.85.126 - - [17/Feb/2014:05:01:13 -0700] "GET /portal/nuc/admin/ HTTP/1.1" 406 432 "http://www.website.com/" "..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00.36"
41.75.85.126 - - [17/Feb/2014:05:01:13 -0700] "GET /portal/nuc/admin/ HTTP/1.1" 200 6608 "http://www.website.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:13 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7115 "http://website.com:80/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:13 -0700] "GET /portal/nuc/admin/ HTTP/1.1" 200 6672 "\\" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:13 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7120 "http://website.com:80/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:13 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 11206 "http://website.com:80/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:13 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7161 "http://website.com:80/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:13 -0700] "GET /portal/nuc/admin/ HTTP/1.1" 200 6672 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:13 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7133 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:13 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7133 "http://website.com:80/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:13 -0700] "GET /portal/nuc/admin/ HTTP/1.1" 200 6672 "http://www.website.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:13 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7126 "http://website.com:80/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:14 -0700] "GET /portal/nuc/admin/ HTTP/1.1" 200 6622 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:13 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7160 "http://www.website.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:13 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7100 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:13 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7154 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:13 -0700] "POST /portal/nuc/admin/ HTTP/1.1" 200 6839 "http://www.website.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
105.112.8.14 - - [17/Feb/2014:05:01:14 -0700] "GET / HTTP/1.1" 200 298 "-" "Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Firefox/27.0"
41.75.85.126 - - [17/Feb/2014:05:01:14 -0700] "GET /portal/nuc/admin/ HTTP/1.1" 200 6672 "-" "index.php/."
41.75.85.126 - - [17/Feb/2014:05:01:13 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7161 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:15 -0700] "GET /portal/nuc/admin/ HTTP/1.1" 406 432 "http://www.website.com/" "/../..//../..//../..//../..//../..//etc/passwd%00.36"
41.75.85.126 - - [17/Feb/2014:05:01:15 -0700] "GET /portal/nuc/admin/ HTTP/1.1" 200 6589 "1\xc0 xa7\xc0\xa2" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:15 -0700] "GET /portal/nuc/admin/ HTTP/1.1" 406 432 "http://www.website.com/" ".\\\\./.\\\\./.\\\\./.\\\\./.\\\\./.\\\\./etc/passwd"
41.75.85.126 - - [17/Feb/2014:05:01:15 -0700] "GET /portal/nuc/admin/ HTTP/1.1" 200 6802 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:15 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7087 "http://www.website.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:15 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7102 "http://website.com:80/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:15 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7044 "http://website.com:80/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:15 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7115 "http://website.com:80/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:15 -0700] "GET /portal/nuc/admin/ HTTP/1.1" 200 6608 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:15 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7089 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:15 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7076 "http://website.com:80/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:15 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7182 "http://website.com:80/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:15 -0700] "GET /portal/nuc/admin/ HTTP/1.1" 200 6672 "http://www.website.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:15 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7308 "http://website.com:80/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:15 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7115 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:15 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7312 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:15 -0700] "GET /portal/nuc/admin/ HTTP/1.1" 200 6802 "http://www.website.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
185.26.180.61 - - [17/Feb/2014:05:01:15 -0700] "GET /portal/admission/login.php HTTP/1.1" 200 9526 "http://www.website.com/portal/admission/index.php" "Opera/9.80 (BlackBerry; Opera Mini/7.1.33551/34.1244; U; en) Presto/2.8.119 Version/11.10"
41.75.85.126 - - [17/Feb/2014:05:01:16 -0700] "GET /portal/nuc/admin/ HTTP/1.1" 200 6649 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:16 -0700] "POST /portal/nuc/admin/ HTTP/1.1" 200 6971 "http://www.website.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:18 -0700] "GET /portal/nuc/admin/ HTTP/1.1" 406 432 "http://www.website.com/" "/etc/passwd"
41.75.85.126 - - [17/Feb/2014:05:01:17 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7034 "http://www.website.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:19 -0700] "GET /portal/nuc/admin/ HTTP/1.1" 406 432 "http://www.website.com/" "../..//../..//../..//../..//../..//../..//../..//../..//etc/passwd"
41.75.85.126 - - [17/Feb/2014:05:01:18 -0700] "GET /portal/nuc/admin/ HTTP/1.1" 200 6802 "http://www.website.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:17 -0700] "GET /portal/nuc/admin/ HTTP/1.1" 200 6802 "@@uxcbN" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:19 -0700] "GET /portal/nuc/admin/ HTTP/1.1" 406 432 "http://www.website.com/" "../.../.././../.../.././../.../.././../.../.././../.../.././../.../.././etc/passwd"
185.26.180.61 - - [17/Feb/2014:05:01:19 -0700] "GET /portal/SpryAssets/SpryValidationTextField.js HTTP/1.1" 200 75539 "http://www.website.com/portal/admission/login.php" "Opera/9.80 (BlackBerry; Opera Mini/7.1.33551/34.1244; U; en) Presto/2.8.119 Version/11.10"
185.26.180.61 - - [17/Feb/2014:05:01:20 -0700] "GET /portal/admission/images/login.jpg HTTP/1.1" 200 26763 "http://www.website.com/portal/admission/login.php" "Opera/9.80 (BlackBerry; Opera Mini/7.1.33551/34.1244; U; en) Presto/2.8.119 Version/11.10"
185.26.180.61 - - [17/Feb/2014:05:01:20 -0700] "GET /portal/SpryAssets/SpryValidationTextField.css HTTP/1.1" 200 3311 "http://www.website.com/portal/admission/login.php" "Opera/9.80 (BlackBerry; Opera Mini/7.1.33551/34.1244; U; en) Presto/2.8.119 Version/11.10"
41.75.85.126 - - [17/Feb/2014:05:01:18 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7101 "http://website.com:80/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:17 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7079 "http://website.com:80/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:17 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:18 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7057 "http://website.com:80/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:18 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7105 "http://website.com:80/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:18 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7082 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:18 -0700] "GET /portal/nuc/admin/ HTTP/1.1" 200 6608 "http://www.website.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:17 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7111 "http://website.com:80/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:17 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7056 "http://website.com:80/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
105.112.8.14 - - [17/Feb/2014:05:01:19 -0700] "GET /portal/ HTTP/1.1" 200 6923 "http://www.website.com/" "Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Firefox/27.0"
41.75.85.126 - - [17/Feb/2014:05:01:17 -0700] "GET /portal/nuc/admin/ HTTP/1.1" 200 6608 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:17 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7309 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:19 -0700] "POST /portal/nuc/admin/ HTTP/1.1" 200 6972 "http://www.website.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:17 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7107 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
185.26.180.61 - - [17/Feb/2014:05:01:22 -0700] "GET /portal/images/important.png HTTP/1.1" 200 64066 "http://www.website.com/portal/admission/login.php" "Opera/9.80 (BlackBerry; Opera Mini/7.1.33551/34.1244; U; en) Presto/2.8.119 Version/11.10"
41.75.85.126 - - [17/Feb/2014:05:01:21 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7289 "http://website.com:80/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:21 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7300 "http://website.com:80/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:19 -0700] "GET /portal/nuc/admin/ HTTP/1.1" 200 6615 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:20 -0700] "GET /portal/nuc/admin/ HTTP/1.1" 200 6615 "http://www.website.com/" "..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afetc/passwd"
41.75.85.126 - - [17/Feb/2014:05:01:20 -0700] "GET /portal/nuc/admin/ HTTP/1.1" 200 6615 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:21 -0700] "GET /portal/nuc/admin/ HTTP/1.1" 200 6802 "JyI=" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:21 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7280 "http://website.com:80/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:21 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7320 "http://www.website.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:21 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7310 "http://website.com:80/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:21 -0700] "GET /portal/nuc/admin/ HTTP/1.1" 200 6802 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:21 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7291 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:19 -0700] "GET /portal/nuc/admin/ HTTP/1.1" 200 6802 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:22 -0700] "GET /portal/nuc/admin/ HTTP/1.1" 200 6802 "http://www.website.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:21 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7129 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:22 -0700] "POST /portal/nuc/admin/ HTTP/1.1" 200 6970 "http://www.website.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:22 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7302 "http://website.com:80/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:23 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7098 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:24 -0700] "POST /portal/admission/admin/ HTTP/1.1" 200 7261 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"
41.75.85.126 - - [17/Feb/2014:05:01:26 -0700] "GET /portal/nuc/admin/ HTTP/1.1" 406 432 "http://www.website.com/" "file:///etc/passwd"


Re: How to secure my shared server

Post by 0phidian on Tue Feb 18, 2014 11:27 am

From just this log it looks like they are trying to find a vulnerability in your site that would display /etc/passwd.
Code:
../../../../etc/passwd

i.e. this, with different variations using hex encoding, null bytes, and escape characters.
So if you have some code that reads from a file on the server, he is trying to manipulate it into reading other files like /etc/passwd. Although, since it is a hosted server, your code shouldn't have permission to read that file anyway, so I would assume the attacker is failing at this.

I'm guessing they use a similar exploit to deface your index page. If you have code that writes to a file they are probably using it to overwrite your index page. It is hard to tell with just these logs. To know for sure we would need more info. Source code would be helpful or permission to test your site, if your are comfortable with that.
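To make 0phidian's point concrete for a reader who has to go through a log like the one above by hand, here is an added example (not code from the thread or from any poster) that parses Apache combined-format lines and flags the /etc/passwd traversal probes in whatever encoding they arrive: plain, percent-encoded, overlong UTF-8 `%c0%af`, backslashes, or with a trailing null byte. The sample lines are constructed in the shape of the posted log, with addresses from the documentation ranges rather than the real ones.

```php
<?php
// Added example, not part of the thread: scan an Apache combined-format access
// log for /etc/passwd traversal probes, whatever the encoding.
// The sample lines below are constructed in the shape of the posted log.

declare(strict_types=1);

const COMBINED_LOG = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/';

// Split one log line into named fields; null if the line is not in the format.
function parse_log_line(string $line): ?array
{
    if (!preg_match(COMBINED_LOG, rtrim($line), $m)) {
        return null;
    }
    return [
        'ip'      => $m[1],
        'time'    => $m[2],
        'method'  => $m[3],
        'path'    => $m[4],
        'status'  => (int) $m[5],
        'referer' => $m[7],
        'agent'   => $m[8],
    ];
}

// Bring the different spellings of "../" to one form before matching:
// overlong UTF-8 slash first, then percent-decoding (repeated, to catch
// double encoding), then backslashes and NUL bytes.
function normalise(string $s): string
{
    $s = str_ireplace('%c0%af', '/', $s);
    for ($i = 0; $i < 3; $i++) {
        $decoded = rawurldecode($s);
        if ($decoded === $s) {
            break;
        }
        $s = $decoded;
    }
    return str_replace(["\\", "\0"], ['/', ''], $s);
}

function looks_like_traversal(string $s): bool
{
    return (bool) preg_match('#\.\./|etc/passwd|^file:#i', normalise($s));
}

// Returns per-IP probe counts plus the fields that triggered, so the output
// can feed a deny list or a support ticket to the hosting company.
function scan_log(array $lines): array
{
    $perIp = [];
    $hits = [];
    foreach ($lines as $line) {
        $e = parse_log_line($line);
        if ($e === null) {
            continue;
        }
        // The probes in the posted log sit in the Referer and User-Agent
        // fields, not only in the request path, so all three are checked.
        foreach (['path', 'referer', 'agent'] as $field) {
            if (looks_like_traversal($e[$field])) {
                $perIp[$e['ip']] = ($perIp[$e['ip']] ?? 0) + 1;
                $hits[] = ['ip' => $e['ip'], 'time' => $e['time'], 'field' => $field, 'value' => $e[$field]];
                break; // count each request once
            }
        }
    }
    arsort($perIp);
    return ['per_ip' => $perIp, 'hits' => $hits];
}

// Constructed sample lines (documentation-range IPs, not the real ones).
$sample = [
    '203.0.113.5 - - [17/Feb/2014:05:01:13 -0700] "GET /portal/nuc/admin/ HTTP/1.1" 406 432 "http://www.example.edu/" "..%2F..%2F..%2Fetc%2Fpasswd%00.36"',
    '203.0.113.5 - - [17/Feb/2014:05:01:20 -0700] "GET /portal/nuc/admin/ HTTP/1.1" 200 6615 "-" "..%c0%af..%c0%afetc/passwd"',
    '203.0.113.5 - - [17/Feb/2014:05:01:26 -0700] "GET /portal/nuc/admin/ HTTP/1.1" 406 432 "http://www.example.edu/" "file:///etc/passwd"',
    '198.51.100.7 - - [17/Feb/2014:05:01:15 -0700] "GET /portal/admission/login.php HTTP/1.1" 200 9526 "http://www.example.edu/portal/admission/index.php" "Mozilla/5.0 (BlackBerry) Opera Mini/7.1"',
];

$result = scan_log($sample);
foreach ($result['per_ip'] as $ip => $n) {
    printf("%-15s %d traversal probe(s)\n", $ip, $n);
}
foreach ($result['hits'] as $h) {
    printf("  [%s] %s in %s: %s\n", $h['time'], $h['ip'], $h['field'], $h['value']);
}
```

Run it as `php scan.php` after replacing `$sample` with `file('access.log')`. The regex does not handle quotes escaped as `\"` inside a field, so a line that fails to parse is skipped rather than misread; a count of skipped lines is worth adding before relying on the totals. The point of the normalisation step is that a deny rule written against one literal such as `../` would miss most of the variants in the posted log, whereas comparing after decoding catches all of them.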


Re: How to secure my shared server

Post by -Ninjex- on Tue Feb 18, 2014 12:21 pm

The attacker seems to be using directory traversal attacks (like 0phidian mentioned) to overwrite the content of the index.html file.
I see from the request headers that this is POST/GET data, meaning it's more than likely being sent from a form somewhere.
Figure out what form the attacker is using, start logging IP addresses, read up on preventing directory traversal, and make sure you are stripping any information that could be malicious content, i.e. '../../'. If you are using PHP, there are a bunch of nice methods for things like this, such as mysqli_real_escape_string.


Re: How to secure my shared server

Post by lagosboy on Tue Feb 18, 2014 4:30 pm

Ninjex and 0phidian, I really appreciate your response... I've started reading up on file traversal and I've also changed folder permissions on my public_html folder and some other folders on my control panel... I use PHP and the strip_tags and trim functions. My typical login form looks like this, but I must confess that I introduced the strip_tags() after the attacks started. I'm currently being hosted by bluehost and, 0phidian, the website is http://www.oouagoiwoye.edu.ng. The hackers seem to be familiar with the hosting company, as they posted their hacks on http://www.zone-h.org/archive/notifier=Hmei7... Ever since the first attack, there have been several others within the group... the most persistent signature is BJGABBY, who is also on zone-h.org.
Code:
<form action="" method="post">
<?php
if (isset($_POST['submit'])){
   $matric = strip_tags(trim(strtoupper($_POST['matric'])));
   $sname = strip_tags(trim(strtoupper($_POST['sname'])));
   $sql = mysql_query("select * from biodata where matric = '$matric' && sname = '$sname'");
   //$result = mysql_fetch_array($sql);

   if (mysql_affected_rows() == 1) {
      //session_start();
      $_SESSION['mat'] = $matric;
      ?>
      <script language="javascript">
         alert("Welcome <?php echo $matric ?> ");
         document.location = "biodata.php";
      </script>
      <?php
      //echo "Login successful";
   } else {
      echo "Login Failed";
   }
}
?>
</form>

I use this script for my uploads

Code:
<?php
if (isset($_POST['upload'])){
   $allowedext = array("jpeg", "jpg");
   $tem = explode(".", $_FILES['passport']['name']);
   $ext = end($tem);
   if(($_FILES['passport']['size'] < 2000000) && in_array($ext,$allowedext)){
      if($_FILES["passport"]["error"] == 0){
         $pass_loc = 'passports/'.$csn.'.'.$ext;
         move_uploaded_file($_FILES['passport']['tmp_name'], $pass_loc);
         // mysql_error() takes the link resource, not a message, so the text goes in die()
         mysql_query("UPDATE biodata SET pass = '$pass_loc' WHERE csn = '$csn'") or die("connection to database failed: ".mysql_error());
         //echo $pass_loc;
         //header('location: mem_home.php');
         ?>
         <script type="text/javascript">
            alert("IMAGE UPLOADED SUCCESSFULLY");
            //window.close();
            document.location.reload();
            //window.location = "biodataform.php";
         </script>
         <?php
      }
      else
      {
         echo "Error Code: ".$_FILES["passport"]["error"]. "<br />";
      }
   } else
   {
      echo "size or image exceeded";
   }
}
?>

I have some pages that I do use to log sensitive operations... writing to a text file

Code:
<?php
if (isset($_POST['submit'])){
   $regnum = strtoupper($_POST['uname']);
   $sname = $_POST['pword'];
   $sql = mysql_query("update login set sname = '$sname' where regnum = '$regnum'");

   if (mysql_affected_rows() == 1) {
      ?>
      <script language="javascript">
         alert("PASSWORD UPDATED SUCCESSFULLY");
         document.location = "dashboard.php";
      </script>
      <?php
      $File = "admin_log.txt";
      $Handle = fopen($File, 'a');
      $Data = "ADMIN PASSWORD CHANGE BY ".$_SESSION['unam'].": CHANGED ". $regnum. " PASSWORD FROM: ".$rw['sname']." TO: ".$sname." AT ".date("F j, Y, g: i a")." \n";
      fwrite($Handle, $Data);
      fclose($Handle);
      //echo "Login successful";
   } else {
      echo "UPDATE FAILED";
   }
}
?>

I'll appreciate your suggestions and advice as to how best to be secured... I'm learning and I sincerely cherish your taking time off to assist me. God bless you


Re: How to secure my shared server

Post by 0phidian on Tue Feb 18, 2014 5:47 pm

So it looks like they log into the admin page and use something there to overwrite the index. How do they log into your admin panel? Because of this: http://www.oouagoiwoye.edu.ng/portal/admission/admin/admin_log.txt

This file should not be allowed to be read and probably stored somewhere else.
Also, I don't think it's a good idea to log the actual passwords in plain text. I would just log that it was changed. You shouldn't need to know what it is changed to if you have access to the db and can just overwrite the hash.

-- Tue Feb 18, 2014 6:44 pm --

Code:
$pass_loc = 'passports/'.$csn.'.'.$ext;

It is possible that they are using a null byte to bypass this. I suggest reading this
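The password-update script lagosboy posted and 0phidian's reply above make three separate points: the SQL is built by string interpolation, the new password is stored and logged as plain text, and the log file sits under the web root where anyone can fetch it. The following is an added example (not code from the thread or from the site) that rewrites that handler with mysqli prepared statements, `password_hash()` / `password_verify()`, and an audit entry that records who changed whose password and when, nothing more. It assumes a mysqli connection `$db` from dbconfig.php, a `pwhash` column on the posted `login` table, and `$_SESSION['unam']` holding the admin's name as in the posted code; `ADMIN_LOG` is a hypothetical path outside public_html.

```php
<?php
// Added example, not the thread's code: the password-update handler with
// prepared statements, a password hash, and an audit log that never contains
// the password and lives outside the document root.
// Assumed: $db is a mysqli connection (from dbconfig.php), the 'login' table
// has columns regnum and pwhash, and $_SESSION['unam'] names the admin.

declare(strict_types=1);

// Hypothetical location outside public_html; adjust to the account layout.
const ADMIN_LOG = __DIR__ . '/../../private/admin_log.txt';

// Only who, whom and when: neither the old nor the new password is recorded.
function build_audit_entry(string $admin, string $regnum, int $timestamp): string
{
    return sprintf("%s ADMIN %s reset password for %s\n", date('c', $timestamp), $admin, $regnum);
}

// The hash, not the password, is what reaches the database; the bound
// parameters mean quotes or SQL in either value are data, not syntax.
function update_password(mysqli $db, string $regnum, string $newPassword): bool
{
    $hash = password_hash($newPassword, PASSWORD_DEFAULT);
    $stmt = $db->prepare('UPDATE login SET pwhash = ? WHERE regnum = ?');
    $stmt->bind_param('ss', $hash, $regnum);
    $stmt->execute();
    $changed = $stmt->affected_rows === 1;
    $stmt->close();
    return $changed;
}

// Counterpart for the login page: compare against the stored hash.
function verify_login(mysqli $db, string $regnum, string $password): bool
{
    $stmt = $db->prepare('SELECT pwhash FROM login WHERE regnum = ?');
    $stmt->bind_param('s', $regnum);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();
    return $found === true && password_verify($password, $hash);
}

// $db = new mysqli(...) is assumed to come from dbconfig.php.
if (isset($_POST['submit'], $_POST['uname'], $_POST['pword'], $_SESSION['unam'], $db)) {
    $regnum = strtoupper(trim((string) $_POST['uname']));
    if (update_password($db, $regnum, (string) $_POST['pword'])) {
        file_put_contents(ADMIN_LOG, build_audit_entry($_SESSION['unam'], $regnum, time()), FILE_APPEND | LOCK_EX);
        echo 'PASSWORD UPDATED SUCCESSFULLY';
    } else {
        echo 'UPDATE FAILED';
    }
}
```

The existing plain-text `admin_log.txt` should be deleted from the web root once the new location is in place, since the values already in it are exposed regardless of what future entries contain. The same prepared-statement pattern applies to the `biodata` lookup in the posted login form: `strip_tags()` and `trim()` are about HTML, not SQL, and do not stop a quote in `$matric` or `$sname` from changing the query.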


Re: How to secure my shared server

Post by Quantum_Toilet on Tue Feb 18, 2014 6:55 pm

0phidian wrote:So it looks like they log into the admin page and use something there to overwrite the index. How do they log into your admin panel? because of this http://www.oouagoiwoye.edu.ng/portal/admission/admin/admin_log.txt

I've been following this thread with interest and I just wondered: How did you find that? I already tried the usual (searching for, say, "admin site:http://www.oouagoiwoye.edu.ng/"), but that did not yield anything useful.

Anyway, yeah, plain text passwords are a pretty big risk. And even without those, your admin log should probably be stored outside your server root. Sure, you could make it so that you simply can't access it from the web, but there is really no reason for it to be stored there.

Also, you appear to be checking for file type by checking the extension which just doesn't work 'cause you could easily just pass off anything as a ".jpg" file, including harmful executable code. Probably not what happened here, but best to clean that up.
It's best to use imagecreatefromjpeg for that. 'cause what it does is try to create a valid image from the file and returns false if it's unable to (meaning: if it's not a jp(e)g). You don't even have to do anything with the image that the function returns, you just need to make sure that it's not false.
You're gonna need GD for that, but from what I've seen, any other methods (extensions, finfo_file) can be tricked pretty easily.
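As an added example (not code from the thread or from the site), this is the posted upload handler rebuilt around the two replies above: the client's filename and extension are never used (which also closes the null-byte route 0phidian raised for `$pass_loc`), the file must decode as a JPEG through GD's `imagecreatefromjpeg()` as Quantum_Toilet suggests, and the decoded image is re-encoded so that anything appended after the JPEG data is discarded. It assumes `$csn` is the candidate's serial from the session and `$db` is a mysqli connection, as in the posted code; the 2 MB limit and the `passports/` directory are the ones the original uses.

```php
<?php
// Added example, not the thread's code: upload handler that ignores the
// client-supplied name and extension, requires the file to decode as a JPEG
// via GD, and re-encodes it before storing.
// Assumed: $csn comes from the session, $db is a mysqli connection.

declare(strict_types=1);

const MAX_PASSPORT_BYTES = 2000000;
const PASSPORT_DIR = __DIR__ . '/passports';

// Returns a GD image, or null if the file is too large or not a real JPEG.
function decode_jpeg(string $path)
{
    if (filesize($path) > MAX_PASSPORT_BYTES) {
        return null;
    }
    // imagecreatefromjpeg() emits a warning on non-JPEG data; treat that as a
    // rejection instead of letting it print into the page.
    $img = @imagecreatefromjpeg($path);
    return $img === false ? null : $img;
}

// Destination built from server-controlled parts only. $csn is restricted to
// characters that cannot form a path, so "../" or a NUL in a tampered value
// never reaches the filesystem, and the extension is always ".jpg".
function passport_path(string $csn): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $csn)) {
        return null;
    }
    return PASSPORT_DIR . '/' . $csn . '.jpg';
}

function store_passport(array $file, string $csn, mysqli $db): bool
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return false;
    }
    $dest = passport_path($csn);
    $img = decode_jpeg($file['tmp_name']);
    if ($dest === null || $img === null) {
        return false;
    }
    // Re-encode: only pixel data survives, not whatever followed the JPEG.
    $written = imagejpeg($img, $dest, 85);
    imagedestroy($img);
    if (!$written) {
        return false;
    }

    $rel = 'passports/' . basename($dest);
    $stmt = $db->prepare('UPDATE biodata SET pass = ? WHERE csn = ?');
    $stmt->bind_param('ss', $rel, $csn);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

if (isset($_POST['upload'], $_FILES['passport'], $csn, $db)) {
    echo store_passport($_FILES['passport'], (string) $csn, $db)
        ? 'IMAGE UPLOADED SUCCESSFULLY'
        : 'Upload rejected: file must be a JPEG under 2 MB';
}
```

Two things still worth doing on a shared host: make sure `passports/` has PHP execution disabled (an `.htaccess` with `php_flag engine off` or `RemoveHandler .php`, depending on what the host permits), and serve uploaded files with a fixed `Content-Type` so the browser never sniffs them. Re-encoding costs a little image quality, which is the trade for not storing bytes you did not produce.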


Re: How to secure my shared server

Post by 0phidian on Tue Feb 18, 2014 8:17 pm

Quantum_Toilet wrote:
0phidian wrote:So it looks like they log into the admin page and use something there to overwrite the index. How do they log into your admin panel? because of this http://www.oouagoiwoye.edu.ng/portal/admission/admin/admin_log.txt

I've been following this thread with interest and I just wondered: How did you find that? I already tried the usual (searching for, say, "admin site:http://www.oouagoiwoye.edu.ng/"), but that did not yield anything useful.


I just saw the file was written to in the code and checked the directories for it. 'admin_log.txt' would be easy to guess though. Perhaps the attackers have a script that crawls the site looking for files like this. It could also be found via an exploit that would give a directory listing or such.


Re: How to secure my shared server

Post by lagosboy on Wed Feb 19, 2014 6:47 am

Thanks so much for your help... I've been reading materials on directory traversal since yesterday, when you raised it as a possible source of the attack. The hacker was still able to break in and I suspect that there's a major security hole with my hosting company, "bluehost". I'd like to know how I can secure my database and other file inclusions; at the moment this is what I use for the db:
Code:
<?php include ("dbconfig.php"); ?>

img
Code:
<img src="<?php if (empty($rw['pass'])) {
      echo "passports/default.png";
   } else {
      echo $rw['pass'];
   }
?>" alt="Passport" width="150" height="150" align="middle" />

...and other file includes, to prevent them from being used as a gateway for the traversal, and also how I can prevent a hack through images being fetched from the folders. Would the realpath() PHP function come in handy here? And probably having to
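On the realpath() question in the post above: it is useful precisely for the `<img>` case, where a value read back from the database decides which file is referenced. The check is to resolve the stored path and accept it only if the resolved location is inside the passports directory; anything else, including `../` sequences, absolute paths and missing files, falls back to the default image. The block below is an added example (not code from the thread or from the site) with a self-check against a constructed directory under the system temp directory. It assumes the page lives in the site root and `$rw['pass']` holds a value such as `passports/ABC123.jpg`, as in the posted markup.

```php
<?php
// Added example, not from the thread: use realpath() to confine a stored
// image path to the passports directory before it is emitted in markup.
// Assumed: the page sits in the site root; $rw['pass'] holds values like
// 'passports/ABC123.jpg'.

declare(strict_types=1);

// Resolve $candidate and require it to sit inside $baseDir. realpath()
// collapses "..", symlinks and repeated slashes, so the prefix test runs on
// the real location rather than on the string the attacker chose.
function contained_path(string $baseDir, string $candidate): ?string
{
    $base = realpath($baseDir);
    $real = realpath($candidate);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    $base .= DIRECTORY_SEPARATOR;   // so "passports_old/..." cannot pass the prefix test
    return strncmp($real, $base, strlen($base)) === 0 ? $real : null;
}

// Value for the <img src> attribute: the stored path if it checks out,
// otherwise the default picture.
function passport_src(string $stored, string $siteRoot): string
{
    $default = 'passports/default.png';
    if ($stored === '' || contained_path($siteRoot . '/passports', $siteRoot . '/' . $stored) === null) {
        return $default;
    }
    // Rebuild the URL from the verified file name only.
    return 'passports/' . basename($stored);
}

// Self-check against a constructed directory layout, not the real site.
$root = sys_get_temp_dir() . '/portal_demo_' . getmypid();
mkdir($root . '/passports', 0700, true);
file_put_contents($root . '/passports/ABC123.jpg', 'constructed jpeg bytes');
file_put_contents($root . '/dbconfig.php', '<?php // constructed secret');

$cases = ['passports/ABC123.jpg', 'passports/../dbconfig.php', '../../etc/passwd', 'passports/missing.jpg', ''];
foreach ($cases as $stored) {
    printf("%-30s -> %s\n", var_export($stored, true), passport_src($stored, $root));
}
```

Only the first case keeps its own path; the other four resolve to `passports/default.png`. In the page itself the value should also be HTML-escaped when written into the attribute, `htmlspecialchars(passport_src($rw['pass'] ?? '', __DIR__), ENT_QUOTES)`, so a stored value cannot break out of the `src` quotes. As for `include("dbconfig.php")`: an include whose argument is a literal string is not a traversal vector; the risk appears only when any part of the included path is taken from the request, and the fix there is the same containment check or, better, a fixed whitelist of allowed includes.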


