There is a malicious user on this forum.

[maurd]

Hello, today a user from this forum tried to access my vShare installation. They failed, however I felt I should alert the community of it.

I'm attaching the log files. As you can see, a user from this forum found my vShare installation through my showcase thread (here) through the referrer information. The malicious user's IP is 71.56.249.217 and it resolves to Denver, CO in the US: 71.56.249.217/c-71-56-249-217.hsd1.co.comcast.net IP Address WHOIS | DomainTools.com

Luckily I protect my Admin CP using password-protected .htaccess file.

Code:

xxx_access_log:71.56.249.217 - - [26/Oct/2011:00:29:07 -0500] "GET / HTTP/1.1" 302 512 "http://forums.buyscripts.in/showcase-your-site/9277-beercandle-videos.html" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1"
xxx_access_log:71.56.249.217 - - [26/Oct/2011:00:52:18 -0500] "GET / HTTP/1.1" 302 512 "http://forums.buyscripts.in/showcase-your-site/9277-beercandle-videos.html" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1"
xxx_access_log:71.56.249.217 - - [26/Oct/2011:00:52:18 -0500] "GET / HTTP/1.1" 200 10754 "http://forums.buyscripts.in/showcase-your-site/9277-beercandle-videos.html" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1"
xxx_access_log:71.56.249.217 - - [26/Oct/2011:00:52:22 -0500] "GET /admin HTTP/1.1" 401 644 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1"
xxx_access_log:71.56.249.217 - admin [26/Oct/2011:00:52:27 -0500] "GET /admin HTTP/1.1" 401 180 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1"
xxx_access_log:71.56.249.217 - - [26/Oct/2011:00:52:30 -0500] "GET / HTTP/1.1" 200 5844 "http://forums.buyscripts.in/showcase-your-site/9277-beercandle-videos.html" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1"
xxx_access_log:71.56.249.217 - - [26/Oct/2011:00:52:30 -0500] "GET /recent_viewed_xml.php HTTP/1.1" 200 532 "https://video.beercandle.com/player/recent.swf" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1"
xxx_error_log:[Wed Oct 26 00:52:27 2011] [error] [client 71.56.249.217] user admin not found: /admin

[hostonnet]

He tried to access your admin page. Many do this, just accessing a page is not hacking attempt. Do you have admin folder password protected with .htaccess ? You can limit admin folder access to your IP using .htaccess like

Code:

order deny,allow
deny from all
allow from YOUR_IP_HERE

[maurd]

Yes, my /admin is protected with .htaccess. But still, what use does someone have trying to access your /admin if it's not for malicious purposes? I surely don't go around trying to access the admin panels of websites I do not own.

You can remove this thread if you want... :-)

[hostonnet]

I had tried to access admin folder of some sites, just to see what cms/software the site is using. If he was trying to hack, he would have lot of access logs. Many POST, GET, sql injection in logs etc..

[maurd]

Fair enough.

I think I overreacted. You can remove this thread hostonnet. :)

Thank you.