Garbled text in server logs

@Looi9037786

Posted in: #Logging

I recently looked over my server's logs and I found a bunch of garbled text.

Here is a link to the full log, and here is a snapshot of what it looks like:

¹^œÌÓûFF™ÃŒ-ôÚÏàÃÒNRs§cÝi ~F#J"|³Ôq0ã~QQbA ¼¹¦’š¶É3œßå<ú€Ç©XAwdL?R°ÝbÒt©ôÇ·Æ…÷q˜ÇѺ| Þ,߯¡Êr yR¤Q¹Jêlš‘AzP ¦ÂY„ÉÉ,æ™ U™»ì³ÔÝáCÿ42‹Ö.nŽÉ2%ÓN8i4Œ®¿‘•"-se•äŽ¿ÊÁ§€þ 8åv%'#Äpžs/ÙÍ:¡1ÑÖÃå ºu|Q®!ÏyÆ,­NR@¶ËȯRDkã=ÿÀܸ ›¼Ô ’ð>ÓÌBftdÃ8–é}‰[øbãÝÁ嘲b¾W n´tT­œpäNëëÔ ·RUÓP+ÅuKÁ£¬âÌ®:J<ÍÁ0:Q%ª(Œ˜E-ÁI:ï™4®hæœT†«);°Çda@´#èì}‡£ü•{57ý]¼|øÓñð÷ÈÌð‡MkŠâ•C~$Óô#ÙV¾Núå.#Á]vôžóæ» V&8)%øVSž“±ÔQLåÓý1–ŽÃßQ$¹ýž")ÈûQcÄý_ÔüGP=s‹vq#Pmoo.tigertutorialscomµÐOKÃ0ð»Ÿâ‘ØH“


What is this? And is someone trying to do something to my website?


2 Comments


@Sims2060225

The actual Ezooms bot seems fairly legit: user-agent-string.info/list-of-ua/bot-detail?bot=Ezooms
However, this is most likely the result of some kind of hack attempt. But here are a few observations:


The last few coherent log entries show Ezooms requesting robots.txt, and then making the "questionable" request almost an hour later. So, why does a malicious bot need robots.txt? And why wait so long if this is just a hack attempt? And why use such an obscure user agent string? Why not blend in with all the regular desktop clients or the Google bot?

The Ezooms bot requests come from Wowrack.com's net block. Which suggests this is likely the real Ezooms bot.

The binary data looks like it could be a gzip file (maybe a phpshell-type backdoor), as 1F 8B 08 08 F9 is the gzip header.

Shortly after the zip header, you have the original filename, which seems to be "tigertutorialscom". Tigertutorials.com just so happens to be another site hosted off of the same IP as your website, and it seems to have a pretty severe security flaw.


Most probably, the other site got compromised due to bad server-side coding, and then your account was compromised due to poor web server configurations. Ezooms probably has nothing to do with it.

If your logs continue to be corrupted like this, try to make quarter-hourly backups to a separate location or email them to yourself, so you can see what the logs looked like before they were overwritten.

I'm too lazy to do this (I don't think pastebin is binary-safe, and the line breaks seem to have been stripped from the log data anyway), but you should be able to extract the binary data from the log file and see if it's a valid gzip file, and, if it is, see what its contents are.

In any case, you should probably treat your site/web hosting account as if it's compromised at least until your web host can explain how your log file ended up like that. If they can't, you might consider switching web hosts.

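The extraction step the answer above describes, as an added example that is not part of either answer: scan the raw log bytes for the 1F 8B gzip magic, parse the RFC 1952 header to read the FNAME field (the "tigertutorialscom" visible in the blob), and inflate the member in memory to confirm it is a valid gzip file and preview its contents without writing anything to disk. The sample log is constructed for the example; the IP address, timestamps and placeholder contents are not from the poster's log.

```python
import gzip, io, struct, zlib

GZIP_MAGIC = b"\x1f\x8b"  # the "1F 8B" at the start of the blob in the log

def parse_gzip_header(data):
    """RFC 1952 member header -> {method, name (FNAME field), header_len}, or None."""
    try:
        if len(data) < 10 or data[:2] != GZIP_MAGIC:
            return None
        method, flags, pos = data[2], data[3], 10  # CM 08 = deflate; FLG 08 = FNAME set
        if flags & 0x04:  # FEXTRA: 2-byte length plus that many bytes
            pos += 2 + struct.unpack("<H", data[pos:pos + 2])[0]
        name = None
        if flags & 0x08:  # FNAME: zero-terminated original file name
            end = data.index(b"\x00", pos)
            name, pos = data[pos:end].decode("latin-1"), end + 1
        if flags & 0x10:  # FCOMMENT: zero-terminated comment
            pos = data.index(b"\x00", pos) + 1
        pos += 2 if flags & 0x02 else 0  # FHCRC: 16-bit header CRC
        return {"method": method, "name": name, "header_len": pos}
    except (struct.error, ValueError):  # truncated, or not really a header
        return None

def find_gzip_members(log_bytes):
    """Find gzip members in raw log bytes, inflate each in memory, verify its trailer."""
    found, start = [], 0
    while (idx := log_bytes.find(GZIP_MAGIC, start)) >= 0:
        hdr = parse_gzip_header(log_bytes[idx:])
        if hdr and hdr["method"] == 8:
            inflater = zlib.decompressobj(wbits=-15)  # raw deflate stream follows the header
            try:
                payload = inflater.decompress(log_bytes[idx + hdr["header_len"]:])
            except zlib.error:
                payload = b""
            trailer = inflater.unused_data[:8]  # CRC32 + ISIZE, little-endian
            expected = (zlib.crc32(payload) & 0xFFFFFFFF, len(payload) & 0xFFFFFFFF)
            valid = inflater.eof and len(trailer) == 8 and struct.unpack("<II", trailer) == expected
            found.append({"offset": idx, "name": hdr["name"], "valid": valid, "size": len(payload), "preview": payload[:40]})
        start = idx + 2  # keep scanning past this magic
    return found

def build_sample_log():
    """Constructed sample, not the poster's log: log line, gzip member named 'tigertutorialscom', log line."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename="tigertutorialscom", mode="wb", fileobj=buf) as gz:
        gz.write(b"placeholder contents, constructed for this example\n")
    before = b'203.0.113.5 - - [09/Aug/2012:00:00:01 -0400] "GET /robots.txt HTTP/1.0" 200 24 "-" "-"\n'
    after = b'203.0.113.5 - - [09/Aug/2012:00:58:17 -0400] "GET / HTTP/1.0" 200 1 "-" "-"\n'
    return before + buf.getvalue() + after
```

Run it against a real log with `find_gzip_members(open("access.log", "rb").read())`; a member that reports `valid: False` is either truncated (the log was overwritten mid-write) or not gzip at all.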

@Carla537

I would be suspicious:

208.115.113.90 - - [09/Aug/2012:00:58:17 -0400] "GET /?p=unauthmanagement HTTP/1.0" 200 8998 "-" "Mozilla/5.0 (compatible; Ezooms/1.0; ezooms.bot@gmail.com)" ‹ùU#Pmoo.tigertutorialscom

First: GET /?p=unauthmanagement


What is this? Does this page exist? "unauthorized management" could be a script that someone uploaded to do malicious things to the server.


Second: compatible; Ezooms/1.0; ezooms.bot@gmail.com


There are lots of comments on this bot from people who have seen it in the past. See here: www.spambotsecurity.com/forum/viewtopic.php?f=43&t=784

On the off-chance someone breached your server, and (intentionally) garbled the logs like that, you'd want to investigate this.

Or, maybe your logs got corrupted from size, I don't know. I've seen that happen in the past on older servers being used not for what they were intended (10 gigabyte/day logs). Did you maybe change the character encoding of your log file by accident? Did the server shut down while it was writing the logs?
