Have I been hacked?

I'm experimenting with accessing my Arduino via the web and am using Apache. I messed up and left my server running for a few days... my computer is connected to the web via a router with Windows Firewall also running, but nothing substantial in the way of security.

I pulled my access log today and noticed some suspicious activity and I don't know if someone tried or successfully hacked my computer.

Can anyone offer advice?

- - [21/Jan/2010:05:03:53 -0500] "GET //phpmyadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 403 234
- - [21/Jan/2010:05:03:54 -0500] "GET //pma/config/config.inc.php?p=phpinfo(); HTTP/1.1" 403 227
- - [21/Jan/2010:05:03:54 -0500] "GET //admin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 403 229
- - [21/Jan/2010:05:03:54 -0500] "GET //dbadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 403 231
- - [21/Jan/2010:05:03:55 -0500] "GET //mysql/config/config.inc.php?p=phpinfo(); HTTP/1.1" 403 229
- - [21/Jan/2010:05:03:55 -0500] "GET //php-my-admin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 403 236
- - [21/Jan/2010:05:03:55 -0500] "GET //myadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 403 231
- - [21/Jan/2010:05:03:55 -0500] "GET //PHPMYADMIN/config/config.inc.php?p=phpinfo(); HTTP/1.1" 403 234
- - [21/Jan/2010:05:03:56 -0500] "GET //phpMyAdmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 403 234
- - [21/Jan/2010:05:03:56 -0500] "GET //config/config.inc.php?p=phpinfo(); HTTP/1.1" 403 223
- - [21/Jan/2010:05:03:56 -0500] "GET //phppgadmin/config.inc.php?p=phpinfo(); HTTP/1.1" 403 227
- - [21/Jan/2010:05:03:57 -0500] "GET //phpmyadmin2/config.inc.php?p=phpinfo(); HTTP/1.1" 403 228
- - [21/Jan/2010:05:03:57 -0500] "GET //phpMyAdmin2/config.inc.php?p=phpinfo(); HTTP/1.1" 403 228
- - [21/Jan/2010:05:03:57 -0500] "GET //mail/config.inc.php?p=phpinfo(); HTTP/1.1" 403 221
- - [21/Jan/2010:05:03:57 -0500] "GET //webmail/config.inc.php?p=phpinfo(); HTTP/1.1" 403 224
- - [21/Jan/2010:05:03:58 -0500] "GET / HTTP/1.1" 403 202
- - [21/Jan/2010:13:42:40 -0500] "GET http://www.droog.com/contents/products/multibox/touch_wood_01.jpg HTTP/1.1" 403 246

I ran a whois on the two listed IPs and they both came back to RIPE network overseas. Rather worrisome. I do keep sensitive data on this machine. Is there any way to tell if anything outside my server's root directory was accessed?

We get that sort of stuff regularly. I'm surprised something more dangerous (like the Morpheus Effin Scanner) hasn't come knocking. It's the price you pay for connecting a computer to the internet. Our ISP has started probing as well; presumably to ensure there isn't a weakness that would compromise their equipment.

I do keep sensitive data on this machine

Keeping a web server safe is a difficult task; certainly beyond my skill and patience. If you're uneasy about simple probes I respectfully suggest that you keep sensitive data off your web server.

If you don't have that option and you're using Windows, run Apache under a very restricted user account (no access outside the Apache folder; read-only access in the folder; every file access logged).

I ran a whois on the two listed IPs and they both came back to RIPE network overseas

Fortuna Graphic A/S in Denmark and ADDIO Ltd. in Latvia. If you have the energy, contact them and their ISP about the problem. I gave up long ago. It just isn't worth the effort.

Is there any way to tell if anything outside my server's root directory was accessed?

It's my understanding that the default installation of Apache is very secure. Have you made configuration changes? Have you enabled PHP?

Thanks for the help! PHP is also installed... the install was done with WampServer.

PHP is also installed

That's probably the biggest risk. PHP allows external programs to be run which could give a hacker access to the computer. I believe those features are disabled by default.

install was done with the WampServer

Never used it.

That's a pretty standard scan for vulnerabilities in phpMyAdmin. This MySQL management tool can be cheesecloth at times. It looks like they're trying to invoke phpinfo() to see what versions and modules you're running. In the sample entries shown, you were serving "403 Forbidden" responses. If it was showing "200 OK" responses, that would indicate they successfully contacted something. See the below link for deciphering "common log" entries


Not sure how up-to-date WampServer is kept, but on LAMP, patching Apache and PHP is a continuous process. Check in regularly for updates and get acquainted with their installation. Personally, I would kill phpMyAdmin or limit it to localhost access only.

I can pretty much tell what the exploit of the moment is by these kind of probe entries in the log. The last WordPress black hole generated a pretty good torrent of traffic.
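To make the 403-versus-200 distinction from the reply above concrete, here is an added Python example (not code from this thread) that parses Apache common-log lines like the ones posted, flags the phpMyAdmin/phpinfo() probe family plus the absolute-URL request (a request for a third-party URL is a check for an open proxy), and reports, per source host, anything that was answered with 2xx rather than refused. The IP addresses and the final 200 entry are constructed sample data, since the posted entries had the addresses stripped; the marker list and the 2xx threshold are this example's own assumptions.

```python
import re
from collections import Counter

# Apache "common log" format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]+))?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed markers for the phpMyAdmin / phpinfo() probe family seen in the thread.
PMA_MARKERS = ("config.inc.php", "phpmyadmin", "phpinfo")

# Constructed sample input: the thread's entries with placeholder (RFC 5737) source
# addresses, plus one made-up 200 line showing what a successful hit would look like.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Jan/2010:05:03:53 -0500] "GET //phpmyadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 403 234',
    '203.0.113.5 - - [21/Jan/2010:05:03:54 -0500] "GET //pma/config/config.inc.php?p=phpinfo(); HTTP/1.1" 403 227',
    '203.0.113.5 - - [21/Jan/2010:05:03:56 -0500] "GET //config/config.inc.php?p=phpinfo(); HTTP/1.1" 403 223',
    '203.0.113.5 - - [21/Jan/2010:05:03:58 -0500] "GET / HTTP/1.1" 403 202',
    '198.51.100.7 - - [21/Jan/2010:13:42:40 -0500] "GET http://www.droog.com/contents/products/multibox/touch_wood_01.jpg HTTP/1.1" 403 246',
    '192.0.2.9 - - [22/Jan/2010:02:10:11 -0500] "GET /phpMyAdmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 200 5120',
]


def parse_line(line):
    """Split one common-log line into its fields; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Label a request: 'pma_probe', 'proxy_probe', or 'other'."""
    target = entry["target"].lower()
    # An absolute URL in the request line asks the server to fetch a third-party
    # resource, i.e. it tests whether the server is an open proxy.
    if target.startswith(("http://", "https://")):
        return "proxy_probe"
    if any(marker in target for marker in PMA_MARKERS):
        return "pma_probe"
    return "other"


def triage(lines):
    """Count probes per source host and record any probe answered with 2xx.

    A 403 (or 404) means Apache refused the request or had nothing there; a 2xx
    means the request reached something that answered, which is the case worth
    investigating.
    """
    summary = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        if label == "other":
            continue
        rec = summary.setdefault(entry["host"], {"probes": Counter(), "served": []})
        rec["probes"][label] += 1
        if 200 <= entry["status"] < 300:
            rec["served"].append((entry["target"], entry["status"]))
    return summary


def report(summary):
    """Render the triage summary as text lines, hosts with served probes first."""
    lines = []
    for host, rec in sorted(summary.items(), key=lambda kv: -len(kv[1]["served"])):
        counts = ", ".join(f"{k}={v}" for k, v in sorted(rec["probes"].items()))
        verdict = "ALL REFUSED" if not rec["served"] else f"{len(rec['served'])} SERVED"
        lines.append(f"{host}: {counts} -> {verdict}")
        for target, status in rec["served"]:
            lines.append(f"    {status} {target}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

Run it against a real access_log by replacing SAMPLE_LOG with the file's lines; any host listed as SERVED is the one to chase, and a host whose probes were all refused is the everyday background scanning the thread describes.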

This is nothing to worry about, as long as you keep your software versions up to date. Basically there are worms that scan as many computers round the net as they can, trying known vulnerabilities to get into systems. It's all done by trial and error, and it's surprising how many computers they can actually get into, as nowhere near as many people apply patches as they should and keep their software up to date.

As a result, any device connected to the net will be scanned on a daily basis by various worms etc., and you can see similar in pretty much any log file of a device left connected to the net for a couple of days. IPs are scanned in numerical order; they aren't targeting you specifically.

As long as you install security patches / upgrades as they are released you should be pretty well protected (although nothing is 100% secure).

Wow, great info guys! Thank you!