My forum is quite popular, so I'm a bigger target to a lot of people; I'm sure it wouldn't be used on just anybody.
- - - Updated - - -
I've been following the logs for the past few days for the specific browser tag, given it's rather unique, and I notice that the browser matches up with a specific person who is trying to access the arcade a lot but keeps being redirected. I'm still positive this came from arcade.php, given this is the only URL they were accessing, and they somehow managed to obtain the key required to forcefully reset the password.
His first access to the forum goes directly to arcade.php again.
Code:
root@dmca [/home/domain/access-logs]# cat forum.domain.com | grep "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
200.61.162.246 - - [23/Jan/2013:11:19:28 +0000] "GET /f459/ep8-server-files-db-justin-905705/index23.html HTTP/1.1" 200 25757 "http://forum.domain.com/f459/ep8-server-files-db-justin-905705/index22.html" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
186.215.116.36 - - [23/Jan/2013:12:01:56 +0000] "GET /f563/windows-7-serial-keys-x0x-746813/ HTTP/1.1" 200 12735 "https://www.google.com.br/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
200.61.162.246 - - [23/Jan/2013:12:19:34 +0000] "POST /ajax.php HTTP/1.1" 200 134 "http://forum.domain.com/f459/ep8-server-files-db-justin-905705/index23.html" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
200.61.162.246 - - [23/Jan/2013:13:19:34 +0000] "POST /ajax.php HTTP/1.1" 200 135 "http://forum.domain.com/f459/ep8-server-files-db-justin-905705/index23.html" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [23/Jan/2013:14:20:08 +0000] "GET /arcade.php HTTP/1.1" 301 26 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [23/Jan/2013:14:20:08 +0000] "GET / HTTP/1.1" 200 11454 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [23/Jan/2013:14:20:10 +0000] "GET /arcade.php HTTP/1.1" 301 26 "http://forum.domain.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [23/Jan/2013:14:20:11 +0000] "GET / HTTP/1.1" 200 11454 "http://forum.domain.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [23/Jan/2013:14:20:19 +0000] "GET /f71/ HTTP/1.1" 200 13239 "http://forum.domain.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [23/Jan/2013:14:20:29 +0000] "GET /arcade.php HTTP/1.1" 301 26 "http://forum.domain.com/f71/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [23/Jan/2013:14:20:29 +0000] "GET / HTTP/1.1" 200 11457 "http://forum.domain.com/f71/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [23/Jan/2013:14:20:35 +0000] "GET /raffles.php HTTP/1.1" 200 6823 "http://forum.domain.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [23/Jan/2013:15:30:05 +0000] "GET /arcade.php HTTP/1.1" 301 26 "http://forum.domain.com/raffles.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [23/Jan/2013:15:30:05 +0000] "GET / HTTP/1.1" 200 11464 "http://forum.domain.com/raffles.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
90.185.88.194 - - [23/Jan/2013:21:44:04 +0000] "GET /f563/windows-7-serial-keys-x0x-746813/ HTTP/1.1" 200 12734 "https://www.google.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
Here is the IP log for that person again today:
Code:
root@dmca [/home/domain/access-logs]# cat forum.domain.com | grep "91.236.116.142"
91.236.116.142 - - [23/Jan/2013:14:19:47 +0000] "GET /arcade.php?do=pnFStoreScore HTTP/1.1" 301 26 "http://forum.domain.com/arcade.php?do=pnFStoreScore" "Mozilla/5.0"
91.236.116.142 - - [23/Jan/2013:14:19:48 +0000] "GET / HTTP/1.1" 200 11391 "http://forum.domain.com/arcade.php?do=pnFStoreScore" "Mozilla/5.0"
91.236.116.142 - - [23/Jan/2013:14:20:08 +0000] "GET /arcade.php HTTP/1.1" 301 26 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [23/Jan/2013:14:20:08 +0000] "GET / HTTP/1.1" 200 11454 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [23/Jan/2013:14:20:10 +0000] "GET /arcade.php HTTP/1.1" 301 26 "http://forum.domain.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [23/Jan/2013:14:20:11 +0000] "GET / HTTP/1.1" 200 11454 "http://forum.domain.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [23/Jan/2013:14:20:19 +0000] "GET /f71/ HTTP/1.1" 200 13239 "http://forum.domain.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [23/Jan/2013:14:20:29 +0000] "GET /arcade.php HTTP/1.1" 301 26 "http://forum.domain.com/f71/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [23/Jan/2013:14:20:29 +0000] "GET / HTTP/1.1" 200 11457 "http://forum.domain.com/f71/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [23/Jan/2013:14:20:35 +0000] "GET /raffles.php HTTP/1.1" 200 6823 "http://forum.domain.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [23/Jan/2013:14:20:56 +0000] "HEAD /arcade.php HTTP/1.1" 301 0 "-" "curl/7.26.0"
91.236.116.142 - - [23/Jan/2013:14:21:03 +0000] "HEAD /afds.php HTTP/1.1" 301 0 "-" "curl/7.26.0"
91.236.116.142 - - [23/Jan/2013:15:30:05 +0000] "GET /arcade.php HTTP/1.1" 301 26 "http://forum.domain.com/raffles.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [23/Jan/2013:15:30:05 +0000] "GET / HTTP/1.1" 200 11464 "http://forum.domain.com/raffles.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
root@dmca [/home/domain/access-logs]#
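The two greps above do the triage by hand: filter on the exact user-agent string, then pivot to the one IP that keeps hitting arcade.php. The following Python script is an added example, not code from the original post, that performs the same two pivots in one pass over a combined-format access log and also records what a user-agent-only grep hides (the same Chrome string is sent by several unrelated IPs, while the suspicious IP switches between three different user-agents, including curl). The sample entries are copied from the log posted above; the function names (`parse_log`, `ips_for_user_agent`, `profile_ip`) and the `watched_path` parameter are this example's own.

```python
"""Pivot an Apache 'combined' access log by user-agent and by client IP."""
import re
from datetime import datetime

# Field layout of the combined log format seen in the log above:
#   ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The browser string the poster grepped for.
CHROME_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 "
             "(KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4")

# A few entries copied verbatim from the access log posted above (not a full log).
SAMPLE_LOG = """\
200.61.162.246 - - [23/Jan/2013:11:19:28 +0000] "GET /f459/ep8-server-files-db-justin-905705/index23.html HTTP/1.1" 200 25757 "http://forum.domain.com/f459/ep8-server-files-db-justin-905705/index22.html" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [23/Jan/2013:14:19:47 +0000] "GET /arcade.php?do=pnFStoreScore HTTP/1.1" 301 26 "http://forum.domain.com/arcade.php?do=pnFStoreScore" "Mozilla/5.0"
91.236.116.142 - - [23/Jan/2013:14:20:08 +0000] "GET /arcade.php HTTP/1.1" 301 26 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [23/Jan/2013:14:20:08 +0000] "GET / HTTP/1.1" 200 11454 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [23/Jan/2013:14:20:56 +0000] "HEAD /arcade.php HTTP/1.1" 301 0 "-" "curl/7.26.0"
91.236.116.142 - - [23/Jan/2013:14:21:03 +0000] "HEAD /afds.php HTTP/1.1" 301 0 "-" "curl/7.26.0"
90.185.88.194 - - [23/Jan/2013:21:44:04 +0000] "GET /f563/windows-7-serial-keys-x0x-746813/ HTTP/1.1" 200 12734 "https://www.google.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
"""


def parse_log(text):
    """Return one dict per parseable line, sorted by timestamp; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return sorted(entries, key=lambda e: e["time"])


def ips_for_user_agent(entries, ua):
    """Every client IP that sent exactly this user-agent (what the first grep answers)."""
    return sorted({e["ip"] for e in entries if e["ua"] == ua})


def profile_ip(entries, ip, watched_path="/arcade.php"):
    """What one client did: first request, user-agents used, hits on the watched script, redirects.

    watched_path is compared against the request path with the query string removed,
    so /arcade.php?do=... counts as a hit on /arcade.php.
    """
    own = [e for e in entries if e["ip"] == ip]
    if not own:
        return None
    return {
        "first_request": own[0]["path"],
        "user_agents": {e["ua"] for e in own},
        "watched_hits": sum(1 for e in own if e["path"].split("?", 1)[0] == watched_path),
        "redirects": sum(1 for e in own if 300 <= e["status"] < 400),
        "requests": [(e["time"].strftime("%H:%M:%S"), e["method"], e["path"], e["status"])
                     for e in own],
    }


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    # Step 1: the user-agent grep. Several IPs share the string, so it is not an identity.
    for ip in ips_for_user_agent(log, CHROME_UA):
        p = profile_ip(log, ip)
        print(f"{ip}: first={p['first_request']} arcade_hits={p['watched_hits']} "
              f"user_agents={len(p['user_agents'])} redirects={p['redirects']}")
    # Step 2: the IP pivot, including requests made with other user-agents.
    for req in profile_ip(log, "91.236.116.142")["requests"]:
        print(*req)
```

Run on a real log, `parse_log(open(path).read())` replaces `SAMPLE_LOG`. The useful output is the per-IP profile rather than the user-agent match: for 91.236.116.142 the first request is already `/arcade.php?do=pnFStoreScore`, the same host later sends `HEAD` requests from `curl/7.26.0`, and every hit on `arcade.php` is answered with a 301, which is consistent with the poster's reading that the redirect is in place and the script is being probed rather than used.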