Malicious page call?

Today for the second time (that I’m aware of) my site has received odd page calls, and I would like to know if this looks like something malicious that needs attention.

The requested addresses were:


http://mydomain.com/sheetmetel/wobbles.php?sheme=27&redirect=webcontrol1.net%2Fcheck%2Fweb.cgi&dgen=openmonitor1.net%2Fgenerator_root_1%2Fgenerator.php&secvalue=b651b3a917de86bfd567093f55691dff&cached=true&remove_file=true

http://mydomain.com/sheetmetel/wobbles.php?sheme=27&redirect=http%3A%2F%2Fwebcontrol1.net%2Fcheck%2Fweb.cgi&dgen=http%3A%2F%2Fopenmonitor1.net%2Fgenerator_root_1%2Fgenerator.php&secvalue=b651b3a917de86bfd567093f55691dff&cached=true&remove_file=true


I’ve never had anything at my site remotely like “sheetmetel”. A few days ago I got a similar call (which had “sheetmetel”), but without the appended part of the address (after the “?”).

The lookup showed the IP to be in Germany. The earlier one was listed in Holland. A search on the earlier IP revealed that the site had crashed that day and was considered by some people (at a forum) to be unreliable.

My site is only for very limited private use, still in early development, not intended for any public access, marked “no index” in the robots.txt and all the file headers; and to my knowledge the domain hasn’t been cited anywhere on the internet.

I’m wondering if this looks like something malicious that calls for some kind of action. Could a page call like this cause a problem? Is my domain name being used (via redirection) for hacking? I don’t know how to read those appended parts, and wonder if they’re some sort of script. And I wonder about that ending “remove_file=true”.

Is this something my host company would want to know about?

I’ve blocked the IPs but of course a hacker would be using various IPs, so the block seems unlikely to do much.

Thanks for the guidance.

Andante,

Malicious? Worse than that, it’s apparent that you’ve been hacked (to add sheetmetal/wobbles.php to your files) and are being used as a bot to attack other sites.

  1. USE a STRONG password (http://strongpasswordgenerator.com/) and change your passwords for your control panel and for your FTP (upload). Then be sure that you don’t include file uploads to this server without significant testing of the file before moving it into the webspace (where it can be accessed by the world).

  2. THEN DELETE everything at your site and reload with your master copy (from your computer which, presumably, is safely behind strong passwords, firewall, etc.).

  3. Contact your host and advise him of the attack (because this access could have propagated throughout their server rack). If they access your log records, they could start to trace this attack with the authorities.

Regards,

DK

Thanks for this. I’ve written to my host and am awaiting reply.

I’m a little confused here, because there’s no such file in my site (not that I can see), and those two page calls came in only one time each (on top of five earlier calls from the other IP), and they’re both marked in my Latest Visitors log as Http Code 404, which as I understand it means they got “no such file found”, meaning the server returned my 404 response, which is just one image on an otherwise blank page, no text, no links.

My site is small enough, and has low enough traffic, that I would almost surely be able to spot anything that I didn’t put there myself or that showed unusual access or bandwidth — and I don’t see anything like that. The site has no real access to “the world” because its index page is just a picture with no text or links, and the only way anything else can be viewed is by knowing the directory names, and I can see all that access, and it’s all normal.

Aside from those specific odd page calls, there’s no access to my site that I’m not well familiar with. The IPs are all friends I know well.

Am I missing something?

Thank you.

Andante,

No, I was missing something. The additional information indicates that someone was looking for that file as they believe they have a number of them “in the wild” and needed a “bot” to run some task for them. Translated, that means that, if you can confirm online that the file is not there, only the password upgrade is needed (to ensure that the file removal at the end didn’t delete it after the damage had been done to someone else … from your server). If they can upload it once, they could upload it whenever necessary unless you’re properly protected.

I’m glad that this was only a scare (one can hope that’s all it was).

Regards,

DK
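An added example (not code from anyone in this thread): a small Python script that decodes the query string of the requested addresses quoted above and scans constructed access-log lines for the pattern DK describes, a 404 for a PHP path the site never had, with parameters pointing at outside hosts and a `remove_file=true` flag. The hostnames and parameters are the ones quoted in the thread; the client IPs, timestamps and the second "normal" request are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format). The first and third
# requests reproduce the thread's probe; the IPs and timestamps are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2010:14:02:11 +0000] "GET /sheetmetel/wobbles.php?sheme=27&redirect=http%3A%2F%2Fwebcontrol1.net%2Fcheck%2Fweb.cgi&dgen=http%3A%2F%2Fopenmonitor1.net%2Fgenerator_root_1%2Fgenerator.php&secvalue=b651b3a917de86bfd567093f55691dff&cached=true&remove_file=true HTTP/1.1" 404 512
198.51.100.9 - - [10/Mar/2010:14:05:40 +0000] "GET /photos/index.php?page=2 HTTP/1.1" 200 8231
203.0.113.7 - - [10/Mar/2010:14:06:02 +0000] "GET /sheetmetel/wobbles.php HTTP/1.1" 404 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)


def describe_request(target, own_host="mydomain.com"):
    """Split a request target into path, decoded parameters, and the parameters
    whose value names a host other than this site (percent-encoding is undone
    by parse_qs, so redirect=http%3A%2F%2F... becomes a readable URL)."""
    parts = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    external = {}
    for key, value in params.items():
        # Values without a scheme (webcontrol1.net/check/web.cgi) still parse as a host.
        host = urlsplit(value if "://" in value else "//" + value).hostname
        if host and "." in host and host != own_host:
            external[key] = host
    return parts.path, params, external


def find_probes(log_text, own_host="mydomain.com"):
    """Flag 404 responses for .php paths: a request for a script that does not
    exist here is someone testing for a backdoor, not a visitor browsing the
    site. Each hit records the outside hosts named in the query and whether the
    request asked the script to delete itself (remove_file=true)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, params, external = describe_request(m["target"], own_host)
        if m["status"] == "404" and path.endswith(".php"):
            hits.append({
                "ip": m["ip"],
                "path": path,
                "external_hosts": sorted(set(external.values())),
                "self_deleting": params.get("remove_file") == "true",
            })
    return hits
```

Run on a real access log, the hits list is what to hand the host: the probing IPs, the path being looked for, and the outside hosts the probe wanted the (absent) script to contact.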

DK -

Whew! Thanks so much. I’ve changed the password, and looked through my files again and found nothing wrong in public_html or public_ftp. I’ve also notified the host in case they want to check elsewhere in their system.

Whatever else this is, it’s good learning. I’m new to this kind of thing, and it’s surely something anyone with a site should know.

Much appreciated.

Andante,

No worries. That’s what “Whitehat” hackers are supposed to do!

Regards,

DK

Did you ever hear back from the host once you contacted them? and did they do anything to help?

Hi LucyJW and welcome to the forums.

Do you have a reason for asking those questions? Usually, if it’s more than a month since the last post in a thread, it’s a better idea to start a new one rather than revive the old one.