In the Apache logs, requests like "GET auth.mail.ru:80/cgi-bin/auth?Login=jah***@inbox.ru" What should I do?

S

sav66222015-06-16 23:19:54

Information Security

sav6622, 2015-06-16 23:19:54

GET http://auth.mail.ru:80/cgi-bin/auth?Login=jah***@i... HTTP/1.0
In the logs I see several dozens (maybe hundreds) of similar requests... to mobile our site has nothing to do with it, at the same time there is a SYN attack going on... it looks like somewhere hacked or an android application or something similar... or even an accident...
Passwords and logins, of course, are available in clear text...
What should I do?
PS As a result, the head of the mail.ru security group contacted me, and suggested that the address of our server in March 2015 and later was on the list
of proxies. We do not find traces of any redirect on port 80, perhaps we got into the lists by accident.
Can anyone tell me what " Gscraper proxies " is? some nonsense is going on...

Reply

Answer the question

In order to leave comments, you need to log in

2 answer(s)

V

Viktor Koltcov, 2015-06-17
@Vityarik

Write to the mail whose addresses you receive, where they indicated their address and password recently.

S

Sergey N, 2015-06-18
@Albibek

Most likely you have been hacked, probably installed a module for apache. Judging by the mention of gscraper, a module is installed that can become a proxy for www.gscraper.com (automatic search for these proxies is mentioned in the features there). Actually, this is how your server is apparently used - as a proxy to hide their actions.
It's hard to say what to do without more information. It is necessary to find out what was installed and how, and in general, whether it was installed. I would start by checking the host via rkhunter, chkrootkit, checksumming files from packages.