Wha' Happened?


#1

My stats show use from a user named ‘bogus,’ along with my own username. Have I been hacked? Should I be worried?


#2

It depends on the URL, of course.

An HTTP URL can be of this format:

http://username@hostname:port/path

Thus when the username@ part is present, the logs will show “username”. If it is not present, the logs will show “-” instead.

The username is also specified for HTTP Authentication in the request headers.

To determine if someone gained unauthorized access (“hacked”), one would obviously need to check what the URL was, if HTTP Authentication should have been required for that URL, and if someone managed to obtain a valid username and password somehow.

You have not provided enough information to determine if someone gained unauthorized access. Someone familiar with HTTP and your website would need to investigate. Or at the very least, dig out the lines from your Apache log files that specify “bogus” (in quotes) and either post them here or send them by private message to me.

:cool: Perl / MySQL / HTML+CSS


#3

I should clarify: It’s not a referrer I’m talking about. It’s a “user.” It’s filed under “User Report” in the stats. When I access my site through ftp, this is where it shows up.

There’s no URL, just username ‘bogus.’

Know what I mean?


#4

I suspect you’re talking about a wayward HTTP auth user showing up. You have any password protected directories on your site? Might want to look into what users are allowed in those directories.


#5

That is EXACTLY what I was talking about. Users have names, hence username.

If you have password-protected directories, this is done using HTTP Authentication, and the web server will record the username in the logs.

OK I did some checking, it seems the username is recorded in the logs only if the resource requested was password-protected. Besides password-protected directories, keep in mind that things like the stats page, phpMyAdmin (database user), and others also use HTTP Authentication, so this “bogus” user could be from one of those.

From Apache HTTP Server - Log Files:

“This is the userid of the person requesting the document as determined by HTTP authentication. The same value is typically provided to CGI scripts in the REMOTE_USER environment variable. If the status code for the request (see below) is 401, then this value should not be trusted because the user is not yet authenticated. If the document is not password protected, this entry will be “-” …”

Here is how one tests this:

  1. Try to access a page that is password-protected.
  2. Type in a username that is not valid in the login dialog box.
  3. When the login dialog box appears again, click Cancel and you should see the “401 Authorization Required” error page.

Next open your access.log file

You will now have two entries:

address - username [timestamp] "GET Request-URI HTTP/1.1" 401 n "Referrer" "User-Agent"
address - username [timestamp] "GET Request-URI HTTP/1.1" 401 n "Referrer" "User-Agent"

  1. address will be your IP address or hostname
  2. username will be the fake username you typed
  3. Request-URI is the page you were trying to access
  4. 401 was the status code

And you have two entries because the first one was when you first requested the page. The browser saw the 401 code, and since it didn’t already ask you for a username, shows the login box. The second entry is when the browser requests the page again, but sends the username you typed. The username is not valid, so the error code will again be 401.

:cool: Perl / MySQL / HTML CSS
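To put the advice in posts #2 and #5 into practice (pull the “bogus” lines out of access.log and tell a rejected login attempt apart from a request that actually got past HTTP Authentication), here is an added example script; it is not code from this thread or from the Apache project. It parses Apache “combined” log lines, keeps only the entries whose third field (the authenticated user) is not “-”, and, following the Apache documentation quoted above, counts a 401 entry as a rejected attempt rather than an authenticated request. The log lines embedded in it are constructed samples; the allow list of known users is an assumption you would replace with your own .htpasswd usernames.

```python
import re

# Apache "combined" log format:
#   client identd authuser [timestamp] "request" status bytes "referer" "user-agent"
# The third field (authuser) is the username from HTTP Authentication, or "-" when
# the requested resource was not password-protected. The referer/agent pair is
# optional so plain "common" format lines parse too.
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<authuser>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

# Constructed sample lines (not from the thread or any real server). Lines 2-3 are
# the two-entry 401 sequence described in post #5; line 5 is the case that matters:
# a username nobody recognises being accepted for the stats page.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /private/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.5 - bogus [10/Oct/2023:13:55:52 +0000] "GET /private/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
198.51.100.7 - alice [10/Oct/2023:14:02:11 +0000] "GET /private/report.html HTTP/1.1" 200 5120 "-" "curl/7.88"
198.51.100.7 - bogus [10/Oct/2023:14:05:03 +0000] "GET /stats/ HTTP/1.1" 200 9000 "-" "curl/7.88"
"""


def parse_line(line):
    """Return the fields of one combined-log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # "GET /path HTTP/1.1" -> "/path"; fall back to the raw request if it is malformed.
    parts = rec["request"].split(" ")
    rec["path"] = parts[1] if len(parts) >= 2 else rec["request"]
    return rec


def authuser_report(log_text):
    """Summarise every non-"-" authuser: how often it was accepted vs. rejected (401),
    and from which client addresses and paths the accepted requests came."""
    report = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["authuser"] == "-":
            continue  # unparseable, or not a password-protected resource
        entry = report.setdefault(
            rec["authuser"],
            {"authenticated": 0, "rejected": 0, "paths": set(), "clients": set()},
        )
        if rec["status"] == "401":
            # The server did not accept these credentials; the name is only what the
            # client offered, so it must not be read as a successful login.
            entry["rejected"] += 1
        else:
            entry["authenticated"] += 1
            entry["paths"].add(rec["path"])
            entry["clients"].add(rec["client"])
    return report


def unexpected_logins(report, known_users):
    """Usernames that were actually accepted but are not in your own user list.
    A name that only ever appears with 401 is a failed attempt, not a breach."""
    return sorted(
        user for user, entry in report.items()
        if entry["authenticated"] > 0 and user not in known_users
    )


if __name__ == "__main__":
    KNOWN_USERS = {"alice"}  # assumption: replace with the names in your .htpasswd files
    report = authuser_report(SAMPLE_LOG)
    for user, entry in sorted(report.items()):
        print(f"{user}: accepted={entry['authenticated']} rejected={entry['rejected']} "
              f"paths={sorted(entry['paths'])} clients={sorted(entry['clients'])}")
    print("unexpected accepted logins:", unexpected_logins(report, KNOWN_USERS))
```

Run it against your real access.log by replacing SAMPLE_LOG with the file contents; a “bogus” that only shows up with status 401 is someone guessing at a login box, while a “bogus” with 200 responses on the stats page or phpMyAdmin path is an account you need to find and remove from the relevant password file.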