Owdy Posted December 6, 2012
Tons of these: client denied by server configuration: /home/public_html/forum/cache/df.php Any ideas what that is?
andret Posted December 6, 2012
Care to provide more info? Do you have access to your Apache configs? If yes, how are your <Directory> settings? Any Deny from All that could affect that folder? Do you use .htaccess? Could settings in those prevent access?
Owdy (Author) Posted December 6, 2012
I have my own server, but I don't even have a forum/cache/df.php file in the cache folder.
Marcher Technologies Posted December 6, 2012
> Tons of these: client denied by server configuration: /home/public_html/forum/cache/df.php Any ideas what that is?
At a guess, by the really odd filename, and that it is being requested like that, your server config is saving your ***.
Dmacleo Posted December 6, 2012
iirc, and it's been a LONG time since I saw this error, this MAY help but just check it out before applying. Make sure it's not related to recent hacks.
Marcher Technologies Posted December 6, 2012
shrugs, I said what I did as that is not a file IPB generates or has there, is not native, therefore.....
Dmacleo Posted December 6, 2012
yeah I just caught that too. Damned nerve meds messed up my eyesight and I missed the file name.
Aiwa Posted December 6, 2012
That's not an IP.Board file... That's likely a hack file... Sounds to me like you've got .htaccess directory execution turned on and it saved you...
Owdy (Author) Posted December 6, 2012
I don't think this is a hacking issue. It started right after I moved servers.
Owdy (Author) Posted December 6, 2012
There is an .htaccess in that folder:

    #<ipb-protection>
    <Files ~ "^.*.(php|cgi|pl|php3|php4|php5|php6|phtml|shtml)">
    Order allow,deny
    Deny from all
    </Files>
    #</ipb-protection>

Is that correct? It denies files from that dir.
Aiwa Posted December 6, 2012
Yup, that's correct. You want that .htaccess file there... It keeps scripts like that ##.php from executing.
Owdy (Author) Posted December 6, 2012
Yep, but that file creates that error. I just wonder what calls that file df.php. They come from such strange IPs:

    [Thu Dec 06 16:32:45 2012] [error] [client 173.254.28.143] client denied by server configuration: /home/mysite/public_html/forum/cache/df.php
    [Thu Dec 06 16:59:11 2012] [error] [client 122.155.168.150] client denied by server configuration: /home/mysite/public_html/forum/cache/df.php
    [Thu Dec 06 17:01:57 2012] [error] [client 66.147.244.199] client denied by server configuration: /home/mysite/public_html/forum/cache/df.php
    [Thu Dec 06 17:06:48 2012] [error] [client 50.97.141.131] client denied by server configuration: /home/mysite/public_html/forum/cache/df.php
    [Thu Dec 06 17:11:03 2012] [error] [client 94.125.177.150] client denied by server configuration: /home/mysite/public_html/forum/cache/df.php
    [Thu Dec 06 17:16:52 2012] [error] [client 85.128.250.2] client denied by server configuration: /home/mysite/public_html/forum/cache/df.php
    [Thu Dec 06 17:18:55 2012] [error] [client 184.107.58.85] client denied by server configuration: /home/mysite/public_html/forum/cache/df.php
    [Thu Dec 06 17:25:39 2012] [error] [client 69.89.31.87] client denied by server configuration: /home/mysite/public_html/forum/cache/df.php
    [Thu Dec 06 17:27:26 2012] [error] [client 74.50.8.235] client denied by server configuration: /home/mysite/public_html/forum/cache/df.php
    [Thu Dec 06 17:39:50 2012] [error] [client 188.165.230.48] client denied by server configuration: /home/mysite/public_html/forum/cache/df.php
    [Thu Dec 06 17:40:55 2012] [error] [client 91.151.211.1] client denied by server configuration: /home/mysite/public_html/forum/cache/df.php
    [Thu Dec 06 17:48:19 2012] [error] [client 134.0.11.137] client denied by server configuration: /home/mysite//public_html/forum/cache/df.php
    [Thu Dec 06 17:50:48 2012] [error] [client 69.89.31.135] client denied by server configuration: /home/mysite/public_html/forum/cache/df.php
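A way to triage error-log entries like the ones in the post above, as an added example that is not part of the original thread: it groups "client denied" lines by normalized path and separates a script in cache/hooks/uploads requested by several clients with no referer from a denial that carries a referer. The sample lines, the IP addresses (documentation ranges), the `min_clients` threshold and the function names are constructed for illustration; the no-referer rule is a heuristic assumption, not an IP.Board check.

```python
import posixpath
import re
from collections import defaultdict

# Apache 2.2-style error line, the format shown in the thread.
LINE_RE = re.compile(
    r"\[client (?P<ip>[0-9a-fA-F.:]+)\] client denied by server configuration: "
    r"(?P<path>\S+?)(?:, referer: (?P<referer>\S+))?\s*$"
)
SCRIPT_EXT = (".php", ".cgi", ".pl", ".phtml", ".shtml")
WATCHED_DIRS = ("/cache/", "/hooks/", "/uploads/")


def summarize(lines):
    """Group 'client denied' errors by normalized path."""
    stats = defaultdict(lambda: {"hits": 0, "clients": set(), "referers": set()})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        # normpath folds variants such as /home/mysite//public_html/...
        entry = stats[posixpath.normpath(m.group("path"))]
        entry["hits"] += 1
        entry["clients"].add(m.group("ip"))
        if m.group("referer"):
            entry["referers"].add(m.group("referer"))
    return dict(stats)


def probed_scripts(stats, min_clients=3):
    """Heuristic (assumption): scripts in watched dirs, many clients, no referer."""
    return sorted(
        path for path, e in stats.items()
        if path.lower().endswith(SCRIPT_EXT)
        and any(d in path for d in WATCHED_DIRS)
        and len(e["clients"]) >= min_clients
        and not e["referers"]
    )


# Constructed sample in the thread's log format.
SAMPLE_LOG = """\
[Thu Dec 06 16:32:45 2012] [error] [client 192.0.2.10] client denied by server configuration: /home/mysite/public_html/forum/cache/df.php
[Thu Dec 06 16:59:11 2012] [error] [client 198.51.100.7] client denied by server configuration: /home/mysite/public_html/forum/cache/df.php
[Thu Dec 06 17:48:19 2012] [error] [client 203.0.113.5] client denied by server configuration: /home/mysite//public_html/forum/cache/df.php
[Thu Dec 06 21:19:14 2012] [error] [client 192.0.2.44] client denied by server configuration: /home/mysite/public_html/foorumi/public/style_emoticons/index.php, referer: http://forum.example/topic/1/
"""

if __name__ == "__main__":
    for path in probed_scripts(summarize(SAMPLE_LOG.splitlines())):
        print("review:", path)
```
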
Aiwa Posted December 6, 2012
Does the file exist on your server? Might be hackers trying to hit files on your server just guessing...
Marcher Technologies Posted December 6, 2012
> Does the file exist on your server? Might be hackers trying to hit files on your server just guessing...
My guess. No it does not exist. They think it does, or moreover, are hitting it to try to determine if it is there. I would seriously be certain, however, that your server is clean; that could very well be a file or a corrupted hook trying to infect the cache/image dirs and spew havoc from there, as this specific one is known to do....
Owdy (Author) Posted December 6, 2012
I forgot, I get the same kind of errors sometimes also from broken smilies. Post: http://hoitajat.net/foorumi/topic/2424-laakelaskut-tokkii/#entry33572 creates this in the Apache log:

    [Thu 2012 Dec 06 21:19:14] [error] [client 212.226.56.57] client denied by server configuration: /home/mysite/public_html/foorumi/public/style_emoticons/index.php, referer: http://hoitajat.net/foorumi/topic/2424-laakelaskut-tokkii/

I got those broken smilies because I have a converted board. Editing the post and saving it fixes it. Knowing this, that df.php error could be basically anything :(
Dmacleo Posted December 6, 2012
Is df.php a file used in whatever you converted from, and is there a search/sitemap pointing to it somewhere?
bfarber Posted December 6, 2012
Your server has been compromised, likely due to the issue we patched on November 6th. I recommend running the IP.Board security center tools to look for suspicious files and remove anything that does not belong. On the upside, as you have .htaccess protection in those directories, the files are not accessible, which is why you're seeing those error messages being logged (this is a good thing in this case).
Dmacleo Posted December 6, 2012
Wonder if the prior board was actually the compromised one. It's not mentioned what the board or conversion time was, but I wonder if that's what happened.
Owdy (Author) Posted December 6, 2012
> wonder if the prior board was actually the compromised one. its not mentioned what the board or conversion time was but I wonder if thats what happened.
No it wasn't, it was many years ago. It was SMF.
Owdy (Author) Posted December 6, 2012
> Your server has been compromised, likely due to the issue we patched on November 6th. I recommend running the IP.Board security center tools to look for suspicious files and remove anything that does not belong. On the upside, as you have .htaccess protection in those directories, the files are not accessible, which is why you're seeing those error messages being logged (this is a good thing in this case).
Can I create a ticket for this? I have no idea what does belong there. That wizard says the most suspicious file is public_html/foorumi/public/style_emoticons/.htaccess, I doubt it.
Rhett Posted December 6, 2012
> Can i create ticket for this? I have no idea what does belong there. That wizard says most suspicous file is public_html/foorumi/public/style_emoticons/.htaccess , i boubt it.
We don't repair sites that have been hacked, but here is a guide you can use to clean this up.

If you have a recent backup our next support action is to recommend that you revert to that backup and apply the [url= 6th Security Patch to your board immediately.

If you do not have a recent backup, please look in the following directories for odd files, such as "zx.php" and "4d4098d64e163d2726959455d046fd7c.php".

- / (root directory)
- /cache/ (and child directories)
- /hooks/
- /uploads/

If you find any of the above, or similarly named files, in the above directories, please remove them.

To be sure that you have no hacked files left over, we recommend that you run the Security Tools located in the Security Center of your IP.Board AdminCP. You can find this under System > System > Security Center. The tools which you absolutely must run are the following:

- IP.Board Unauthorized File Checker
- IP.Board Executables Deep Scan
- Make "conf_global.php" Un-writable
- IP.Board PHP/CGI .htaccess Protection
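The directory check described in the guide above, as an added example that is not part of the thread and not one of the IP.Board Security Center tools. The name rule (a script whose base name is one or two characters, or exactly 32 hex characters) is an assumption generalized from the two file names quoted in the guide and from df.php; the function names and the demo tree are constructed.

```python
import os
import re
import tempfile

HEX32 = re.compile(r"^[0-9a-f]{32}$")
# Extensions taken from the .htaccess rule quoted earlier in the thread.
SCRIPT_EXT = {".php", ".cgi", ".pl", ".php3", ".php4", ".php5", ".php6",
              ".phtml", ".shtml"}


def odd_name(filename):
    """Assumed rule: script with a 1-2 character or 32-hex-digit base name."""
    stem, ext = os.path.splitext(filename.lower())
    return ext in SCRIPT_EXT and (len(stem) <= 2 or bool(HEX32.match(stem)))


def find_odd_files(board_root):
    """Return paths (relative to board_root) that deserve a manual look."""
    hits = []
    # Root directory: top level only.
    for name in os.listdir(board_root):
        if os.path.isfile(os.path.join(board_root, name)) and odd_name(name):
            hits.append(name)
    # cache/ with child directories; hooks/ and uploads/ are walked the same way.
    for sub in ("cache", "hooks", "uploads"):
        for dirpath, _dirs, files in os.walk(os.path.join(board_root, sub)):
            for name in files:
                if odd_name(name):
                    full = os.path.join(dirpath, name)
                    hits.append(os.path.relpath(full, board_root))
    return sorted(hits)


def demo():
    """Scan a constructed tree built in a temporary directory."""
    tree = ("index.php", "zx.php", "cache/df.php", "cache/globalCaches.php",
            "cache/skin_cache/4d4098d64e163d2726959455d046fd7c.php",
            "uploads/photo.jpg", "hooks/.htaccess")
    with tempfile.TemporaryDirectory() as root:
        for rel in tree:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return find_odd_files(root)


if __name__ == "__main__":
    for rel_path in demo():
        print("review:", rel_path)
```

A hit is only a file to inspect by hand or compare against a clean copy of the same IP.Board version; the name pattern does not prove the file is malicious, and a clean result does not prove the board is clean.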
Dmacleo Posted December 6, 2012
> No it wasnt, it was many years ago. It was SMF
gotcha, sounded like it may have been recent, which is why I was curious.
Owdy (Author) Posted December 6, 2012
Rhett, I have done all of those. Nothing found. All "suspicious" files are IPB's.