CentOS – has the server been hacked? (w00tw00t.at.ISC.SANS.DFind)

apache-2.2, centos, hacking

I'm quite sure my server's been hacked. I'm seeing these entries in my access log as the last two before a series of 500 error messages. It's related to the DB, but I haven't found the exact error yet. I'm still trying to figure out what it means. Can anyone help me out?

208.90.56.152 - - [16/Jun/2011:16:18:04 +0000] "GET / HTTP/1.1" 200 3011 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"

69.162.74.102 - - [16/Jun/2011:16:25:00 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 315 "-" "-"

Update

OK, on further investigation, for some reason the MySQL service was shut down. I restarted it, and everything LOOKS normal. No data's missing, but I'm really not feeling well over the spook of those weird entries. How can I check if someone's been inside my system?

In my MySQL log I see these lines. How do they relate to what has happened?

Version: '5.0.77'  socket: '/var/lib/mysql/mysql.sock'  port: 3306  Source distribution
110616 17:34:20 [Note] /usr/libexec/mysqld: Normal shutdown

110616 17:34:20  InnoDB: Starting shutdown...
110616 17:34:21  InnoDB: Shutdown completed; log sequence number 0 2054508
110616 17:34:21 [Note] /usr/libexec/mysqld: Shutdown complete

110616 17:34:21  mysqld ended

Best Answer

The DFind scan is just that, a scan, and doesn't indicate a breach; you'll see it all the time if you're watching. See here.

That's a graceful MySQL shutdown, which may warrant further investigation, but isn't terribly suspicious on its own.
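A small triage script for the two log excerpts in the question, added here as an example (it is not part of the original post or the answer). It parses the Apache combined-format lines, separates the DFind probe from ordinary traffic, and classifies the MySQL error-log lines as a graceful shutdown or a crash. The access-log lines are copied from the question; the extra access-log lines and the crash-case MySQL lines are constructed for the example and marked as such.

```python
"""Triage the two log excerpts: is the DFind hit a scan or a breach indicator,
and was the MySQL shutdown graceful?  Added example, not from the original
post.  Sample lines are copied from the question or constructed (marked)."""
import re
from collections import Counter
from datetime import datetime

# Apache combined log format, the format of the lines quoted in the question.
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The DFind scanner announces itself with this string in the request line.
DFIND_MARKER = "w00tw00t.at.ISC.SANS.DFind"

ACCESS_LOG = [
    # the two lines from the question
    '208.90.56.152 - - [16/Jun/2011:16:18:04 +0000] "GET / HTTP/1.1" 200 3011 "-" '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"',
    '69.162.74.102 - - [16/Jun/2011:16:25:00 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 315 "-" "-"',
    # constructed: the same scanner coming back later
    '69.162.74.102 - - [17/Jun/2011:03:10:41 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 315 "-" "-"',
    # constructed: an ordinary request that produced one of the 500s
    '208.90.56.152 - - [16/Jun/2011:16:26:12 +0000] "GET /index.php HTTP/1.1" 500 612 "-" "Mozilla/5.0"',
]


def parse_apache(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def triage_access_log(lines):
    """Separate DFind probes from the rest and summarise both.

    A DFind probe answered with 400 is Apache rejecting the scanner's request
    (HTTP/1.1 with no Host header); nothing was served.  Even a probe answered
    with 2xx is only a scan result, not evidence of a compromise; the 500s on
    ordinary requests are the thing to chase (here, the stopped database).
    """
    probes, others = [], []
    for line in lines:
        rec = parse_apache(line)
        if rec is None:
            continue
        (probes if DFIND_MARKER in rec["req"] else others).append(rec)
    return {
        "dfind_hits": len(probes),
        "dfind_sources": Counter(r["ip"] for r in probes),
        "dfind_served_2xx": sum(1 for r in probes if 200 <= r["status"] < 300),
        "server_errors": [(r["ts"].isoformat(), r["ip"], r["req"])
                          for r in others if r["status"] >= 500],
    }


# MySQL 5.0 error-log timestamp: YYMMDD HH:MM:SS in the server's local time.
# Note it carries no zone, while the access log is +0000, so the two cannot be
# lined up without knowing the box's timezone.
MYSQL_TS_RE = re.compile(r"^(\d{6}) +(\d{1,2}:\d{2}:\d{2}) ")

MYSQL_LOG_GRACEFUL = [  # the lines from the question
    "110616 17:34:20 [Note] /usr/libexec/mysqld: Normal shutdown",
    "110616 17:34:20  InnoDB: Starting shutdown...",
    "110616 17:34:21  InnoDB: Shutdown completed; log sequence number 0 2054508",
    "110616 17:34:21 [Note] /usr/libexec/mysqld: Shutdown complete",
    "110616 17:34:21  mysqld ended",
]
MYSQL_LOG_CRASH = [  # constructed: what a signal death looks like instead
    "110616 17:34:20  mysqld got signal 11;",
    "110616 17:34:21  mysqld restarted",
]


def classify_mysql_stop(lines):
    """Return ("graceful", ts) for a clean shutdown, ("crash", ts) when mysqld
    reports dying on a signal, or ("unknown", None) if neither marker appears."""
    for line in lines:
        m = MYSQL_TS_RE.match(line)
        ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%y%m%d %H:%M:%S") if m else None
        if "Normal shutdown" in line:
            return "graceful", ts
        if "got signal" in line:
            return "crash", ts
    return "unknown", None


if __name__ == "__main__":
    print(triage_access_log(ACCESS_LOG))
    print(classify_mysql_stop(MYSQL_LOG_GRACEFUL), classify_mysql_stop(MYSQL_LOG_CRASH))
```

On the question's own lines this reports two DFind hits from one source, none of them served, and one 500 on a normal request, with the MySQL stop classified as graceful. A "Normal shutdown" is what `mysqladmin shutdown`, the init script, or a signal handled cleanly by mysqld writes; who or what issued it is the remaining question, and the web-server log cannot answer it.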
