vb.org Archive - Major Additions - ibProArcade

I'm frustrated on reporting of a potential bug and yet nothing is coming up. I manually checked every single log and the only thing the person was accessing was arcade.php (The latest) and was able to forcefully reset the password of my account and obtain the required hash to reset it further.

Now, unless the are able to read the configuration of my admin panel and obtain my sendgrid information then that too is possible but once again it came from arcade.php.

Normal access logs

Code:

root@dmca [/home/domain/access-logs]# cat forum.domain.com | grep arcade.php

65.55.52.108 - - [26/Jan/2013:08:25:20 +0000] "GET /arcade.php?do=stats&gameid=10 HTTP/1.1" 301 26 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

121.97.10.2 - - [26/Jan/2013:08:44:20 +0000] "GET /arcade.php HTTP/1.1" 301 26 "http://forum.domain.com/f198/ad-stormgamingnetwork-season-6-ep3-906484/" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19"

121.97.10.2 - - [26/Jan/2013:08:44:33 +0000] "GET /arcade.php HTTP/1.1" 301 26 "http://forum.domain.com/" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19"

121.97.10.2 - - [26/Jan/2013:08:44:54 +0000] "GET /arcade.php HTTP/1.1" 301 26 "http://forum.domain.com/" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19"

199.21.99.68 - - [26/Jan/2013:08:57:43 +0000] "GET /arcade.php HTTP/1.1" 301 26 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"

223.205.88.20 - - [26/Jan/2013:09:14:37 +0000] "GET /arcade.php HTTP/1.1" 301 26 "-" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)"

157.55.32.166 - - [26/Jan/2013:10:10:14 +0000] "GET /arcade.php?act=Arcade&gsearch=D&search_type=1 HTTP/1.1" 301 26 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

65.55.52.108 - - [26/Jan/2013:10:10:42 +0000] "GET /arcade.php?act=Arcade&module=report&user=204668 HTTP/1.1" 301 26 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

157.55.33.19 - - [26/Jan/2013:10:11:28 +0000] "GET /arcade.php HTTP/1.1" 301 26 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

157.55.33.19 - - [26/Jan/2013:10:11:29 +0000] "GET /arcade.php?act=Arcade&do=stats&gameid=4&st=5 HTTP/1.1" 301 26 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

157.55.35.46 - - [26/Jan/2013:10:23:04 +0000] "GET /arcade.php?do=viewtourney&tid=19 HTTP/1.1" 301 26 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

157.55.34.180 - - [26/Jan/2013:10:35:07 +0000] "GET /arcade.php?act=Arcade&module=report&user=75275 HTTP/1.1" 301 26 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

101.85.124.208 - - [26/Jan/2013:10:37:30 +0000] "GET /arcade.php HTTP/1.1" 301 26 "http://forum.domain.com/usercp.php" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.84 Safari/535.11 LBBROWSER"

49.176.40.15 - - [26/Jan/2013:10:43:22 +0000] "GET /arcade.php HTTP/1.1" 301 26 "http://forum.domain.com/f609/2-phoenix-license-premium-minecraft-880505/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.56 Safari/537.17"

65.55.24.245 - - [26/Jan/2013:11:58:57 +0000] "GET /arcade.php?act=Arcade&module=report&user=1333375530 HTTP/1.1" 301 26 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

41.205.96.246 - - [26/Jan/2013:12:43:30 +0000] "GET /arcade.php HTTP/1.1" 301 26 "http://forum.domain.com/" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1"

119.193.46.37 - - [26/Jan/2013:12:49:59 +0000] "GET /arcade.php HTTP/1.1" 301 26 "http://forum.domain.com/raffles.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.56 Safari/537.17"

87.206.99.56 - - [26/Jan/2013:12:59:55 +0000] "GET /arcade.php HTTP/1.1" 301 26 "-" "Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.56 Safari/537.17"

111.125.84.42 - - [26/Jan/2013:13:35:42 +0000] "GET /arcade.php HTTP/1.1" 301 26 "http://forum.domain.com/f269/" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.52 Safari/537.17"

157.55.35.32 - - [26/Jan/2013:14:05:47 +0000] "GET /arcade.php?act=Arcade&do=play&gameid=121 HTTP/1.1" 301 26 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

27.99.19.136 - - [26/Jan/2013:14:10:59 +0000] "GET /arcade.php HTTP/1.1" 301 26 "http://forum.domain.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.56 Safari/537.17"

27.99.19.136 - - [26/Jan/2013:14:11:02 +0000] "GET /arcade.php HTTP/1.1" 301 26 "http://forum.domain.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.56 Safari/537.17"

157.55.35.46 - - [26/Jan/2013:14:45:02 +0000] "GET /arcade.php?do=play&gameid=14 HTTP/1.1" 301 26 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

207.237.54.38 - - [26/Jan/2013:15:35:25 +0000] "GET /arcade.php?do=stats&gameid=104 HTTP/1.1" 301 26 "http://forum.domain.com/private.php?do=showpm&pmid=1763182" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.56 Safari/537.17"

207.237.54.38 - - [26/Jan/2013:15:35:31 +0000] "GET /arcade.php HTTP/1.1" 301 26 "http://forum.domain.com/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.56 Safari/537.17"

207.237.54.38 - - [26/Jan/2013:15:35:35 +0000] "GET /arcade.php HTTP/1.1" 301 26 "http://forum.domain.com/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.56 Safari/537.17"

root@dmca [/home/domain/access-logs]#

person who conducted the exploit

Code:

root@dmca [/home/domain/access-logs]# cat forum.domain.com | grep 91.236.116.142





91.236.116.142 - - [21/Jan/2013:17:13:46 +0000] "GET / HTTP/1.1" 200 11488 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [21/Jan/2013:17:14:22 +0000] "GET /register.php HTTP/1.1" 200 10000 "http://forum.domain.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [21/Jan/2013:17:14:28 +0000] "GET /clientscript/vbulletin_css/style00115l/register.css?d=1358021545 HTTP/1.1" 200 338 "http://forum.domain.com/register.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [21/Jan/2013:17:14:34 +0000] "GET /login.php HTTP/1.1" 303 26 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [21/Jan/2013:17:14:39 +0000] "GET /index.php HTTP/1.1" 200 11494 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [21/Jan/2013:17:14:45 +0000] "GET /f71/ HTTP/1.1" 200 13247 "http://forum.domain.com/index.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [21/Jan/2013:17:14:50 +0000] "GET /f71/forum-rules-101410/ HTTP/1.1" 200 12843 "http://forum.domain.com/f71/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [21/Jan/2013:17:14:50 +0000] "GET /f71/forum-rules-101410/images/styles/AnimatedArena/style_blue/loginButton.gif HTTP/1.1" 404 40 "http://forum.domain.com/f71/forum-rules-101410/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [21/Jan/2013:17:14:50 +0000] "GET /f71/forum-rules-101410/images/styles/AnimatedArena/style_blue/footerLogo.png HTTP/1.1" 404 40 "http://forum.domain.com/f71/forum-rules-101410/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [21/Jan/2013:17:14:51 +0000] "GET /f71/forum-rules-101410/images/styles/AnimatedArena/style/logo_blue.png HTTP/1.1" 404 40 "http://forum.domain.com/f71/forum-rules-101410/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [21/Jan/2013:17:14:59 +0000] "GET /usercp.php HTTP/1.1" 200 6749 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [21/Jan/2013:17:15:07 +0000] "POST /login.php?do=login HTTP/1.1" 200 6594 "http://forum.domain.com/usercp.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [21/Jan/2013:17:15:12 +0000] "GET /login.php?do=lostpw HTTP/1.1" 200 6619 "http://forum.domain.com/login.php?do=login" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [21/Jan/2013:17:30:02 +0000] "GET /usercp.php HTTP/1.1" 200 6782 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [21/Jan/2013:17:30:04 +0000] "GET /cron.php?rand=1358789402 HTTP/1.1" 200 43 "http://forum.domain.com/usercp.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [21/Jan/2013:17:30:37 +0000] "POST /login.php?do=login HTTP/1.1" 200 2365 "http://forum.domain.com/usercp.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [21/Jan/2013:17:30:41 +0000] "GET /usercp.php HTTP/1.1" 200 6868 "http://forum.domain.com/login.php?do=login" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [21/Jan/2013:17:31:01 +0000] "GET / HTTP/1.1" 200 6398 "http://forum.domain.com/usercp.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [21/Jan/2013:17:32:39 +0000] "GET / HTTP/1.1" 200 11489 "http://forum.domain.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [21/Jan/2013:17:32:49 +0000] "GET /usercp.php HTTP/1.1" 200 6749 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [21/Jan/2013:17:33:06 +0000] "POST /login.php?do=login HTTP/1.1" 200 6244 "http://forum.domain.com/usercp.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [21/Jan/2013:17:33:14 +0000] "GET / HTTP/1.1" 200 11488 "http://forum.domain.com/login.php?do=login" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [21/Jan/2013:17:33:08 +0000] "GET /login.php?do=lostpw HTTP/1.1" 200 6618 "http://forum.domain.com/login.php?do=login" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [21/Jan/2013:17:34:17 +0000] "GET /arcade.php?do=pnFStoreScore HTTP/1.1" 200 666 "http://forum.domain.com/arcade.php?do=pnFStoreScore" "Mozilla/5.0"

91.236.116.142 - - [21/Jan/2013:17:34:17 +0000] "GET /arcade.php?do=pnFStoreScore HTTP/1.1" 200 623 "http://forum.domain.com/arcade.php?do=pnFStoreScore" "Mozilla/5.0"

91.236.116.142 - - [21/Jan/2013:17:34:24 +0000] "POST /login.php?do=emailpassword HTTP/1.1" 200 2403 "http://forum.domain.com/login.php?do=lostpw" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [21/Jan/2013:17:34:27 +0000] "GET /login.php?do=login HTTP/1.1" 303 26 "http://forum.domain.com/login.php?do=emailpassword" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [21/Jan/2013:17:34:27 +0000] "GET /index.php HTTP/1.1" 200 11494 "http://forum.domain.com/login.php?do=emailpassword" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [21/Jan/2013:17:36:13 +0000] "GET /arcade.php?do=pnFStoreScore HTTP/1.1" 200 665 "http://forum.domain.com/arcade.php?do=pnFStoreScore" "Mozilla/5.0"

91.236.116.142 - - [21/Jan/2013:17:36:13 +0000] "GET /arcade.php?do=pnFStoreScore HTTP/1.1" 200 659 "http://forum.domain.com/arcade.php?do=pnFStoreScore" "Mozilla/5.0"

91.236.116.142 - - [21/Jan/2013:17:36:18 +0000] "GET /login.php?do=resetpassword&u=1&i=8e3849c72ee420c426fea00f50947f226aabf1f6 HTTP/1.1" 200 6381 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [21/Jan/2013:17:36:46 +0000] "GET /arcade.php?do=pnFStoreScore HTTP/1.1" 200 667 "http://forum.domain.com/arcade.php?do=pnFStoreScore" "Mozilla/5.0"

91.236.116.142 - - [21/Jan/2013:17:36:46 +0000] "GET /arcade.php?do=pnFStoreScore HTTP/1.1" 200 648 "http://forum.domain.com/arcade.php?do=pnFStoreScore" "Mozilla/5.0"

Following day I removed the file and person tried again

Code:

root@dmca [/home/domain/access-logs]# cat forum.domain.com | grep "91.236.116.142"

91.236.116.142 - - [23/Jan/2013:14:19:47 +0000] "GET /arcade.php?do=pnFStoreScore HTTP/1.1" 301 26 "http://forum.domain.com/arcade.php?do=pnFStoreScore" "Mozilla/5.0"

91.236.116.142 - - [23/Jan/2013:14:19:48 +0000] "GET / HTTP/1.1" 200 11391 "http://forum.domain.com/arcade.php?do=pnFStoreScore" "Mozilla/5.0"

91.236.116.142 - - [23/Jan/2013:14:20:08 +0000] "GET /arcade.php HTTP/1.1" 301 26 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [23/Jan/2013:14:20:08 +0000] "GET / HTTP/1.1" 200 11454 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [23/Jan/2013:14:20:10 +0000] "GET /arcade.php HTTP/1.1" 301 26 "http://forum.domain.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [23/Jan/2013:14:20:11 +0000] "GET / HTTP/1.1" 200 11454 "http://forum.domain.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [23/Jan/2013:14:20:19 +0000] "GET /f71/ HTTP/1.1" 200 13239 "http://forum.domain.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [23/Jan/2013:14:20:29 +0000] "GET /arcade.php HTTP/1.1" 301 26 "http://forum.domain.com/f71/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [23/Jan/2013:14:20:29 +0000] "GET / HTTP/1.1" 200 11457 "http://forum.domain.com/f71/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [23/Jan/2013:14:20:35 +0000] "GET /raffles.php HTTP/1.1" 200 6823 "http://forum.domain.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [23/Jan/2013:14:20:56 +0000] "HEAD /arcade.php HTTP/1.1" 301 0 "-" "curl/7.26.0"

91.236.116.142 - - [23/Jan/2013:14:21:03 +0000] "HEAD /afds.php HTTP/1.1" 301 0 "-" "curl/7.26.0"

91.236.116.142 - - [23/Jan/2013:15:30:05 +0000] "GET /arcade.php HTTP/1.1" 301 26 "http://forum.domain.com/raffles.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [23/Jan/2013:15:30:05 +0000] "GET / HTTP/1.1" 200 11464 "http://forum.domain.com/raffles.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

root@dmca [/home/domain/access-logs]#

The important part;

Code:

91.236.116.142 - - [21/Jan/2013:17:33:08 +0000] "GET /login.php?do=lostpw HTTP/1.1" 200 6618 "http://forum.domain.com/login.php?do=login" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [21/Jan/2013:17:34:17 +0000] "GET /arcade.php?do=pnFStoreScore HTTP/1.1" 200 666 "http://forum.domain.com/arcade.php?do=pnFStoreScore" "Mozilla/5.0"

91.236.116.142 - - [21/Jan/2013:17:34:17 +0000] "GET /arcade.php?do=pnFStoreScore HTTP/1.1" 200 623 "http://forum.domain.com/arcade.php?do=pnFStoreScore" "Mozilla/5.0"

91.236.116.142 - - [21/Jan/2013:17:34:24 +0000] "POST /login.php?do=emailpassword HTTP/1.1" 200 2403 "http://forum.domain.com/login.php?do=lostpw" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [21/Jan/2013:17:34:27 +0000] "GET /login.php?do=login HTTP/1.1" 303 26 "http://forum.domain.com/login.php?do=emailpassword" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [21/Jan/2013:17:34:27 +0000] "GET /index.php HTTP/1.1" 200 11494 "http://forum.domain.com/login.php?do=emailpassword" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [21/Jan/2013:17:36:13 +0000] "GET /arcade.php?do=pnFStoreScore HTTP/1.1" 200 665 "http://forum.domain.com/arcade.php?do=pnFStoreScore" "Mozilla/5.0"

91.236.116.142 - - [21/Jan/2013:17:36:13 +0000] "GET /arcade.php?do=pnFStoreScore HTTP/1.1" 200 659 "http://forum.domain.com/arcade.php?do=pnFStoreScore" "Mozilla/5.0"

91.236.116.142 - - [21/Jan/2013:17:36:18 +0000] "GET /login.php?do=resetpassword&u=1&i=8e3849c72ee420c426fea00f50947f226aabf1f6 HTTP/1.1" 200 6381 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [21/Jan/2013:17:36:46 +0000] "GET /arcade.php?do=pnFStoreScore HTTP/1.1" 200 667 "http://forum.domain.com/arcade.php?do=pnFStoreScore" "Mozilla/5.0"

91.236.116.142 - - [21/Jan/2013:17:36:46 +0000] "GET /arcade.php?do=pnFStoreScore HTTP/1.1" 200 648 "http://forum.domain.com/arcade.php?do=pnFStoreScore" "Mozilla/5.0"

91.236.116.142 - - [21/Jan/2013:17:36:18 +0000] "GET /login.php?do=resetpassword&u=1&i=8e3849c72ee420c42 6fea00f50947f226aabf1f6 HTTP/1.1" 200 6381 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

Filename was missing so they attempted to access a random php file to see if was an error on their part but they of course realised it was deleted.
To me, this is frustrating.

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.11824 seconds Memory Usage 1,844KB Queries Executed 10 (?)
More Information
Template Usage: (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (4)bbcode_code_printable (2)bbcode_quote_printable (1)footer (1)gobutton (1)header (1)headinclude (6)option (1)pagenav (1)pagenav_curpage (4)pagenav_pagelink (6)pagenav_pagelinkrel (1)post_thanks_navbar_search (1)printthread (10)printthreadbit (1)spacer_close (1)spacer_open Phrase Groups Available: global postbit showthread	Included Files: ./printthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/class_bbcode_alt.php ./includes/class_bbcode.php ./includes/functions_bigthree.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete printthread_start pagenav_page pagenav_complete bbcode_fetch_tags bbcode_create bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete printthread_post printthread_complete
Messages: