Thanks once again to sentinel, a recent attack was stopped.
Here goes the info:
Date & Time: 2006-11-13 23:01:02 WET GMT +0000
Blocked IP: 200.153.151.27
User ID: Visitante (1)
Reason: Abuse-Filter
--------------------
User Agent: Mozilla/3.0 (compatible; Indy Library)
Query String: www.euroindy.com/portal/modules.php?name=*****REMOVED*****
Get String: www.euroindy.com/portal/modules.php?name=*****REMOVED*****
Post String: www.euroindy.com/portal/modules.php
Forwarded For: none
Client IP: none
Remote Address: 200.153.151.27
Remote Port: 1165
Request Method: GET
I checked the command "*****REMOVED*****" and I saw a tool that defaces websites. It is hosted in this domain, which seems to be an honest domain: "*****REMOVED*****"
What can we do more?
I hope this info was useful. It seems this defacing tool is targeting (mainly) phpnuke websites.
phpnuke-hosting Support Mod
Joined: Oct 19, 2004
Posts: 1032
Location: UK
Posted: Mon Nov 13, 2006 5:28 pm
I have removed several links you put in your post.
They link to a Trojan for the defacing tool, this is not a wise thing to post in PHP-Nuke Forums.
Nothing can really be done about this, although I am about to take a look at the code for the tool and see if there are any unknown exploits this is targeting.
I will report back with my findings in due course; in the meantime, if sentinel is blocking it then it's doing its job.
Keep your sentinel and phpnuke up-to-date and patched.
Report to the site hosting the file, as well as the ISP of the offending IP. Maybe they will do something, maybe not. At best, they have not been notified yet; your message will get them to remove it. At worst, they do nothing.
There have been a flood of attacks against many PHP scripts. Indy-library is just one of the methods.
If you could, PM me the details as well.
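As an added example (not part of either post, and not Sentinel's own code), here is a small Python scanner that looks through Apache combined-format access log lines for the pattern the Sentinel report above shows: requests to PHP-Nuke's modules.php carrying the "Indy Library" user agent, tallied per source IP. The log lines are constructed for the example; only the IP, path and user agent come from the report.

```python
import re
from collections import Counter

# Apache "combined" log format: ip ident user [ts] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-agent substrings typical of scripted clients; "Indy Library" is the one
# in the Sentinel report. Extend this tuple as new agents show up in your logs.
SUSPECT_UA = ("indy library",)
# PHP-Nuke's front controller; module names are passed through ?name=
NUKE_PATH = re.compile(r"/modules\.php(\?|$)")


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_suspect(rec):
    """True when a scripted user agent is hitting modules.php."""
    ua = rec["ua"].lower()
    return any(s in ua for s in SUSPECT_UA) and bool(NUKE_PATH.search(rec["path"]))


def scan(lines):
    """Return {source_ip: hit_count} for lines matching the suspect pattern."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspect(rec):
            hits[rec["ip"]] += 1
    return dict(hits)


# Constructed sample log: two scripted hits from the reported IP, one normal
# browser visit, and one Indy Library request that is not aimed at modules.php.
SAMPLE_LOG = [
    '200.153.151.27 - - [13/Nov/2006:23:01:02 +0000] "GET /portal/modules.php?name=News HTTP/1.0" 403 0 "-" "Mozilla/3.0 (compatible; Indy Library)"',
    '200.153.151.27 - - [13/Nov/2006:23:01:03 +0000] "GET /portal/modules.php?name=Search HTTP/1.0" 403 0 "-" "Mozilla/3.0 (compatible; Indy Library)"',
    '192.0.2.10 - - [13/Nov/2006:23:02:10 +0000] "GET /portal/modules.php?name=News HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0"',
    '198.51.100.7 - - [13/Nov/2006:23:03:44 +0000] "GET /index.php HTTP/1.0" 200 812 "-" "Mozilla/3.0 (compatible; Indy Library)"',
]

if __name__ == "__main__":
    for ip, n in scan(SAMPLE_LOG).items():
        print(f"{ip}: {n} suspect request(s)")
```

A single Indy Library user agent is not proof of anything by itself, so the per-IP count is there to separate a burst of automated probing from a stray hit.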