Ravens PHP Scripts: Forums

Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
dkrager (New Member; Joined: Jun 16, 2005; Posts: 22; Location: San Diego CA)
Posted: Wed May 24, 2006 8:22 pm

Hi all,

Recently my site got hit by one of those automated scripts that plants spam in the comments section of news stories. Not a huge problem, I installed a random graphical code mod to the comments section and that seems to have resolved the issue. I'm mostly posting this out of curiosity hoping someone might be able to point me to a resource to better understand what exactly is being run against my site.

I run a dedicated RHE 3 / Apache 1.3 server with PHP-Nuke 7.6 Chatserv patches, Sentinel and the Protector system.

Essentially the way this went down is that someone registered on the site and then later unleashed this bot that was making the posts to the comments of news articles under that user ID. Where things start to look weird is when going to the locate panel in the Protector system: there were zero hits when you search by user ID, but when you search by IP address it shows the user as being anonymous. I don't allow anonymous posts to the comments section. Additionally, it appears this script uses 6 different IP addresses that it cycles through, which tells me that somehow they are spoofing both the IP and the user ID. Each one of the posts had a random quote at the end.

When I put in the graphical code mod I also changed the password on the account in question but that didn't seem to make a difference. Every day I see the user id in the who's online block and now it almost seems stuck on the site for hours. Could they be doing something with cookies or session id's to get past the login?

When viewing the raw access logs it reveals a whole lot of nothing except the HTTP protocol is different on some of the entries. Distributed? More spoofing? I don't know.

202.58.86.3 - - [24/May/2006:20:46:44 +0000] "POST /modules.php?name=News&file=comments HTTP/1.0" 200 18741 "-" "-"
200.142.202.140 - - [24/May/2006:20:47:30 +0000] "POST /modules.php?name=News&file=comments HTTP/1.1" 200 18851 "-" "-"
217.17.197.195 - - [24/May/2006:20:59:34 +0000] "POST /modules.php?name=News&file=comments HTTP/1.1" 200 19278 "-" "-"
128.131.95.16 - - [24/May/2006:20:59:57 +0000] "POST /modules.php?name=News&file=comments HTTP/1.1" 200 19305 "-" "-"
199.104.191.20 - - [24/May/2006:21:00:16 +0000] "POST /modules.php?name=News&file=comments HTTP/1.0" 200 19220 "-" "-"
85.25.139.186 - - [24/May/2006:21:13:14 +0000] "POST /modules.php?name=News&file=comments HTTP/1.1" 200 18953 "-" "-"

As I said, the graphical code pretty much resolved the issue and I will probably blow away the user account. I’m just curious if this is some well-known exploit and I missed installing a patch somewhere along the line.

Any advice would be appreciated.

Thanks,

Dave
 
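An added example, not code from the post above or from PHP-Nuke, that runs the pattern dkrager describes over the six access-log lines quoted in the post plus two constructed control lines: POSTs to the comments handler with both Referer and User-Agent empty, arriving from several source addresses inside one short window. The 30-minute window and the three-address threshold are assumptions made for this example. One caveat on the spoofing question: a completed POST needs a full TCP handshake, so the source address of a logged request cannot simply be forged; a rotating set like this normally means open proxies or several compromised hosts, not spoofed packets.

```python
"""Spot comment-spam bursts in Apache combined-log lines.

Added example, not code from the post or from PHP-Nuke. It flags POSTs to the
PHP-Nuke comments handler that carry neither Referer nor User-Agent and arrive
from several source IPs inside one time window. The six sample lines are the
ones quoted in the post; the two 192.0.2.x control lines, the 30-minute window
and the three-IP threshold are assumptions made for this example.
"""
import re
from datetime import datetime, timedelta

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SAMPLE_LOG = """\
202.58.86.3 - - [24/May/2006:20:46:44 +0000] "POST /modules.php?name=News&file=comments HTTP/1.0" 200 18741 "-" "-"
200.142.202.140 - - [24/May/2006:20:47:30 +0000] "POST /modules.php?name=News&file=comments HTTP/1.1" 200 18851 "-" "-"
217.17.197.195 - - [24/May/2006:20:59:34 +0000] "POST /modules.php?name=News&file=comments HTTP/1.1" 200 19278 "-" "-"
128.131.95.16 - - [24/May/2006:20:59:57 +0000] "POST /modules.php?name=News&file=comments HTTP/1.1" 200 19305 "-" "-"
199.104.191.20 - - [24/May/2006:21:00:16 +0000] "POST /modules.php?name=News&file=comments HTTP/1.0" 200 19220 "-" "-"
85.25.139.186 - - [24/May/2006:21:13:14 +0000] "POST /modules.php?name=News&file=comments HTTP/1.1" 200 18953 "-" "-"
192.0.2.10 - - [24/May/2006:21:05:02 +0000] "POST /modules.php?name=News&file=comments HTTP/1.1" 200 19001 "http://example.org/modules.php?name=News&file=article&sid=63" "Mozilla/5.0 (constructed control line)"
192.0.2.11 - - [24/May/2006:21:06:40 +0000] "GET /modules.php?name=News&file=article&sid=63 HTTP/1.1" 200 24110 "-" "Mozilla/5.0 (constructed control line)"
"""


def parse_line(line):
    """Return a dict for one combined-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_headless_comment_post(rec):
    """A comment POST with no Referer and no User-Agent: a browser never sends this."""
    return (rec["method"] == "POST"
            and "file=comments" in rec["path"]
            and rec["referer"] == "-"
            and rec["ua"] == "-")


def find_spam_bursts(lines, window=timedelta(minutes=30), min_ips=3):
    """Group headless comment POSTs into time windows; report windows with >= min_ips sources."""
    recs = [r for r in map(parse_line, lines) if r and is_headless_comment_post(r)]
    recs.sort(key=lambda r: r["ts"])
    bursts = []
    i = 0
    while i < len(recs):
        j = i
        while j + 1 < len(recs) and recs[j + 1]["ts"] - recs[i]["ts"] <= window:
            j += 1
        group = recs[i:j + 1]
        ips = sorted({r["ip"] for r in group})
        if len(ips) >= min_ips:
            bursts.append({
                "start": group[0]["ts"].isoformat(),
                "end": group[-1]["ts"].isoformat(),
                "ips": ips,
                # Mixed 1.0/1.1 inside one burst hints at proxies, not one client.
                "protocols": sorted({r["proto"] for r in group}),
            })
        i = j + 1
    return bursts


def analyse(log_text=SAMPLE_LOG):
    """Run the detector over a block of log text."""
    return find_spam_bursts(log_text.splitlines())


if __name__ == "__main__":
    for b in analyse():
        print(f"{b['start']} .. {b['end']}: {len(b['ips'])} IPs, protocols {b['protocols']}")
        for ip in b["ips"]:
            print("   ", ip)
```

On the sample data the six quoted lines fall into one burst (26 minutes, six addresses, both HTTP versions); the two control lines are left alone because they carry a Referer or a User-Agent. Feed it `tail -f`'d lines and it becomes a cheap candidate list for the Sentinel IP ban table.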
FiLiUsEvAe (Hangin' Around; Joined: Nov 24, 2005; Posts: 36; Location: Netherlands)
Posted: Thu May 25, 2006 3:19 am

I have the same issue on my site, banned all the proxies (it seems to run on proxies) and deleted the "user". It/he/she had to sign up first to get through. So I hope it'll be fixed now. Also put the hackattempt script on my site.
It only spams in the comments so far. Mainly pretty annoying. The thing signed up under the nick "ivorybruno".

The more drastic thing I could do is of course totally lock down the site and let signups go through admin ... this wouldn't be my choice to run a site. I prefer nice and easy over keys, lockdowns, approvals and other security crap. Just looking at this spam idiot leaves me no choice.
 
FiLiUsEvAe
Posted: Thu May 25, 2006 3:27 am

Just a little thinking ... Sentinel offers a thingy to block proxies. This isn't set in the main setup of Raven's distros. I know some ISPs with plain honest people come in through a proxy as well.

If I'd set sentinel to block all proxies would it block the fair ones as well or do they come in through some other kind of proxy?
 
VinDSL (Life Cycles Becoming CPU Cycles; Joined: Jul 11, 2004; Posts: 614; Location: Arizona (USA); Admin: NukeCops.com, Disipal Designs, Lenon.com)
Posted: Thu May 25, 2006 3:50 am

Hrm... interesting!

I checked that first IP, and they've been on my site 47 times, trying to crack my ODP module!

So, I suppose the prudent action would be to ban all those IPs...

FiLiUsEvAe
Posted: Thu May 25, 2006 3:58 am

Ban all those IPs ... it uses a different one every time it comes in so we'd be busy for ages doing that

Anyways this is the IP list of the same bugger that hit my site
Code:
124.32.181.83

128.131.95.16
211.247.52.125
213.140.226.171
217.17.197.195
61.36.168.136
69.94.129.57
212.18.63.121
199.104.191.20
200.122.154.136


As you can see, the same IPs that hit dkrager and you. But tomorrow it'll have 10 new IPs.
 
VinDSL
Posted: Thu May 25, 2006 4:24 am

I checked the third IP down in that list, and they tried (once) to crack my Bandwidth Meter.

I dunno... looking at the strings they used, it appears they're simply on a fishing expedition. Maybe they just got lucky on your site!

To answer your question directly, no, I don't think there is any 'well-known exploit' involved, but I only tracked a couple of IPs on my site.

It looks like they're simply trying to trip up PHP-Nuke by inserting nonsense in the address bar. Might be a bot, but who knows? I doubt it...

*Edit* I checked the fifth IP and they pulled three 404's in a row -- so they aren't too swift!

*Edit2* That last IP turned up 451 hits on my ODP module -- all legit. Probably a harvester -- but using an open web proxy, which is suspicious...
 
FiLiUsEvAe
Posted: Thu May 25, 2006 4:41 am

Since it had to sign up to spam my article comments I could watch it for a day or two. It's not totally overloading the site with crap. It spams 2 or 3 comments under a different IP every time. Makes me wonder ... is he doing all that manually all day long? Dang, what a crap job that would be.

I checked sentinel and the tracked IP's and it only gives 1 to 3 hits per IP. Seems a bit sneaky ... I mean if you see 2000 hits of an IP you'll check it out right away.

For me it's quite easy to watch it since my site is in Dutch and IPs from countries other than NL or BE draw my attention immediately.
 
VinDSL
Posted: Thu May 25, 2006 4:50 am

Yeah, it's hard to say what's going on. However, it would be interesting to see what they're using to get into your comments! I would guess some sort of sql injection, but nothing I've heard of.
 
FiLiUsEvAe
Posted: Thu May 25, 2006 5:07 am

Well, that's an easy question lol. It signed up to comment on articles. This is the crap it spams (note: I replaced the spam words with "stuff") and as you can see it always ends with a random quote.

Code:
INSERT INTO nuke_nsnst_tracked_ips VALUES (10543,'69.94.129.57','',15,'ivorybruno','none',1148380452,'/modules.php?subject=order stuff&comment=<a href=\\"http://stuff.src21.net/\\">stuff</a> - stuff<a href=\\"http://stuff.src21.net/\\">stuff</a> - stuff<a href=\\"http://stuff.src21.net/stuff/\\">stuff</a> - stuff<a href=\\"http://stuff.src21.net/stuff/\\">stuff online</a> - stuff online<a href=\\"http://stuff.src21.net/stuff/\\">buy stuff</a> - buy stuff<a href=\\"http://stuff.src21.net/stuff/\\">stuff</a>\nSwerve me?  The path to my fixed purpose is laid with iron rails,\nwhereon my soul is grooved to run.  Over unsounded gorges, through\nthe rifled hearts of mountains, under torrents\\\' beds, unerringly I rush!\n      -- Captain Ahab, \\"Moby Dick\\"\n&sid=1&op=Ok!','69.94.129.57','none','69.94.129.57','44609','POST','00');


This is from my database since I backed that one up and check to see if it did more than just that. The rest I already deleted of course!

And this is from sentinel tracking:

Code:
http://www.xiffa.nl/modules.php?username=sayContent-Type: multipart/alternative; boundary=0fbf4ac113d1614acd60ccdf672f4438MIME-Version: 1.0Subject: become a manufactory the brokenbcc: [ Only registered users can see links on this board! Get registered or login! ] is a multi-part message in MIME format.--0fbf4ac113d1614acd60ccdf672f4438Content-Type: text/plain; charset=\"us-ascii\"MIME-Version: 1.0Content-Transfer-Encoding: 7bitcould not comprehend myself thought it must be my imagination. became quite fainthearted, denied my own hearing, and said, o, have only dreamed and commenced reckoning and counting to employ my mind but that did no good, and it nearly--0fbf4ac113d1614acd60ccdf672f4438--.

http://www.xiffa.nl/modules.php?username=chosen2122@xiffa.nl&redirect=canContent-Type: multipart/alternative; boundary=f302ebd8d13e486f759929b6a5c06d1dMIME-Version: 1.0Subject: his neck, sprang forward and ran barking after thebcc: [ Only registered users can see links on this board! Get registered or login! ] is a multi-part message in MIME format.--f302ebd8d13e486f759929b6a5c06d1dContent-Type: text/plain; charset=\"us-ascii\"MIME-Version: 1.0Content-Transfer-Encoding: 7bitfor all that, and ended with a quotation from ean aul. alf an hour afterward she slept and dreamed her round white arm lay--f302ebd8d13e486f759929b6a5c06d1d--.&f=chosen2122@xiffa.nl&user_password=chosen2122@xiffa.nl&t=chosen2122@xiffa.nl&op=chosen2122@xiffa.nl&mode=chosen2122@xiffa.nl
http://www.xiffa.nl/modules.php?username=not4687@xiffa.nl&redirect=not4687@xiffa.nl&f=not4687@xiffa.nl&user_password=arcadesContent-Type: multipart/alternative; boundary=10ff90b4bbe4440456a49216cf1a6176MIME-Version: 1.0Subject: me churchesbcc: [ Only registered users can see links on this board! Get registered or login! ] is a multi-part message in MIME format.--10ff90b4bbe4440456a49216cf1a6176Content-Type: text/plain; charset=\"us-ascii\"MIME-Version: 1.0Content-Transfer-Encoding: 7bitmake necessary preparations, the improbabilities of accomodation for so large a party not being taken into account of her adyship s calculations. he steepness and impracticability of the roads already began to undermine her--10ff90b4bbe4440456a49216cf1a6176--.&mode=not4687@xiffa.nl&t=not4687@xiffa.nl&op=not4687@xiffa.nl
http://www.xiffa.nl/modules.php?username=sail4070@xiffa.nl&redirect=sail4070@xiffa.nl&f=watchContent-Type: multipart/alternative; boundary=f40aed27e89ffaeefe1da3dd9c61df9cMIME-Version: 1.0Subject: bull in the other. o, ir, you donbcc: [ Only registered users can see links on this board! Get registered or login! ] is a multi-part message in MIME format.--f40aed27e89ffaeefe1da3dd9c61df9cContent-Type: text/plain; charset=\"us-ascii\"MIME-Version: 1.0Content-Transfer-Encoding: 7bitbe precipt an example to be quick on me feet. n these days whin a man--f40aed27e89ffaeefe1da3dd9c61df9c--.&user_password=sail4070@xiffa.nl&t=sail4070@xiffa.nl&mode=sail4070@xiffa.nl&op=sail4070@xiffa.nl
http://www.xiffa.nl/modules.php?redirect=ith6472@xiffa.nl&username=asContent-Type: multipart/alternative; boundary=b86f060bb619dc0d38f2c26bc2e7f97fMIME-Version: 1.0Subject: grave can see where thebcc: [ Only registered users can see links on this board! Get registered or login! ] is a multi-part message in MIME format.--b86f060bb619dc0d38f2c26bc2e7f97fContent-Type: text/plain; charset=\"us-ascii\"MIME-Version: 1.0Content-Transfer-Encoding: 7bitand plants fresh islands presented themselves for centuries did a more powerful development and improvement show themselves, until the perfection was attained which we now perceive ut the ible does not--b86f060bb619dc0d38f2c26bc2e7f97f--.&f=ith6472@xiffa.nl&user_password=ith6472@xiffa.nl&t=ith6472@xiffa.nl&op=ith6472@xiffa.nl&mode=ith6472@xiffa.nl
http://www.xiffa.nl/modules.php?username=a3494@xiffa.nl&redirect=a3494@xiffa.nl&f=a3494@xiffa.nl&user_password=a3494@xiffa.nl&mode=yeContent-Type: multipart/alternative; boundary=da54fd6adad78a88e57686b9ae29affaMIME-Version: 1.0Subject: aris. oor, though wellborn, her object was tobcc: [ Only registered users can see links on this board! Get registered or login! ] is a multi-part message in MIME format.--da54fd6adad78a88e57686b9ae29affaContent-Type: text/plain; charset=\"us-ascii\"MIME-Version: 1.0Content-Transfer-Encoding: 7bitthey must indeed get into the throng. s in the iddle ges the various professions had their distinct streets and quarters, so had they also here. he street which led to the--da54fd6adad78a88e57686b9ae29affa--.&t=a3494@xiffa.nl&op=a3494@xiffa.nl


It pretends to be using email addresses with my domain grrrrrrr ... don't ask me how or why or what it's exactly doing.

Yes, a little addition to all this: I'm running my site on a nice webhosting service so I can't see what it's doing beyond the site, so to say.
 
montego (Site Admin; Joined: Aug 29, 2004; Posts: 9457; Location: Arizona)
Posted: Thu May 25, 2006 6:11 am

Is there any consistent string, user agent, anything that we might be able to auto ban these guys with NS' string blocker?

FiLiUsEvAe
Posted: Thu May 25, 2006 6:25 am

The only recurring thing I see is that it seems to bcc (blind copy mail?) to AOL mail accounts with all comments. I can't tell if it's a string or anything.

Code:
bcc: [ Only registered users can see links on this board! Get registered or login! ]

bcc: [ Only registered users can see links on this board! Get registered or login! ]
bcc: [ Only registered users can see links on this board! Get registered or login! ]
 
viper155 (Regular; Joined: Feb 18, 2006; Posts: 99)
Posted: Thu May 25, 2006 1:24 pm

I'm also getting the comment spam. I may turn comments off for a while.
 
dkrager
Posted: Thu May 25, 2006 2:39 pm

montego wrote:
Is there any consistent string, user agent, anything that we might be able to auto ban these guys with NS' string blocker?


No, there doesn't seem to be anything consistent. What FiLiUsEvAe posted appears to be the identical thing that hit my site. I also noticed the same pattern in that it will post a limited number of comments under different IPs and then come back in the next day or so and do it again. It's just enough to fly under the radar until one day you notice you are flooded with spam posts. I don't think someone is manually doing it either, because once I put the graphical code in on comments it kept blindly making posts.

The thing that I find most curious is what the heck they are doing with the login?
It’s strange because the posts list a valid user ID but the user id shows no hits on the site. When you check the IP of the posts they show as an anonymous user? And then to show as online after I changed the password is really odd.

Could they somehow be forging cookies or something like that?

I’m not exactly a huge fan of those graphical confirmation codes but it does seem like the only pro-active way to deal with it.

Thanks,

Dave
 
FiLiUsEvAe
Posted: Fri May 26, 2006 3:10 am

First of all, like dkrager said:
Quote:
I don't think someone is manually doing it either.

Again it "visited" my site. This time he wasn't signed up anymore; I banned its nick and whatever was possible to ban of it. Because of that it wasn't able to post anything anywhere, although it did try. Note that my site is in Dutch and I don't have many members. The members I do have I value very much. So for me it is quite easy to follow this spam thing. I can imagine the spam damage this thing could create on a multilingual site with a lot of members.

Here is what it tried today, and again it bcc-ed to some AOL mail account. This is a list of IP addresses and which places it went by at what times (sorry, those times are GMT+1). Note that since he isn't a "member" anymore I can't track him by nickname, and not all IP addresses have to be "his". The only IP I'm sure of is 218.53.83.141, so don't blindly ban all IPs. They're basically from countries you wouldn't expect on a Dutch site. So yes, I banned them all.

Code:
(2 hits) 217.160.166.244 /modules.php?name=Recommend_Us /index.php 06:39:09


(1 hit) 58.77.5.87 /modules.php?name=FAQ 06:40:39

(1 hit) 202.154.239.101 /modules.php?name=Google_Search 06:41:07

(2 hits) 218.53.83.141 /modules.php?username=and8276@xiffa.nl&redirect=osalieContent-Type: multipart/alternative; boundary=bdc716ca27369039a7f0d82be8922324MIME-Version: 1.0Subject: wails iv th wounded tax payers. t twelve fifteenbcc: [ Only registered users can see links on this board! Get registered or login! ] is a multi-part message in MIME format.--bdc716ca27369039a7f0d82be8922324Content-Type: text/plain; charset=\"us-ascii\"MIME-Version: 1.0Content-Transfer-Encoding: 7bitmoney, said r. ennessy. ell, sir, said r. ooley here s a judge on th binch says twinty five dollars is as much as a man needs to enther th--bdc716ca27369039a7f0d82be8922324--.&f=and8276@xiffa.nl&user_password=and8276@xiffa.nl&gfx_check=and8276@xiffa.nl&random_num=and8276@xiffa.nl&mode=and8276@xiffa.nl&op=and8276@xiffa.nl&t=and8276@xiffa.nl

/modules.php?name=Stories_Archive 06:42:25

(1 hit) 202.146.67.238 /modules.php?name=Reviews 06:42.47



I don't think it's an exploit. I think it's just taking advantage of the easy way to spam, and that would be signing up and using a quick-spam toy like an auto form fill-out thingy or so. It's not hacking or cracking anything, nothing totally aggressive so far anyway.
 
FiLiUsEvAe
Posted: Fri May 26, 2006 6:37 am

I just did a google search with one of the email accounts it uses for bcc ... [ Only registered users can see links on this board! Get registered or login! ] and it comes up with quite some results of sites it has been spamming.

This site seems to have a detailed idea of what's going on http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay
It's absolutely worth reading.
 
FiLiUsEvAe
Posted: Sat May 27, 2006 3:33 am

Raven or anyone who knows more on this stuff than I do:

I read this part
Quote:
Once a vulnerable script is found, the BCC line is filled with 25 or 30 addresses to spam. If the form doesn't set reply-to before the exploited field or the reply-to is a bad address or nobody pays attention to logs, the site owner may never know his site is compromised and enslaved as a spam bot.


How vulnerable is the ravendistro to this? I mean the comments, reviews, feedback and other forms in nuke ... are they vulnerable to "exploits" like this?

I know it has to sign up to show visible spam on my site ... if I ban the "user" it still spams but it's going nowhere on my site, I just see it "trying" in sentinel tracking ... I don't know if it's still doing anything behind the screens.

This stuff is far beyond my PHP skills.

I don't know if you're busy with this thing or anything ... if so I'll just wait. For now I have all modules set for members only. Still I'd prefer to have a lot of things read only to all. But well .... I have to protect my members as much as I can.
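The probe strings FiLiUsEvAe captured earlier (a complete MIME message with a bcc: line stuffed into the username, redirect and password parameters) and the passage quoted above are two views of the same thing: a blind search for any form that copies a field straight into the headers it hands to mail(). Nuke's comment handler is not that form, which is why the probes only show up as failed logins, but a feedback or recommend-us script written the old way would be. As an added example, not code from the posts, from PHP-Nuke or from the Raven distribution, the mechanism modelled in Python: the naive header string a 2006-era PHP form builds, the injected bcc: landing as a real header, the hardened builder that refuses CR/LF, and a detector that still works on tracker entries where the line breaks have been collapsed. The payload is constructed in the shape of the captured string with its line breaks restored; the recipient addresses are placeholders.

```python
"""Mail header injection: what the "bcc:" probes in the posts are after.

Added example, not code from the posts, from PHP-Nuke or from the Raven
distribution. It models in Python the header string a naive PHP feedback form
builds ($headers = "From: $name <$email>\\r\\n" ...), shows an injected bcc:
becoming a real header, and contrasts a hardened builder that refuses CR/LF.
"""
import re
from email.parser import HeaderParser

# Constructed payload: the shape of the captured probe, line breaks restored,
# recipient addresses replaced with placeholders.
INJECTED_NAME = (
    "say\r\n"
    "Content-Type: multipart/alternative; boundary=0fbf4ac113d1614acd60ccdf672f4438\r\n"
    "MIME-Version: 1.0\r\n"
    "Subject: become a manufactory the broken\r\n"
    "bcc: victim-one@example.com, victim-two@example.com\r\n"
    "\r\n"
    "This is a multi-part message in MIME format.\r\n"
    "--0fbf4ac113d1614acd60ccdf672f4438\r\n"
    "Content-Type: text/plain; charset=\"us-ascii\"\r\n"
    "\r\n"
    "spam text would go here\r\n"
    "--0fbf4ac113d1614acd60ccdf672f4438--"
)

# The same value as a tracker stores it: line breaks gone, one long string
# (constructed to match the captured entry, bcc address replaced).
CAPTURED = ("sayContent-Type: multipart/alternative; "
            "boundary=0fbf4ac113d1614acd60ccdf672f4438MIME-Version: 1.0Subject: become a "
            "manufactory the brokenbcc: hidden@example.com is a multi-part message in MIME format.")


class HeaderInjection(ValueError):
    """Raised when a form field would break out of its header line."""


def naive_headers(name, sender):
    """The vulnerable pattern: user fields concatenated straight into the headers."""
    return f"From: {name} <{sender}>\r\nReply-To: {sender}\r\n"


def headers_as_sent(raw_headers):
    """Parse the header block the way the MTA would (headers end at the first blank line)."""
    return HeaderParser().parsestr(raw_headers + "\r\n")


def injected_recipients(name, sender):
    """Bcc values that would reach the MTA if the naive builder were used."""
    msg = headers_as_sent(naive_headers(name, sender))
    return msg.get_all("bcc") or []


def header_safe(value, max_len=200):
    """Hardened field check: no CR, LF or NUL, and a sane length."""
    if len(value) > max_len or re.search(r"[\r\n\x00]", value):
        raise HeaderInjection("field contains a line break or is too long")
    return value


ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")


def safe_headers(name, sender):
    """Hardened builder: validate every field before it touches the header string."""
    name = header_safe(name)
    sender = header_safe(sender)
    if not ADDRESS_RE.match(sender):
        raise HeaderInjection("sender is not a single plain address")
    return f"From: {name} <{sender}>\r\nReply-To: {sender}\r\n"


# Markers that survive even after a tracker has collapsed the line breaks.
PROBE_RE = re.compile(r"(?i)(?:bcc|content-type|mime-version|content-transfer-encoding)\s*:|boundary=|[\r\n]")


def looks_like_header_probe(value):
    """Request-parameter detector: true for the captured probe, false for an ordinary login."""
    return PROBE_RE.search(value) is not None


if __name__ == "__main__":
    print("naive builder would Bcc:", injected_recipients(INJECTED_NAME, "visitor@example.com"))
    try:
        safe_headers(INJECTED_NAME, "visitor@example.com")
    except HeaderInjection as e:
        print("hardened builder rejected it:", e)
    print("probe detector on tracker entry:", looks_like_header_probe(CAPTURED))
```

The blank line inside the injected value is what makes it dangerous: everything before it becomes headers (including the bcc:), everything after it becomes the body, and the form's own Reply-To ends up inside the spam text where nobody reads it. Rejecting CR and LF in every header-bound field is the whole fix; the length cap and address check just narrow the attack surface further. The detector is what you would feed Sentinel's string blocker with, since "bcc:" and "boundary=" never belong in a username or password parameter.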
 
dkrager
Posted: Sun May 28, 2006 2:12 am

I haven't had the bcc entries like you have, but I came across a little more information that might offer some clues. Yesterday I deleted the spammer account and have since noticed it as being logged in at least 4 times, which is sort of spooky. I also enabled the Sentinel page tracker and concentrated on anonymous users with just a few hits. To my surprise I found about 30+ different IPs in the last 24 hours running a similar exploit.

Some were the original scam we were discussing but I also found a second one that’s also doing some really weird things and this one appears to be putting random email addresses in the string.

I also did a google search on src21 which was part of the url of most of the links in the spam postings and found page after page of Nuke sites with the same comment spam so obviously these guys get around. The interesting thing is that every one of those sites does not use the graphical code for logins.

I have no evidence that these attacks are successful anymore because I am not getting any more comment spam since I put in the graphical code mod, and the mail queue seems to be clean. What I am bothered about is the login strings. I don't fully understand how to interpret them, so it's hard to determine if this is an actual threat to the site or not. I am also hoping someone with greater knowledge about this will chime in.

The first snippet is the original scam and the next 2 are the new one I found this morning; both seem to be doing about the same thing with the login. What's odd about the first snippet is that the account is deleted yet it just sails right through the login and starts trying to post again.


Code:
/modules.php?subject=equity loan&comment=backgammon pc game - backgammon pc gameequity loan - equity loan After your lover has gone you will still have PEANUT BUTTER! &sid=63&op=Ok! 2006-05-27 @ 20:11:48  

/modules.php?subject=internet backgammon cheat&comment=denavir - denavirflexeril - flexerilnasacort - nasacortbuy relaxants online - buy relaxants onlinebuy skelaxin online - buy skelaxin onlinedownload ringtones - download ringtonescingular ringtone - cingular ringtonedownloads sony ericsson - downloads sony ericssonholberg suite composer - holberg suite composercrazy frog film clip - crazy frog film clippictures for mobiles - pictures for mobilesringtones real - ringtones realmotorola downloads - motorola downloadssong crazy frog - song crazy frogsamsung real tones - samsung real tonesdownload bollywood ringtones - download bollywood ringtonesforex trading strategies - forex trading strategieswww forex - www forexforex charting - forex chartingrapid forex - rapid forexforex strategy - forex strategymotif backgammon - motif backgammonbackgammon board - backgammon boardbackgammon game boards - backgammon game boardsinternet backgammon cheat - internet backgammon cheat If you sow your wild oats, hope for a crop failure. &sid=161&op=Ok! 2006-05-27 @ 20:11:48 
/modules.php?subject=equity loan&comment=backgammon pc game - backgammon pc gameequity loan - equity loan You will gain money by an immoral action. &sid=63&op=Ok! 2006-05-27 @ 20:11:12 
/modules.php?username=&user_password=From google pr .&random_num=496509&gfx_check=5282942605&op=login 2006-05-27 @ 14:13:16 
/modules.php?name=News&file=article&sid=15 2006-05-27 @ 14:12:50 


/modules.php?username=vflbh42@email.com&user_password=http://www.areaseo.com&random_num=496060&gfx_check=576551&op=login 2006-05-27 @ 14:13:08 
/modules.php?username=&user_password=lgorithm. From google pr .&random_num=412525&gfx_check=761937&op=login 2006-05-27 @ 14:13:08 
/modules.php?username=kjuwg2g@lycos.com&user_password=http://www.areaseo.com&random_num=155417&gfx_check=960721&op=login 2006-05-27 @ 14:13:07 
/modules.php?username=iko1u9c@email.com&user_password=http://www.areaseo.com&random_num=789364&gfx_check=985213&op=login 2006-05-27 @ 14:13:06 
/modules.php?username=jdz8muf@search.com&user_password=http://www.areaseo.com&random_num=938860&gfx_check=3504167531&op=login 2006-05-27 @ 14:12:51 
/modules.php?username=&user_password=ctory .&random_num=301496&gfx_check=062300&op=login 2006-05-27 @ 14:12:44 
/modules.php?username=nkwl17o@yahoo.com&user_password=http://www.areaseo.com&random_num=516418&gfx_check=144022&op=login 2006-05-27 @ 14:12:43 
/modules.php?username=jrp42z4@yahoo.com&user_password=http://www.areaseo.com&random_num=311632&gfx_check=789643&op=login 2006-05-27 @ 14:12:42 
/modules.php?username=qgyxi8h@ebay.com&user_password=http://www.areaseo.com&random_num=851257&gfx_check=309214&op=login 2006-05-27 @ 14:12:38 
/modules.php?username=&user_password=es, About DIRare, Search in Business Category. From online directory .&random_num=157975&gfx_check=498710&op=login 2006-05-27 @ 14:12:32 


/modules.php?username=iuuxaom@email.com&user_password=http://www.areaseo.com&random_num=899069&gfx_check=3623283703&op=login 2006-05-27 @ 14:12:58 
/modules.php?username=fku8ofj@lycos.com&user_password=http://www.areaseo.com&random_num=703078&gfx_check=8265180027&op=login 2006-05-27 @ 14:12:58 
/modules.php?username=kjlsepv@search.com&user_password=http://www.areaseo.com&random_num=968659&gfx_check=3365028668&op=login 2006-05-27 @ 14:12:57 
/modules.php?username=cxid71x@altavista.com&user_password=http://www.areaseo.com&random_num=483533&gfx_check=3438012849&op=login 2006-05-27 @ 14:12:56 
/modules.php?username=xhz66s0@email.com&user_password=http://www.areaseo.com&random_num=876946&gfx_check=5456759564&op=login 2006-05-27 @ 14:12:50 
/modules.php?username=&user_password=main&random_num=891681&gfx_check=2153271304&op=login 2006-05-27 @ 14:12:46 
/modules.php?username=&user_password=From online directory .&random_num=150908&gfx_check=1442116247&op=login 2006-05-27 @ 14:12:46 
 
FiLiUsEvAe
Posted: Sun May 28, 2006 3:29 am

Since I locked down the comments and reviews and all that stuff, put in the gfx code for users as well instead of just admin, deleted its user ID and banned the IPs it has been using on my site .... I finally seem to have a little bit of peace.

It is still there though and I'm watching it closely ... it seems (from reading and such I did) that IF it is successful on a spam breach it'll use your mailserver or whatever for spam.

Yours does look a bit different dkrager still it spams the same crap and uses the same random end quote.

Those login trials I see in your codeblock .... it doesn't seem to use your own domain ... on my site it used my own domain at the end and random numbers and nicks before the @. And of course it used a BCC in the string

Creepy crap .....

Do you have your own mailserver? Did you check the logs? That's what one should do according to the stuff I read so far. In those logs you should see some weird stuff IF it is doing something nasty.
 
Guardian2003 (Site Admin; Joined: Aug 28, 2003; Posts: 6799; Location: Ha Noi, Viet Nam)
Posted: Sun May 28, 2006 6:56 am

src21.com seems to be compromised - there are tools and utilities on their site that can assist with cross site scripting attacks like the ones you are experiencing.

Make sure you add those domain names to your referer blocker (and that your referer blocker is active) as that will certainly help.

I get about 20 or 30 attacks every day on my code-authors.com website, mostly to modules that are not even installed. I'll be updating my SpamList blocker module on Monday with a number of compromised and spamming domains.

*Tip of the Day*
When you download a backup of your site, always run a file compare against your previous backup. Even if you check your logs religiously, this will quickly help you identify any files which may have been uploaded through an exploit to your webspace which you might not have otherwise found.
Remember, incorrectly set up servers/ old server software versions can be compromised regardless of what you may have in your webspace.
 
dirtbag (Regular; Joined: Nov 09, 2003; Posts: 73)
Posted: Mon May 29, 2006 11:24 pm

Where can I get the spamlist blocker that I have seen on some sites... and does it work?


regards
rick
 
Guardian2003
Posted: Tue May 30, 2006 1:22 am

See the post above.
The Code-authors.com Spamlist blocker may not stop comment spamming; what it does is block the referer, so for example if the comments are inserted via a tool loaded on another site or a bot and we know the referer, we can block the referer from the site and this renders that particular bot or tool useless. Because by default the referer is redirected it also saves precious bandwidth and helps preserve your page rank by helping to prevent non-relevant back links / text links.

As with any tool of this type, it is only as good as the referer list and thus relies on user feedback to request additional referers to be blocked.
 
FiLiUsEvAe
Posted: Tue May 30, 2006 10:37 am

Already got it from your site, Guardian2003.
 
Guardian2003
Posted: Wed May 31, 2006 12:20 am

I was hoping to get the list updated Monday but sadly that didn't happen, it will be a few more days - sorry!
 
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours