Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.5.x
Author Message
rugbyleaguer
Hangin' Around


Joined: Dec 17, 2007
Posts: 29

PostPosted: Thu Jan 24, 2008 3:32 pm Reply with quote

Get a few of these on site and wondered what they were trying to do to the site???


Date & Time: 2008-01-24 18:09:58 UTC GMT +0000
Blocked IP: 80.67.27.*
User ID: Anonymous (1)
Reason: Abuse-Filter
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)
Query String: Only registered users can see links on this board! Get registered or login!
Get String: Only registered users can see links on this board! Get registered or login!
Post String: Only registered users can see links on this board! Get registered or login!
Forwarded For: none
Client IP: none
Remote Address: 80.67.27.39
Remote Port: 32913
Request Method: GET
--------------------
Who-Is for IP
 
View user's profile Send private message
warren-the-ape
Worker
Worker


Joined: Nov 19, 2007
Posts: 196
Location: Netherlands

PostPosted: Thu Jan 24, 2008 4:08 pm Reply with quote

See: Only registered users can see links on this board! Get registered or login!

Especially the reply from Montego;
(I had the same questions as well Wink)

montego wrote:

They are absolutely NOT "innocent". Anything which attacks phpbb_root_path is far from innocent and I will not go into the explanation of why. phpBB has since plugged this particular hole (yes, RN has that "plug"), so these are old exploits. Just remember too that just because a file has .txt as an extension does not mean that is truly what the nature of the file is. It could even be PHP script or a binary etc. To answer your question, it is very possible that those sites were hacked and now being used to try and attack others.
 
View user's profile Send private message
rugbyleaguer
PostPosted: Thu Jan 24, 2008 4:13 pm Reply with quote

So where exactly are they inputting these scripts????
 
warren-the-ape
PostPosted: Thu Jan 24, 2008 4:17 pm Reply with quote

They are trying to run those queries on your site, like you can see in the strings from your topicstart.

I guess that most of them are automated and are just being send to your website from another server, but please read the other topic cause a lot of it is explained over there Wink
 
Gremmie
Former Moderator in Good Standing


Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

PostPosted: Thu Jan 24, 2008 7:39 pm Reply with quote

This is called a cross site scripting attack. They are trying to trick your PHP code to run a (bad) script on a remote server.

_________________
Only registered users can see links on this board! Get registered or login! - An Event Calendar for PHP-Nuke
Only registered users can see links on this board! Get registered or login! - A Google Maps Nuke Module 
View user's profile Send private message
rugbyleaguer
PostPosted: Fri Jan 25, 2008 12:46 pm Reply with quote

Where is it likely they are inputting these scripts, that is to say I had one hacker from Turkey once chat to me and tell me how he had hacked my site by typing some script into the search topic input field then he manage to retrieve the username and the hash (MD5) of my password which he pasted into a MD5 hash cracking website waited a few days then it told him my admin password. If I know where they are inputting the stuff I can remove it so that they can only do that when they are a registered/verified member.
 
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Fri Jan 25, 2008 2:45 pm Reply with quote

Search module is a previous known exploit. RavenNuke should have it patched already.
If they are still hacking your site and succeeding, please let us know

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
rugbyleaguer
PostPosted: Sat Jan 26, 2008 3:30 am Reply with quote

Well thank god it seems to be blocking em each time but is a tad worrying to think its getting attacked on a regular basis.
 
slackervaara
Worker
Worker


Joined: Aug 26, 2007
Posts: 236

PostPosted: Sat Jan 26, 2008 4:25 am Reply with quote

rugbyleaguer wrote:
Where is it likely they are inputting these scripts, that is to say I had one hacker from Turkey once chat to me and tell me how he had hacked my site by typing some script into the search topic input field then he manage to retrieve the username and the hash (MD5) of my password which he pasted into a MD5 hash cracking website waited a few days then it told him my admin password. If I know where they are inputting the stuff I can remove it so that they can only do that when they are a registered/verified member.


On my site I have added in .htaccess, so only my ip-address can access admin.php. They have no use then of the admin password.

<Files "admin.php">
Order allow,deny
Allow from xxx.xx.x.xx
</Files>

xxx.xx.x.xx is my ip-address
 
View user's profile Send private message
Display posts from previous:       
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.5.x

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©