Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™
Author Message
64bitguy
The Mouse Is Extension Of Arm


Joined: Mar 06, 2004
Posts: 1159
Location: Sanbornton, NH USA

PostPosted: Sat Dec 25, 2004 12:09 pm Reply with quote

In an effort to identify who is infected by this is a worm or virus, I'm enclosing a copy of a few of the IPs that have attacked my site so far.

I'm very curious to discover the root cause of these attacks (failed to update? No anti-virus?) and identifying the sources may aid in this venture while helping others to filter out some of the hosts affected.

Here are SOME of the multiple abuse attempt IPs that I have collected so far:

63.247.87.186 = shell.konta.pl
62.2.78.10 = 62-2-78-10.business.cablecom.ch
62.212.81.12 = ns2.jronline.nl
69.73.166.108 = platinum.nocdirect.com
69.64.34.168 = air302.startdedicated.com
67.19.107.242 = 242-107-19-67.reverse.sunrisenet.com.br
80.237.130.27 = server019.webpack.hosteurope.de
66.194.239.69 = dime54.dizinc.com
216.201.96.65 = vs1.korax.net
67.18.14.98 = ns1.hostdnsserver.com
67.15.84.41 = spark.mojoservers.net
67.19.5.50 = 50.67-19-5.reverse.theplanet.com
195.246.156.14 = microscoop.server.vianetworks.fr
204.50.22.10 = server12.dayanadns.com
217.115.142.89 = hydrogen.webpack.hosteurope.de
62.173.67.22 = fastwebhosting.net

And many many more!

_________________
Steph Benoit Only registered users can see links on this board! Get registered or login!
1CMS, 100% Section 508 and W3C XHTML/CSS Compliant (Truly)

Last edited by 64bitguy on Sat Dec 25, 2004 2:45 pm; edited 2 times in total 
View user's profile Send private message Visit poster's website
Mesum
Useless


Joined: Aug 23, 2002
Posts: 213
Location: Chicago

PostPosted: Sat Dec 25, 2004 1:02 pm Reply with quote

I was bombed early this morning by visualcoders.net which was using some stupid kinda strings.

Their host was informed and they removed the account right away then domain whois showed that the owner is from Belgium so I just called FBI and let then know about this. They said they already know about it and they think it is just another worm that is supposed to run this sting to every phpBB, PHP-Nuke, Postnuke or any other related code. They are trying to find it and stop it.

These were the strings they were using:

_________________
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
zaki
New Member
New Member


Joined: Oct 12, 2004
Posts: 9

PostPosted: Sat Dec 25, 2004 2:04 pm Reply with quote

I am getting like 500 emails daily since two days, all with reasons like Reason: Abuse-Script or Abuse-Harvest, the only comon thing between all attacks is the agent which is
--------------------
User Agent: lwp-trivial/1.32

examples

Date & Time: 2004-12-25 12:51:57
Blocked IP: 217.199.176.8
User ID: Anonymous (1)
Reason: Abuse-Harvest
String Match: lwp-trivial
--------------------
User Agent: lwp-trivial/1.32
Query String: Only registered users can see links on this board! Get registered or login!
Forwarded For: none
Client IP: none
Remote Address: 217.199.176.8
Remote Port: 4388
Request Method: GET
--------------------
Who-Is for IP
217.199.176.8

Date & Time: 2004-12-25 12:24:45
Blocked IP: 81.169.168.253
User ID: Anonymous (1)
Reason: Abuse-Script
--------------------
User Agent: lwp-trivial/1.38
Query String: Only registered users can see links on this board! Get registered or login!
Forwarded For: none
Client IP: none
Remote Address: 81.169.168.253
Remote Port: 45814
Request Method: GET

or this new one


Date & Time: 2004-12-25 14:22:16
Blocked IP: 69.93.214.106
User ID: Anonymous (1)
Reason: Abuse-Script
--------------------
User Agent: LWP::Simple/5.65
Query String: Only registered users can see links on this board! Get registered or login!
Forwarded For: none
Client IP: none
Remote Address: 69.93.214.106
Remote Port: 41817
Request Method: GET

what is this gratishost.com ???

another Email with this which is a normal script to one of the forums, why blocked ?

Date & Time: 2004-12-25 14:18:02
Blocked IP: 69.44.57.36
User ID: Anonymous (1)
Reason: Abuse-Harvest
String Match: lwp-trivial
--------------------
User Agent: lwp-trivial/1.41
Query String: Only registered users can see links on this board! Get registered or login!
Forwarded For: none
Client IP: none
Remote Address: 69.44.57.36
Remote Port: 46860
Request Method: GET

I wish someone can help me with this, it started two days ago, now i get tons of Emails from sentinel, any ideas ?


Last edited by zaki on Sat Dec 25, 2004 2:31 pm; edited 3 times in total 
View user's profile Send private message
64bitguy
PostPosted: Sat Dec 25, 2004 2:26 pm Reply with quote

Update:

According to multiple hosts contacted, the following information has been identified:

It looks like Only registered users can see links on this board! Get registered or login! and Only registered users can see links on this board! Get registered or login! are hosting the worm source-code and aiding in propogation.

There is now an official FBI investigation in progress.

Webmasters attacked by this worm are urged to:

1) Contact each host of each attacking domain to advise them to do a virus scan to identify and remove the worm from affected domains.

2) Advise those hosts to notify domain administrators to update their software so as not to be exposed or further vulnerable to the worm.

2A) Also advise hosts of the domain(s) affected that should webmasters fail to update their software immediately (so as not to be susceptible to the worm), that the domain(s) affected should be deactivated until such a time where they do not pose a threat of re-infection and further propagation to others.

This is a situation where people have failed to update their software as advised and thus they are propagating the problem.

There are also a large number of clients attempting to test successful implementation and infection of the worm. Those client IP addresses are also being collected and reported to the FBI for investigation.

While many of these clients are on dial-up, the seriousness of this attack and the involvement of the FBI has led to a great deal of cooperation with ISPs in tracking those involved.

I'll keep you apprised of more information as it becomes available.
 
SuperCat
Hangin' Around


Joined: Nov 27, 2004
Posts: 37
Location: MN

PostPosted: Sun Dec 26, 2004 11:16 am Reply with quote

Ok, i figured out that its showing up in here anyways. but is wayyyyyyy off to the right side...

I wrote a nice little protection for this so your bandwidth wont get eaten up...

place this in /includes/custom_files/custom_mainfile.php

Code:
if (eregi("wget", $_SERVER['QUERY_STRING'])) {

   die();
}

_________________
How deep can we dig the rabbit hole? 
View user's profile Send private message Send e-mail Visit poster's website AIM Address Yahoo Messenger
zaki
PostPosted: Sun Dec 26, 2004 12:22 pm Reply with quote

supercat, who are you replying to pls ? me ?

thanks,
 
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17077

PostPosted: Sun Dec 26, 2004 12:26 pm Reply with quote

SuperCat wrote:
Ok, i figured out that its showing up in here anyways. but is wayyyyyyy off to the right side...

I wrote a nice little protection for this so your bandwidth wont get eaten up...

place this in /includes/custom_files/custom_mainfile.php

Code:
if (eregi("wget", $_SERVER['QUERY_STRING'])) {

   die();
}
If it reaches this script, the band width has already been used. Not too sure what this accomplishes (no offense).
 
View user's profile Send private message
SuperCat
PostPosted: Sun Dec 26, 2004 12:38 pm Reply with quote

the rest of the page wont load. it saves that much.
 
sixonetonoffun
Spouse Contemplates Divorce


Joined: Jan 02, 2003
Posts: 2496

PostPosted: Sun Dec 26, 2004 1:17 pm Reply with quote

The authorities will probably have as much success with the brazilian ISP's as we do.

_________________
[b][size=5]openSUSE 11.4-x86 | Linux 2.6.37.1-1.2desktop i686 | KDE: 4.6.41>=4.7 | XFCE 4.8 | AMD Athlon(tm) XP 3000+ | MSI K7N2 Delta-L | 3GB Black Diamond DDR
| GeForce 6200@433Mhz 512MB | Xorg 1.9.3 | NVIDIA 270.30[/size:2b8 
View user's profile Send private message
SuperCat
PostPosted: Sun Dec 26, 2004 6:09 pm Reply with quote

Here is my final code:

Code:
if (eregi("wget", $_SERVER['QUERY_STRING'])) {

   require_once("config.php");
   require_once("db/db.php");
   global $db, $prefix;
   $ip = $_SERVER["REMOTE_ADDR"];
   $sql = "select * from ".$prefix."_banned_ip WHERE ip_address ='$ip'";
   $result = $db->sql_query($sql);
   $IPexists = $db->sql_fetchrow($result);
   if ($IPexists == '') {
      $date = date("Y-m-d");
      $db->sql_query("INSERT INTO ".$prefix."_banned_ip (ip_address,reason,date) VALUES ('$ip', 'wget in URL', '$date')");
      $db->sql_query("DELETE FROM ".$prefix."_session WHERE host_addr='$ip'");
   }
   die();
}
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©