DJ Maze Developer
Joined: Apr 19, 2004 Posts: 5683 Location: http://tinyurl.com/5z8dmv
Posted: Tue May 04, 2004 3:17 pm Post subject: Hacker IP's
If people wanna know, some stupid idiots tried to do nasty things on cpgnuke.com, but due to our htaccess and db debugging I have some cool error reports, so here are mine:
[Tue May 4 10:31:05 2004] [error] [client 200.217.110.144] File does not exist: /modules/My_eGallery/public/displayCategory.php
[Tue May 4 09:59:59 2004] [error] [client 200.196.119.3] client denied by server configuration: /modules/coppermine/themes/default/theme.php
[Tue May 4 04:45:52 2004] [error] [client 202.51.230.148] client denied by server configuration: /modules/coppermine/themes/default/theme.php
[Tue May 4 02:05:38 2004] [error] [client 65.54.164.126] File does not exist: /viewtopic.php
Just expand the list with your logs
lacnic.net/cgi-bin/lacnic/whois <- Latin america
www.ripe.net/db/whois/whois.html <- Europe
www.apnic.net/ <- Asian
www.arin.net/whois/index.html <- America
_________________ There are two paths, the short one and the long one.
When you choose the short path you will notice it takes longer than the long path.
So READ the FAQ and Wiki first 
DJ Maze's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Fedora 15 / 2.2.22 / 5.5.20 / 5.3.10 / CVS
Last edited by DJ Maze on Sun May 09, 2004 10:15 am; edited 2 times in total

Viperal Supporter
Joined: May 01, 2004 Posts: 858 Location: New York
Posted: Tue May 04, 2004 5:55 pm Post subject: Re: Hacker IP's
Search results for: 65.54.164.126
OrgName: Microsoft Corp
OrgID: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US
I knew they were trying to take over the world, but come on.
I better start using Linux

Śyama_Dāsa Developer
Joined: Apr 19, 2004 Posts: 2048 Location: Dragonfly CMS Tribe
Posted: Tue May 04, 2004 10:26 pm Post subject: Re: Hacker IP's
Add 200.174.123.113 to the list
I have notified the host...
Śyama_Dāsa's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) win32 / Apache 1.3.33 / MySQL 4.1.16/PHP 4.4/CPG-CVS ( browsers: Mozilla 1.7.x / IE6 / Opera 8.0)

Viperal Supporter
Joined: May 01, 2004 Posts: 858 Location: New York
Posted: Tue May 04, 2004 10:29 pm Post subject: Re: Hacker IP's
Is this log created automatically? If so, where do I get it?
Never mind, I found it: log folder, stupid me.

Phoenix • Many Posts •
Joined: Apr 19, 2004 Posts: 8799 Location: Netizen
Posted: Tue May 04, 2004 11:29 pm Post subject: Re: Hacker IP's
| Viperal wrote: |
Search results for: 65.54.164.126
OrgName: Microsoft Corp
|
It's MSN bot - obviously it's picked up an invalid link during spidering.
_________________ • DonationsPro for DragonflyCMS, SMF, MyBB, vBulletin •

DJ Maze Developer
Joined: Apr 19, 2004 Posts: 5683 Location: http://tinyurl.com/5z8dmv
Posted: Wed May 05, 2004 5:59 am Post subject: Re: Hacker IP's
[Wed May 5 01:10:07 2004] [error] [client 201.0.66.201] File does not exist: /nuke/modules/coppermine/themes/default/theme.php
[Tue May 4 21:05:22 2004] [error] [client 80.129.121.118] File does not exist: /scripts/..%5c%5c../winnt/system32/cmd.exe
[Tue May 4 16:42:30 2004] [error] [client 80.126.53.55] File does not exist: /MSOffice/cltreq.asp
[Tue May 4 16:42:29 2004] [error] [client 80.126.53.55] File does not exist: /_vti_bin/owssvr.dll
Last edited by DJ Maze on Thu May 06, 2004 1:08 am; edited 2 times in total

Cergorach Nice poster
Joined: Apr 20, 2004 Posts: 72 Location: Amsterdam, the Netherlands
Posted: Wed May 05, 2004 7:29 am Post subject: Re: Hacker IP's
| DJMaze wrote: |
[Tue May 4 11:37:29 2004] [error] [client xxx.202.196.72] client denied by server configuration: /home/cpgn/public_html//themes/cpgnuke/theme.php
[Tue May 4 11:37:22 2004] [error] [client xxx.202.196.71] client denied by server configuration: /home/cpgn/public_html/themes/cpgnuke/theme.php
[Tue May 4 11:37:14 2004] [error] [client xxx.202.196.72] client denied by server configuration: /home/cpgn/public_html//themes/cpgnuke/theme.php |
That could be moi from work, looking at the error page you were talking about
Cergorach's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Dunno, have to check ;-)

Trevor Developer
Joined: Apr 19, 2004 Posts: 2170 Location: New York
Posted: Wed May 05, 2004 10:48 pm Post subject: Re: Hacker IP's
Here's a few IP Addresses...
IP: 203.106.8.142
Timestamp: 04/10/2004 09:41:30 Eastern
Reason: Attempted exploit of 4nAlbum vulnerability
Query: /modules/4nalbum/public/displayCategory.php?adminpath=[removed]
IP: 201.0.66.80
Timestamp: 04/12/2004 22:58:25 Eastern
Reason: Attempted exploit of 4nAlbum vulnerability
Query: /modules/4nAlbum/public/displayCategory.php?basepath=[removed]
IP: 200.141.17.70
Timestamp: 04/18/2004 23:54:42 Eastern
Reason: Attempted exploit of My eGallery vulnerability
Query: /modules/My_eGallery/public/displayCategory.php?basepath=[removed]
IP: 200.184.48.140
Timestamp: 04/22/2004 22:54:59 Eastern
Reason: Attempted exploit of My eGallery vulnerability
Query: /modules/My_eGallery/public/displayCategory.php?basepath=[removed]
I've also got a huge list of about 75 IPs that I've been collecting since October
Trevor's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Linux / 1.3.34 / 4.1.18 / 4.4.2 / CVS

VinDSL Newbie
Joined: Apr 21, 2004 Posts: 12 Location: Arizona (USA)
Posted: Thu May 06, 2004 12:53 am Post subject: Re: Hacker IP's
Here's some hack attempts on my site, from today, if you're interested:
[195.94.6.157]
/modules.php?name=coppermine&file=searchnew&startdir=../..
[81.176.148.99]
/modules.php?name=News&file=article&sid=32\\\'%20union%20select%20pwd%20from%20nuke_authors%20where%20name=\\\'God\\\'/*\\\'
[24.54.183.110]
/modules.php?name=Downloads&d_op=viewdownload&cid=2%20UNION%20select%20counter,%20aid,%20pwd%20FROM%20nuke_authors%20
[195.230.170.16]
/modules.php?name=News&new_topic=31337\\\'%20UNION%20SELECT%20pwd%20from%20nuke_authors%20where%20name=\\\'God\\\'/*\
If this is too specific, let me know, and I'll just furnish IP's in the future...
VinDSL's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) OS: Linux / Apache: 1.3.29 / MySQL: 4.0.20 / PHP: 4.3.8

VinDSL Newbie
Joined: Apr 21, 2004 Posts: 12 Location: Arizona (USA)
Posted: Thu May 06, 2004 1:01 am Post subject: Re: Hacker IP's
Heh! Fresh from the Ban List - 2 minutes old...
[216.236.118.131]
/modules.php?name=coppermine&file=searchnew&startdir=../..

DJ Maze Developer
Joined: Apr 19, 2004 Posts: 5683 Location: http://tinyurl.com/5z8dmv
Posted: Thu May 06, 2004 1:20 am Post subject: Re: Hacker IP's
CET
[Wed May 5 02:47:34 2004] [error] [client 69.81.41.16] File does not exist: /default.ida
[Wed May 5 01:06:39 2004] [error] [client 201.2.201.118] client denied by server configuration: /modules/coppermine/themes/default/theme.php

Jeruvy Security Team
Joined: Apr 23, 2004 Posts: 1432 Location: Canada
Posted: Thu May 06, 2004 1:44 pm Post subject: Re: Hacker IP's
Unless I see TWO or MORE offenses from A IP, I refuse to block it.
Most of these are zombies....so who cares about blocking zombies.
I see some of those are spiders and web bots that you are blocking, not a wise idea....but to each web site, his own rules
_________________ J.
j e r u v y a t y a h o o d o t c o m
Need help? Look here: www.dragonflycms.org/W...d=112.html
Need to chat? Look for me on irc.freenode.net
Jeruvy's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Ubuntu7.10/Debian3.1 - 2.2.3/1.3.37 - 5.0.38/4.0.27 - 5.2.1/4.4.7 - CVS/9.1.2}

VinDSL Newbie
Joined: Apr 21, 2004 Posts: 12 Location: Arizona (USA)
Posted: Thu May 06, 2004 9:00 pm Post subject: Re: Hacker IP's
| Jeruvy wrote: |
| Unless I see TWO or MORE offenses from A IP, I refuse to block it. |
LoL! Sorry for parsing your sentence, but I suppose it depends on the meaning of 'I'...
'I' don't ban many IP's, however, 'I' have safeguards in place that DO ban IP's automatically, depending on the severity of the attack. 'UNION' injection attempts on most modules are simply reported, but other SQL injections trigger an immediate ban. Dittos for anyone accessing the admin modules. There is NO reason for that!
I agree with what you're saying, in principle, but I think automated security programs are better off killing them all and letting "god" sort them out...
VinDSL's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) OS: Linux / Apache: 1.3.29 / MySQL: 4.0.20 / PHP: 4.3.8
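
As an added example (not code from any poster or from the CPG-Nuke/Dragonfly project): the triage this thread argues over, applied to error-log lines in the format quoted above. It flags only paths matching the request patterns posted in the thread, ignores plain 404s such as a crawler following a stale link, and marks an address for blocking only on two or more hits; the labels, function names and sample addresses are assumptions of this example.

```python
import re
from collections import defaultdict

# Shape of the Apache error-log lines quoted in the thread.
LINE = re.compile(
    r"\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
    r"(?P<msg>[^:]+): (?P<path>\S+)"
)

# Labels are this example's own; the path patterns come from the quoted requests.
SIGNATURES = [
    ("iis-only-path", re.compile(r"cmd\.exe|default\.ida|_vti_bin|cltreq\.asp", re.I)),
    ("gallery-script-probe",
     re.compile(r"(My_eGallery|4nalbum)/public/displayCategory\.php", re.I)),
    ("direct-theme-access", re.compile(r"/themes/[^/]+/theme\.php$", re.I)),
]

def classify(path):
    """Return a label for a requested path, or 'plain-404' if nothing matches."""
    for label, rx in SIGNATURES:
        if rx.search(path):
            return label
    return "plain-404"  # e.g. a crawler following a stale link

def triage(lines, threshold=2):
    """Map each IP with suspicious hits to ('block' | 'report', labels seen)."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m and classify(m["path"]) != "plain-404":
            hits[m["ip"]].append(classify(m["path"]))
    return {ip: ("block" if len(seen) >= threshold else "report", sorted(set(seen)))
            for ip, seen in hits.items()}

# Constructed sample lines (documentation-range addresses, not from the thread).
SAMPLE = [
    "[Tue May 4 16:42:29 2004] [error] [client 192.0.2.10] File does not exist: /_vti_bin/owssvr.dll",
    "[Tue May 4 16:42:30 2004] [error] [client 192.0.2.10] File does not exist: /MSOffice/cltreq.asp",
    "[Tue May 4 10:31:05 2004] [error] [client 198.51.100.7] File does not exist: /modules/My_eGallery/public/displayCategory.php",
    "[Tue May 4 02:05:38 2004] [error] [client 203.0.113.5] File does not exist: /viewtopic.php",
    "[Tue May 4 09:59:59 2004] [error] [client 203.0.113.9] client denied by server configuration: /modules/coppermine/themes/default/theme.php",
]

if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE).items():
        print(ip, verdict)
```
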